Fixlet MS09-035 Vulnerabilities in Visual Studio False Positive

(imported topic written by mgardner28)

I have a Windows 7 system that is showing that it needs Fixlet MS09-35. It has already been installed. When I run the Fixlet it reports failed. I have manually installed this on the system and it still reports that it is needed. If I rerun the Fixlet it again shows failed but still applicable.

(imported comment written by JackCoates91)

Hi,

what happens if you check the relevance statements on the system in question?

To do this if you haven’t done it before:

  1. get the Fixlet Debugger from here: http://support.bigfix.com/fixlet/

  2. Copy the relevance from the Fixlet that you’re not sure about, and paste it into the debugger’s QnA window.

  3. put a "q: " in front of each clause and make sure there are no newlines (you’ll see the syntax colorize when you’ve done this).

  4. press F5 to evaluate.

If anything evaluates to an error message or true, check it against reality. If it seems to be wrong, it might be a bug in Fixlet Debugger or a bug in the Fixlet. In either case, we’d like to hear about it.

Thanks,

Jack

(imported comment written by mgardner28)

I have this occurring on several machines now. Most of them are Windows 2008 Server R2. All parts of the relevance initially come back as true. If I completely uninstall “Microsoft Visual C++ 2005 Redistributable” then the Fixlet is no longer relevant. Once I manually reinstall with the version that is in the download link of the Fixlet then Fixlet MS09-035 becomes relevant again. The only version that shows installed now is Microsoft Visual C++ 2005 Redistributable Version 8.0.56336. Any suggestions as to what I should do next?

(imported comment written by JackCoates91)

Just to make sure I’m following, sounds like the Visual C++ 2005 redistributable that comes with some products can’t be fixed by the downloaded redistributable and must be uninstalled first?

We’ll keep looking at this, thanks.

(imported comment written by mcalvi91)

Same symptom. The patch has been applied multiple times and rebooted with no effect on Win 7 SP1 systems.

(imported comment written by mgardner28)

It appears that the 64 bit Fixlet for MS09-035 worked. I only had two systems that showed it relevant. The Fixlet completed successfully. The 32 bit version still fails as of this morning.

(imported comment written by nberger91)

Anyone identified the issue/workaround?

I still have hosts reporting relevant to ‘MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution - Visual C++ 2005 SP1 Redistributable Package’. The patch installs, then reports back status of ‘Failed’ after reboot. Nothing in the event log indicates why. According to the msft bulletin summary, the relevance looks fine. How do I patch them, or fix the reporting (if wrong)? :)

(imported comment written by mgardner28)

I’d like to know how to resolve this issue soon. I have to submit a monthly report and I don’t want to show this as a vulnerability. Right now the only way I can clear it (not relevant) is to completely uninstall Microsoft Visual C++ 2005 Redistributable. This is not a good option.

Thanks

(imported comment written by JackCoates91)

Hi,

our testbed is not showing this issue, which means that it won’t go away until we get some data on the differences between systems where it happens and systems where it doesn’t. At this point, it sounds like the Visual C++ 2005 redistributable that comes with some products can’t be fixed by the downloaded redistributable and must be uninstalled first. Which products? What’s different about the redistributable?

(imported comment written by nberger91)

vSphere client has a dependency on this, which won’t update (the patch installs, yet the Fixlet returns ‘Failed’ after reboot).

We cannot isolate this to physical versus virtual hosts, or installed application? What I do know is vSphere client won’t be the only application with the C++ dependency …

(imported comment written by sunbigfix91)

I’m facing the same issue. I have VMware vSphere client on my machine and it is showing “Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution - Visual C++ 2005 SP1 Redistributable Package”.

(imported comment written by mgardner28)

My machines have vSphere client installed as well. This seems to be the common application. Any suggestions? Do you need more information?

Thanks

(imported comment written by mgardner28)

I uninstalled vSphere client and Visual C++ 2005 SP1 Redistributable Package. Restarted server. Relevance for fixlet MS09-35 was then false. I reinstalled Visual C++ SP1 Redistributable Package using the Software Distribution Wizard with the file from the link in the fixlet. The version for Visual C++ SP1 Redistributable Package shown in Programs and Features is 8.0.59193. Restarted server. Relevance for fixlet MS09-35 was then True. This should be False at this point. Am I missing something? I have not re-installed vSphere client yet.

Thanks

(imported comment written by mgardner28)

The 64 bit version of this Fixlet has this relevance.

not exists keys whose ((value "DisplayName" of it = "Microsoft Visual C++ 2005 Redistributable (x64)") and (value "DisplayVersion" of it as string >= "8.0.59192")) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry

The 64 bit Fixlet works fine.

It looks to me like the 32 bit version should have similar relevance. Maybe something like this.

not exists keys whose ((value "DisplayName" of it = "Microsoft Visual C++ 2005 Redistributable") and (value "DisplayVersion" of it as string as version >= "8.0.59193")) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry

Thanks
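The two relevance clauses above test the same thing, the DisplayVersion under the Uninstall key, but one compares it lexically (`as string >=`) and the other as a version (`as version >=`). The following Python model, added here as an example and not code from the thread or from BigFix, evaluates both styles against a constructed registry snapshot. It goes a little beyond the posted clauses: besides showing that 8.0.59193 makes the proposed 32-bit clause evaluate to not-relevant, it includes a constructed entry with a short build number to show where the lexical comparison disagrees with the version comparison. Every subkey name and version value in it is sample data.

```python
"""Model of the posted relevance clauses (added example, not BigFix code).

Compares "DisplayVersion as string >= X" with "DisplayVersion as version >= X"
over a constructed snapshot of HKLM\\...\\Uninstall subkeys.
"""
from typing import Dict, List, Tuple

# Constructed snapshot: subkey name -> registry values (not real GUIDs).
UNINSTALL_SNAPSHOT: Dict[str, Dict[str, str]] = {
    "{constructed-guid-1}": {
        "DisplayName": "Microsoft Visual C++ 2005 Redistributable",
        "DisplayVersion": "8.0.59193",
    },
    "{constructed-guid-2}": {
        "DisplayName": "Microsoft Visual C++ 2005 Redistributable (x64)",
        "DisplayVersion": "8.0.59192",
    },
    "{constructed-guid-3}": {
        "DisplayName": "Unrelated Product",
        "DisplayVersion": "1.0",
    },
}

# Constructed snapshot with a short build number to expose lexical comparison.
SHORT_BUILD_SNAPSHOT: Dict[str, Dict[str, str]] = {
    "{constructed-guid-4}": {
        "DisplayName": "Microsoft Visual C++ 2005 Redistributable",
        "DisplayVersion": "8.0.6",  # constructed, deliberately older than 8.0.59193
    },
}


def as_version(text: str) -> Tuple[int, ...]:
    """Version-aware comparison key: '8.0.59193' -> (8, 0, 59193)."""
    return tuple(int(part) for part in text.split("."))


def patched_entries(snapshot: Dict[str, Dict[str, str]], display_name: str,
                    minimum: str, compare_as: str) -> List[str]:
    """Subkeys whose DisplayName matches exactly and whose DisplayVersion
    is >= minimum under the chosen comparison ('string' or 'version')."""
    hits: List[str] = []
    for subkey, values in snapshot.items():
        if values.get("DisplayName") != display_name:
            continue
        version = values.get("DisplayVersion", "")
        if compare_as == "string":
            ok = version >= minimum            # lexical, like "as string >="
        elif compare_as == "version":
            ok = as_version(version) >= as_version(minimum)  # like "as version >="
        else:
            raise ValueError(f"unknown comparison mode: {compare_as}")
        if ok:
            hits.append(subkey)
    return hits


def fixlet_relevant(snapshot: Dict[str, Dict[str, str]], display_name: str,
                    minimum: str, compare_as: str) -> bool:
    """Mirror of 'not exists keys whose (...)': relevant when no patched entry exists."""
    return not patched_entries(snapshot, display_name, minimum, compare_as)


def disagreements(snapshot: Dict[str, Dict[str, str]], display_name: str,
                  minimum: str) -> List[Tuple[str, str, bool, bool]]:
    """Entries where lexical and version comparison give different answers."""
    out = []
    for subkey, values in snapshot.items():
        if values.get("DisplayName") != display_name:
            continue
        version = values["DisplayVersion"]
        lexical = version >= minimum
        versioned = as_version(version) >= as_version(minimum)
        if lexical != versioned:
            out.append((subkey, version, lexical, versioned))
    return out


if __name__ == "__main__":
    name32 = "Microsoft Visual C++ 2005 Redistributable"
    print("32-bit clause relevant:", fixlet_relevant(UNINSTALL_SNAPSHOT, name32, "8.0.59193", "version"))
    for subkey, ver, lex, vers in disagreements(SHORT_BUILD_SNAPSHOT, name32, "8.0.59193"):
        print(f"{subkey} DisplayVersion={ver}: as string -> {lex}, as version -> {vers}")
```

With 8.0.59193 present the proposed clause correctly reports not-relevant, which is the result mgardner28 expected but did not get, so the posted 32-bit relevance is unlikely to be just a copy of the 64-bit one. The `disagreements` call shows why the `as version` cast matters: a lexical comparison treats the constructed "8.0.6" as newer than "8.0.59193" and would silently mark an unpatched host as patched.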

(imported comment written by nberger91)

64bit fails for me where vSphere 4.0 and 4.1 are installed. Can someone at BigFix or anyone in the forum community reach out to VMware on this?

(imported comment written by mgardner28)

My servers with vSphere 4.1 worked fine with the 64bit version. The 32bit version fails every time.

(imported comment written by mcalvi91)

My x64 system has vSphere console installed as well. To throw a monkey wrench in though, we had some server systems showing the same issue without vSphere but they were 64bit.

(imported comment written by delichty91)

I have been fighting this same issue for a couple of weeks now. The Visual C++ 2008 Redistributable version of MS09-035 works just fine, it is only the Visual C++ 2005 Redistributable version that does not function correctly.

In my case, each attempt to execute the Fixlet results in an exit code of 0. When viewing the properties of the Applicable Computers, this patch already shows up under “Installed Applications - Windows”.

One thing I have noticed in my environment: it appears that only Windows 7 systems with Service Pack 1 are not working properly. Those Windows 7 systems that do not have Service Pack 1 installed are working just fine.

In looking through the relevance statements (please bear with me, I am a newbie when it comes to the relevance language stuff), it appears there may be an error in Relevance 6.

Within the “if” segment it tests for:

(name of it = “Win7”) AND service pack major version of it = 0

In the case of my Win7SP1 machines, this segment evaluates as FALSE.

When I test the complete “if” segment of Relevance 6 I also get a FALSE result.

Since the if…then…else construct concludes with:

else true

The entirety of Relevance 6 is resulting as TRUE.

A test of the “then” segment of Relevance 6, which I believe is checking the versions of the affected files, results as FALSE.

My conclusion: Relevance 6 needs to be rewritten to include Win7 Service Pack 1.

Then again, I could be WAY off base here.

I welcome your comments/suggestions.

Thanks
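The if/then/else shape described in the post above is easy to model. The Python below is an added example, not the Fixlet's actual Relevance 6 and not code from the thread: it assumes the clause has exactly one guard, `(name of it = "Win7") AND service pack major version of it = 0`, a "then" branch that compares file versions, and a trailing `else true`, and then shows the outcome on Win7 SP0 and SP1 hosts. The OS names, the file name and every file version in it are constructed placeholders, and the corrected variant simply extends the guard to SP1, which is the change the post concludes is needed.

```python
"""Model of the if/then/else fall-through described for Relevance 6
(added example; the real Fixlet relevance is not reproduced here)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed placeholder for the file version the patch is assumed to install.
FIXED_FILE_VERSION = "8.0.50727.4053"


@dataclass
class Host:
    os_name: str                    # e.g. "Win7" (constructed)
    service_pack_major: int         # 0 or 1
    # path -> file version of the affected binaries (constructed placeholders)
    files: Dict[str, str] = field(default_factory=dict)


def as_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def files_need_patch(host: Host) -> bool:
    """'then' branch: true when any tracked file is older than the fixed version."""
    return any(as_version(v) < as_version(FIXED_FILE_VERSION) for v in host.files.values())


def relevance6_as_posted(host: Host) -> bool:
    """if (name = Win7 AND sp = 0) then <file check> else true"""
    if host.os_name == "Win7" and host.service_pack_major == 0:
        return files_need_patch(host)
    else:
        return True   # SP1 never reaches the file check and is always relevant


def relevance6_with_sp1(host: Host) -> bool:
    """Same clause with the guard widened to cover Service Pack 1."""
    if host.os_name == "Win7" and host.service_pack_major in (0, 1):
        return files_need_patch(host)
    else:
        return True


def evaluate(host: Host) -> Dict[str, bool]:
    """Both evaluations side by side for one host."""
    return {
        "as_posted": relevance6_as_posted(host),
        "with_sp1": relevance6_with_sp1(host),
    }


if __name__ == "__main__":
    patched = {"placeholder_atl.dll": FIXED_FILE_VERSION}
    unpatched = {"placeholder_atl.dll": "8.0.50727.762"}   # constructed older version
    for label, host in [
        ("Win7 SP0, patched", Host("Win7", 0, patched)),
        ("Win7 SP1, patched", Host("Win7", 1, patched)),
        ("Win7 SP1, unpatched", Host("Win7", 1, unpatched)),
    ]:
        print(f"{label}: {evaluate(host)}")
```

The interesting row is "Win7 SP1, patched": the posted form returns true because the guard fails and the clause drops through to `else true`, so the Fixlet stays relevant no matter what the patch did, which matches the "installs, then reports Failed" behaviour in the thread. Widening the guard gives the expected false on a patched SP1 host while an unpatched SP1 host still evaluates true.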

(imported comment written by mgardner28)

A few good suggestions here. Hopefully someone from BigFix will let us know something soon.

(imported comment written by SystemAdmin)

We’re looking into this issue. It definitely has something to do with the way the relevance is being evaluated; it really shouldn’t be additional software that’s affecting your systems. We’ll publish an updated version of the Fixlet soon and hopefully it’ll solve your problems. Thanks for all your input. It does help us narrow down the potential problems.