Detection flaw in fixlet for MS13-090 (KB2900986)?

Is anyone seeing possible false positives for Ms13-090? I’m seeing a few and the patch fails to install and reports its already installed. The KB does not appear in View Installed updates to permit removal. MBSA scans do not show the patch as required. I have checked the relevance and I believe the detection is flawed when compared to the info from Microsoft’s KB https://support.microsoft.com/en-gb/kb/2900986. The fixlets are look for decimal hex value 00000400 (decimal 1024) in all registry keys where as Microsoft KB indicate that 00000400 in one hive and 04000400 (decimal 67109888) in all other keys. The machines with the false positives all have the values as per the Microsoft KB.

I suspect the registry keys are set by a later update so the KB strings that the fixlet checks for in the serving sections of the registry do not exist .

Regs
Rob

Hey Rob, private messaging you about this, and will escalate to content dev team…

Thanks @BigFixNinja. Have sent you the details.

Thanks for reporting the issue!

Custom copy for Fixlet 1309031 has been sent to BigfixNinja. Surely he will share it with you (Rob). Please let us know how it works.

Regards,

Hi @sylvia. The custom fixlets @BigFixNinja has supplied for 1309019 and 1309031 are indeed fixing the detection issue we are seeing.

Thanks & Regs
Rob

Just for your information. The reported fixlets have been replaced by the following new IDs:

MS13-090: Cumulative Security Update of ActiveX Kill Bits - Windows 7
SP1 - KB2900986 (x64) (ID: 1309065)
MS13-090: Cumulative Security Update of ActiveX Kill Bits - Windows
Server 2012 Gold - KB2900986 (x64) (ID: 1309043)

Published site version:

Patches for Windows, version 2446.

1 Like

Thank you @Sylvia and @BigFixNinja. We are no longer seeing the false positives

Regs
Rob