GDI+ Vulnerability Relevance Needless Complexity

Is there a reason that the various “GDI+ Remote Code Execution Vulnerability” Fixlets in the “Vulnerabilities to Windows Systems” (http://sync.bigfix.com/cgi-bin/bfgather/vulnwindows) have so much repeated logic in the main Relevance statement?
It’s over 70,000 characters sometimes (not counting whitespace when expanded), but most of that is a series of “or” statements which each only vary by a few sub-statements.

Looking at, say, Fixlet ID 745101, “GDI+ Remote Code Execution Vulnerability - CVE-2020-0964”.

First let’s ignore that the Site Level Relevance duplicates Relevance 1 of the Fixlet to find Windows machines. That’s fine-ish; the Fixlet should stand on its own.

There are 32 “or” statements, so that’s 33 statements this thing is matching.
Each and every one of these “or” statements is matching “windows of operating system” first. Why? Not only does the Site already require it, and not only does the Fixlet already cover it in the very first relevance statement, but we have this nifty thing called “AND” that we could wrap the entire thing in, like “windows of operating system AND ({insert 33 or statements here})”.

Oh, but it gets better. For example, we have this lovely statement:

Yes, that’s 2 identical statements except that one is checking for any Server 2012, and the other is checking for any Server 2012 whose InstallationType it = “server core”. Which is already matched by the original… which comes before the “server core” check.

I’ve got 10 OR statements checking for it = “x86” in the exact same registry key, 13 looking for AMD64 using regex to ensure it’s case insensitive, while I’ve got a pair of matches for “ia64” that match “it as lowercase”, thus avoiding calling up the regex…

But wait, there’s more!


These 2 are combined with an AND statement. Do I really need to chug through the registry twice to match this file version being between 5 and 5.2.7601.24552? I’m not very good at BigFix Relevance, but something tells me there’s a more efficient way.

So I ask again… is there a good reason for this to be so complex and yet so redundant? Am I missing something (besides of course the usual pressures of not enough hours in the day to make things efficient, we’ve all been there)?
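To make the complaint concrete, here is an added example of the shape being described, written for this reply and not taken from Fixlet 745101 or the site. It is two separate Relevance expressions to paste into the Fixlet Debugger one at a time: the first reproduces three of the redundant “or” branches (each re-checking “windows of operating system”, each re-reading the same PROCESSOR_ARCHITECTURE value, one of them a Server Core branch that the plain Server 2012 branch already covers, and the file version bounded by two separate “exists file” reads); the second is the factored equivalent. The registry keys, the file name “gdiplus.dll” under “system folder”, the “Win2012” name prefix and the 5.0 lower bound are illustrative assumptions, not values taken from the actual Fixlet; the upper bound is the one quoted above.

```relevance
(windows of operating system and (name of it starts with "Win2012") of operating system and (value "PROCESSOR_ARCHITECTURE" of key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of native registry as string = "x86") and exists file "gdiplus.dll" whose (version of it >= "5.0" as version) of system folder and exists file "gdiplus.dll" whose (version of it < "5.2.7601.24552" as version) of system folder)
or (windows of operating system and (name of it starts with "Win2012") of operating system and (value "InstallationType" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string as lowercase = "server core") and (value "PROCESSOR_ARCHITECTURE" of key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of native registry as string = "x86") and exists file "gdiplus.dll" whose (version of it >= "5.0" as version) of system folder and exists file "gdiplus.dll" whose (version of it < "5.2.7601.24552" as version) of system folder)
or (windows of operating system and (name of it starts with "Win2012") of operating system and (value "PROCESSOR_ARCHITECTURE" of key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of native registry as string matches case insensitive regex "amd64") and exists file "gdiplus.dll" whose (version of it >= "5.0" as version) of system folder and exists file "gdiplus.dll" whose (version of it < "5.2.7601.24552" as version) of system folder)

windows of operating system
and (name of it starts with "Win2012") of operating system
and exists value "PROCESSOR_ARCHITECTURE" whose (it as string as lowercase = "x86" or it as string as lowercase = "amd64" or it as string as lowercase = "ia64") of key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of native registry
and exists file "gdiplus.dll" whose (version of it >= "5.0" as version and version of it < "5.2.7601.24552" as version) of system folder
```

The factored form hoists the Windows and OS-name checks out of the “or” chain, drops the Server Core branch outright because the plain Server 2012 branch subsumes it, reads the architecture value once and compares it lowercased so neither a regex nor three separate reads are needed, and puts both version bounds in one “whose” so the file is stat’ed once. Wrapping the registry read in “exists value … whose (…)” also means a machine without that value evaluates to False rather than throwing a singular-expression error. Both expressions should give the same answer on any given endpoint; the Fixlet Debugger’s evaluation time for each is the quickest way to see the cost of the redundant shape.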

It’s possible that it is programmatically generated like the Windows patches. While technically correct, it’s often not the most efficient. Just a guess.