Issue with CVE-2017-8529 (Patches for Windows)?

Fixlets 170852903 (“Enable Solution to CVE-2017-8529”) and 170852901 (“Disable Solution to CVE-2017-8529”) appear to no longer be Relevant in my organization.

These Fixlets control adding & removing additional registry keys that were required after applying the September 2017 rollup packages (“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX”)

Nessus says that my systems are vulnerable to CVE-2017-8529 based on the missing registry keys.

On a machine that does not have the mitigating registry key applied, I’m getting a False for Relevance 4
number of (elements of ((set of (if (exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) then elements whose ((it contains "4036586" OR it contains "4038777" OR it contains "4038781" OR it contains "4038782" OR it contains "4038783" OR it contains "4038788" OR it contains "4038792" OR it contains "4038799") AND it does not contain "_") of (set of ((substrings before "~" of substrings after "for_" of names of keys whose (name of it contains "for_" AND (it = 96 or it = 112 or it = 6 or it = 7) of (value "CurrentState" of it as integer)) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) as uppercase)) else (nothing))))) > 0

My system is currently running on Win10 1709. I’ve applied the rollups through March 2018.
I also have a number of Windows 10 build 1607 clients in the deployment that are also not relevant to either of these fixlets.

I suspect this is a false-negative detection on the Fixlets based on the Fixlets not being updated with all of the current update rollup packages, but wanted to check if there were any thoughts on this before I PMR’d it.

If it helps, I generated my update list from that relevance and removed the filter for individual patch names, and get the following:

q: (elements of ((set of (if (exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) then elements whose ((TRUE /* Removed patch list: it contains "4036586" OR it contains "4038777" OR it contains "4038781" OR it contains "4038782" OR it contains "4038783" OR it contains "4038788" OR it contains "4038792" OR it contains "4038799" */ ) AND it does not contain "_") of (set of ((substrings before "~" of substrings after "for_" of names of keys whose (name of it contains "for_" AND (it = 96 or it = 112 or it = 6 or it = 7) of (value "CurrentState" of it as integer)) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) as uppercase)) else (nothing)))))
A: 
A: 31BF3856AD364E35
A: AMD64
A: KB4054022
A: KB4056887
A: KB4074595
A: KB4074608
A: KB4088776
A: KB4088785
A: ROLLUPFIX
T: 157.089 ms
I: plural string
1 Like

Hello JasonWalker or others…
Did you resolve this? Via PMR or other method?

It seems we’re facing this same situation with a large number of Windows Servers (2008 and 2012) missing these registry keys due to the same fixlet relevance…and Nessus is flagging it.

No, I just made custom fixlets.

It looks like fixlet has been updated to reflect the correct set of dependency updates?

number of (elements of ((set of (if (exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) then elements whose ((it contains "4036586" OR it contains "4038777" OR it contains "4038781" OR it contains "4038782" OR it contains "4038783" OR it contains "4038788" OR it contains "4038792" OR it contains "4038799" OR it contains "4038801" OR it contains "4040685" OR it contains "4040724" OR it contains "4041676" OR it contains "4041681" OR it contains "4041688" OR it contains "4041689" OR it contains "4041690" OR it contains "4041691" OR it contains "4041693" OR it contains "4042895" OR it contains "4047206" OR it contains "4048952" OR it contains "4048953" OR it contains "4048954" OR it contains "4048956" OR it contains "4049370" OR it contains "4051033" OR it contains "4052231" OR it contains "4052232" OR it contains "4052978" OR it contains "4053578" OR it contains "4053579" OR it contains "4053580" OR it contains "4053581" OR it contains "4055254" OR it contains "4056568" OR it contains "4056888" OR it contains "4056890" OR it contains "4056891" OR it contains "4056893" OR it contains "4057142" OR it contains "4057144" OR it contains "4074590" OR it contains "4074591" OR it contains "4074592" OR it contains "4074596" OR it contains "4074736" OR it contains "4075199" OR it contains "4075200" OR it contains "4077528" OR it contains "4088779" OR it contains "4088782" OR it contains "4088786" OR it contains "4088787" OR it contains "4088889" OR it contains "4088891" OR it contains "4089187" OR it contains "4092077" OR it contains "4092946" OR it contains "4093107" OR it contains "4093109" OR it contains "4093111" OR it contains "4093117" OR it contains "4093119" OR it contains "4093120" OR it contains "4096040" OR it contains "4096309" OR it contains "4103716" OR it contains "4103720" OR it contains "4103722" OR it contains "4103723" OR it contains "4103731" OR it contains "4103768" OR it contains "4230450" OR it contains "4284830" OR it contains "4284833" OR it contains "4284860" OR it contains "4284874" OR it contains "4284880") AND it does not contain "_") of (set of ((substrings before "~" of substrings after "for_" of names of keys whose (name of it contains "for_" AND (it = 96 or it = 112 or it = 6 or it = 7 or it = 80) of (value "CurrentState" of it as integer)) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) as uppercase)) else (nothing))))) > 0 OR (if ((name of it = "Win10" OR name of it = "Win2016" OR (it starts with "Win") of name of it AND (exists value "CurrentMajorVersionNumber" of it AND value "CurrentMajorVersionNumber" of it as integer = 10 AND value "ReleaseID" of it as string = "1607" ) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) of operating system ) then ((it as integer > 1715) of value "UBR" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) else false) OR (if ((name of it = "Win10" OR (it starts with "Win") of name of it AND (exists value "CurrentMajorVersionNumber" of it AND value "CurrentMajorVersionNumber" of it as integer = 10 AND value "ReleaseID" of it as string = "1703" ) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) of operating system ) then ((it as integer > 608) of value "UBR" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) else false)
1 Like