Content Release: Patches for Windows published 2024-12-12

Content in the Patches for Windows site has been modified

  • Major [ID:201339001] Enable hardening changes for WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900)
  • Major [ID:201339002] Disable hardening changes for WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900)

Reason for Update:

  • Relevance has been modified

Actions to Take:

  • None

Published site version:
Site Name: Patches for Windows
Version: 4468

Additional links:

Application Engineering Team
HCL BigFix

HCL / SJPUTMAN,

For the second time in less than two weeks, I think you have broken the Disable fixlet. My environment has at least 1,500 that should be relevant and it’s now down to 249 and dropping further for a second time. I believe the enable fixlet is also broken, as there are more relevant endpoints than I believe I should have… but not spending time to 100% verify as it may just be from offline endpoints or similar.

Hi @DerrickD ,

According to the MSRC page for the WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900), Microsoft modified the data type of “EnableCertPaddingCheck” = 1 from REG_SZ to REG_DWORD on Nov 12, 2024. As a result, we have updated our fixlets to check for the “EnableCertPaddingCheck” = 1 specifically as REG_DWORD.

Therefore, machines with the registry setting 1 as “REG_SZ,” based on Microsoft’s initial recommendation, will still be applicable to the “Enable Hardening Fixlet,” as the relevance specifically targets “REG_DWORD.”

Machines with 1 as “REG_SZ” will not become applicable to the “Disable Hardening Fixlet,” as hardening is not enabled on them according to the new setting, i.e., “EnableCertPaddingCheck” = 1 as REG_DWORD.

Thanks.

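To see which of the two states the reply describes a given machine is in (REG_DWORD 1, which the updated relevance treats as hardened, versus the older REG_SZ "1", which it no longer does), here is an added PowerShell audit that is not part of the fixlets or the forum posts. It assumes the value lives under the Wintrust\Config key named in the MSRC advisory for CVE-2013-3900 (plus the Wow6432Node copy on 64-bit systems); the key paths are taken from that advisory, not from this thread.

```powershell
# Added example (not BigFix or Microsoft code): classify EnableCertPaddingCheck
# by registry value type, matching the distinction the updated relevance makes.
# Key paths are assumed from the MSRC advisory for CVE-2013-3900.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    param([string]$Path)
    $name = 'EnableCertPaddingCheck'
    $missing = [pscustomobject]@{ Path = $Path; Kind = 'Missing'; Value = $null; State = 'NotHardened' }

    if (-not (Test-Path -LiteralPath $Path)) { return $missing }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $name) { return $missing }

    # GetValueKind returns the stored type (DWord, String, ...), which is
    # exactly what separates the new REG_DWORD form from the legacy REG_SZ one.
    $kind  = $key.GetValueKind($name)
    $value = $key.GetValue($name)
    $state = switch ("$kind") {
        'DWord'  { if ($value -eq 1)   { 'Hardened' }     else { 'NotHardened' } }
        'String' { if ($value -eq '1') { 'LegacyREG_SZ' } else { 'NotHardened' } }
        default  { 'UnexpectedType' }
    }
    [pscustomobject]@{ Path = $Path; Kind = "$kind"; Value = $value; State = $state }
}

# LegacyREG_SZ rows are the machines the thread is about: still hardened under
# the original guidance, but no longer counted as such by the updated relevance.
$paths | ForEach-Object { Get-CertPaddingCheckState -Path $_ } | Format-Table -AutoSize
```

Run it in an elevated session; a machine showing LegacyREG_SZ will appear relevant to the Enable fixlet and not to the Disable fixlet, which is the behaviour the reply above describes.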

Wow! Very interesting change made by Microsoft.

Thanks for pointing out that information, I was completely unaware.
