We have discovered installing this latest ActiveX killbits update results in the error message, "Unable to load client print control," when a user clicks the print button inside of a report generated by SQL 2005 Reporting Services.
We're an IE7/XP Pro SP3 shop; anyone else seeing this?
~JasonG
--
"Jason Gurtz" <jasonNOgurtz[ at ]npuSPAMmail.com> wrote in message news:eNnSNbcPJHA.764[ at ]TK2MSFTNGP05.phx.gbl...
> Re: KB956931 Breaks SQL2k5 RS printing ActiveX
KB956931 doesn't exist; I suspect you meant KB956391. http://www.microsoft.com/technet/security/advisory/956391.mspx
> We have discovered installing this latest ActiveX killbits update
> results in the error message, "Unable to load client print control,"
> when a user clicks the print button inside of a report generated by SQL
> 2005 Reporting Services.
>
> We're an IE7/XP Pro SP3 shop; anyone else seeing this?
Apparently SSRS used one of the security holes plugged by that update.
A previous SQLServer update modified how SSRS uses Active X to not use that security hole, which was released on 9.9.08. This update was designed to plug the hole now that SSRS quit using it:
===========================================================================
This update sets the kill bits for ActiveX controls addressed in previous Microsoft Security Bulletins. These kill bits are being set in this update as a defense in depth measure:
• Unsafe Functions in Office Web Components (328130), MS02-044.
• Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103), MS08-017.
• Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617), MS08-041.
• Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), MS08-052.
For more information about installing this update, see Microsoft Knowledge Base Article 956391.
===========================================================================
The fix is in MS08-052/KB965606: MS08-052: Description of the security update for GDI+ for SQL Server 2005 Service Pack 2 GDR: September 9, 2008
http://support.microsoft.com/kb/954606
NOTE: Always be sure ALL of your products are being updated, and preferably in chronological order.
It's not unexpected at all that a fix for product 'A' will break something that was modified in a previous update to product 'B' -- particularly where Security Updates are concerned. In this particular instance, a security hole existed, but was not plugged because it would have broken the operation of SSRS, so first MS08-052 fixed that by updating SSRS, which then allowed a revised "Cumulative Update for ActiveX Killbits", which plugged the hole being used by SSRS.
Installing MS08-052 previously would have avoided this issue.
I would suggest, also, a review to see which other Security Updates may be missing from your systems.
--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Lawrence Garvin (MVP) wrote:
[...]
> Apparently SSRS used one of the security holes plugged by that update.
>
> A previous SQLServer update modified how SSRS uses Active X to not use that
> security hole, which was released on 9.9.08. This update was designed to
> plug the hole now that SSRS quit using it:
You hit the nail on the head for both counts, Lawrence. Butter-fingered the KB # and our production database servers have the least aggressive patching schedule and indeed are missing MS08-052.
Quite relieved to know the reason as it was a bit frustrating to see literally nothing in Google about this affecting anyone and definitely being able to recreate the issue. Many thanks!
~JasonG
--
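
Added example, not part of the original posts: a PowerShell check for the situation discussed above. It lists ActiveX controls that are registered on a client and also have the kill bit (0x400 in the "Compatibility Flags" value under IE's ActiveX Compatibility key) set, which is where a control disabled by a killbits update shows up. The thread does not name the print control's CLSID, so the script lists every match; the function name Get-KillBittedControl is made up for this example.

```powershell
# Added example, not from the thread. Read-only: it only queries the registry
# and the installed-hotfix list on the client where printing fails.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from loading the control
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBittedControl {   # hypothetical helper name
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # 32-bit controls on 64-bit Windows register under Wow6432Node
        $clsidRoot = if ($root -like '*Wow6432Node*') {
            'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
        } else {
            'Registry::HKEY_CLASSES_ROOT\CLSID'
        }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $flags = $key.GetValue('Compatibility Flags')
            if ($null -eq $flags -or ($flags -band $KillBit) -eq 0) { continue }

            $clsid  = $key.PSChildName
            $server = Join-Path $clsidRoot "$clsid\InprocServer32"
            # Skip kill bits for controls that are not installed on this machine
            if (-not (Test-Path -LiteralPath $server)) { continue }

            New-Object PSObject -Property @{
                Clsid = $clsid
                Name  = (Get-Item -LiteralPath (Join-Path $clsidRoot $clsid)).GetValue('')
                Dll   = (Get-Item -LiteralPath $server).GetValue('')
                Flags = '0x{0:X}' -f $flags
            }
        }
    }
}

# Is the killbits update from the thread present on this client?
Get-HotFix -Id 'KB956391' -ErrorAction SilentlyContinue

# Installed controls that IE will now refuse to instantiate
Get-KillBittedControl | Sort-Object Name | Format-Table Name, Clsid, Dll -AutoSize
```

A control that appears in this list and is still served by an unpatched server is the pattern described in the thread: the fix is the server-side update that ships a replacement control, not clearing the kill bit.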