M/S Office Web Componets Security Updates

(imported topic written by VIANXW91)

I have a Windows Server 2008 Enterprise SP2 (64-Bit) running as a BES which is running the BigFix client and Windows Automatic Update (AU) configured to an internal WSUS server.

Windows Update is showing the following security updates as needed because Microsoft Office 2003 Web Components is installed. Web Components is required as part of the BigFix installation.

MS09-062: Security Update for the 2007 Office system: October 13, 2009

MS08-052: Security Update for GDI+ for the 2007 Office system:

Update for the 2007 Microsoft Office System (KB967642)

The problem is that BigFix does not show these security updates as relevant to the server.

It would appear that, since actual Microsoft Office is not installed on the server then the BigFix analysis “Microsoft Office Configuration Information†is not showing as available to activate so therefore BigFix is not applying any Microsoft Office relevance logic. In short, BigFix isn’t offering these updates for install.

Since Web Components is installed and considered a part of Microsoft Office, shouldn’t BigFix be verifying relevance to applicable Office security updates. Otherwise without Windows Update an administrator would never know the server is vulnerable to the exploit called out in the security updates. If Microsoft shows the updates as applicable, shouldn’t BigFix?

(imported comment written by BenKus)

Hi vianxw,

The “Microsoft Office Configuration Information” isn’t directly related to any of the Fixlets. I don’t know why those MS bulletins aren’t relevant but there are lots of MS08-052 and MS09-062 Fixlets to detect different components that have these issues. We would need to look into it in detail to figure out if the patch was needed. KB967642 is not security related.