KB2896666 incorrect relevance

(imported topic written by Andrew_TEM)

The fixlet published for Microsoft’s FixIt 2896666 does not appear to have accurate relevance. According to the fixlet, it is showing applicable across our entire Windows Server infrastructure that is made up of 2003 and 2008R2 servers. According to the below Microsoft article, the security advisory does not deem Server 2003 or Server 2008R2 as affected. We do not have Office or Lync installed on these servers.

https://technet.microsoft.com/en-us/security/advisory/2896666

Please review the relevance written for fixlet ID 289666601.

Thank you,

Andrew

(imported comment written by sylviabeing)

Hi Andrew,

I totally understood your concern. Microsoft says the vulnerability is affecting Windows Vista & 2008 + Office & Lync only. Microsoft states that there is a vulnerability existing in the way affected components handle specially crafted TIFF images and Microsoft has provided a workaround by disabling the TIFF codec.

If you look into the details of the Microsoft Fix it given by Microsoft, it simply provides an automatic way of enabling or disabling the workaround - Disable the TIFF codec.

Our testing results show that this fix can be installed on different OSes from Win XP to Windows 2008 R2 without requiring the existence of an Office product. The Fixlet we have provided is following this applicability.

(imported comment written by CSL2012)

Sylvia,

I would have to disagree. The Knowledge Base exists for a specific reason: it helps define the parameters in which Change Management is approached. For example, say we do deploy this and ignore what’s been stated in the KB article on other OSes, but then something happens and those non-affected OSes do not function properly. Then it’s no longer a Microsoft issue, because what’s been defined in the KB article was ignored, and Support will not be provided even if the root cause is not the hot-fix itself. Also, side note, this becomes a legal nightmare.

chi

(imported comment written by sylviabeing)

Hi Chi,

Thanks for sharing your concern, and it seems valid to me.

We will look into this case to see what we can do to be more aligned with MS information.

Thanks,

Sylvia

(imported comment written by CSL2012)

Thank you.

Chi

(imported comment written by sylviabeing)

Hi Andrew and Chi,

Microsoft has updated some information for this Security Advisory, clarified the scope of the active attacks, clarified affected software configurations, and revised workarounds today. This information is helpful for us to identify the affected system more accurately.

Though there is quite some complexity about the attack range, we will try our best to be aligned with Microsoft’s statement.

Regards,

Sylvia

(imported comment written by CSL2012)

Thanks. I do have to agree, this is a complex exploit.

Chi

(imported comment written by sylviabeing)

Hi chi,

We have a draft relevance for the detection. Would you mind trying it in your environment?

Thanks & Regards,

Sylvia