Microsoft Patch Tuesday Detail / Summary Report?

(imported topic written by tscott91)

Hello, I was wondering if someone could help me create a report that would show the patches along with their description and file size for each patch Tuesday…

Basically I’m wanting something like this…

A drop down that has dates you can select (the patch Tuesday dates)… You select the date (IE: June 8th) and submit… Once submitted it has:

MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege - Windows XP SP2/SP3

Description

Microsoft has released a security update that resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.

After downloading and installing this update, affected computers will no longer be susceptible to these vulnerabilities.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Note: This security update is also referenced under KB979559.

File Size:

1.41 MB

MS10-033: Vulnerabilities in Media Decompression Could Allow Remote Code Execution - Quartz.dll (DirectShow) - Windows XP SP2/SP3

Description

Microsoft has released a security update that resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

After downloading and installing this update, affected computers will no longer be susceptible to these vulnerabilities.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Note: Microsoft has announced that this update may be included in a future service pack or update rollup.

Note: This security update is also referenced under KB975562.

File Size:

1022 KB

And so on…

Reason I need something like this is we have a change control board and I have to manually copy / paste all this info in a doc to submit to them regarding any patches I install.

Thanks!

(imported comment written by BenKus)

Hi tscott,

Try this:

  1. Use the presentation debugger (set to html) – http://support.bigfix.com/cgi-bin/kbdirect.pl?id=508 – or the Excel Connector – http://support.bigfix.com/labs/excelconnect.html .

  2. Use this session relevance:

concatenation "


" of messages of bes fixlets whose (source of it = "Microsoft" and source release date of it = "08 jun 2010" as date)

(imported comment written by tscott91)

Thanks much for the reply Ben!

That’s a good start… However, two questions…

  1. Anyway to eliminate the duplicates? (IE: the multiple MSXX articles for each OS and display each MSXX just once?)

  2. So it’s not possible to get this as a saved report? I would have to go about it like above and then just copy / paste the results?

Thanks again!

Tom

(imported comment written by BenKus)

This one should eliminate duplicates. I also modified it so that it will look at the last Patch Tuesday (second Tues of month) so you won’t have to hard code the date manually.

concatenation "


" of htmls(it) of unique values of (it as string) of messages of bes fixlets whose (source of it = "Microsoft" and source release date of it = (first tuesday of month_and_year of current date + 1 * week))

You can open up web reports and drop this code into a web report and save it… You just need to add relevance pre and post tags like this:

<?Relevance session relevance goes here ?>

Ben

(imported comment written by tscott91)

Thanks for the reply…

Forgive me as I’m still very new to BigFix… I’m taking 201 and 202 hopefully this month or next… Can you give a quick step by step?

I went into webreports, clicked create, and chose blank report… I then pasted your bold code into it and clicked store… It didn’t work. :frowning:

(imported comment written by BenKus)

Try pasting this in your blank report:

<?Relevance concatenation "
" of htmls(it) of unique values of (it as string) of messages of bes fixlets whose (source of it = "Microsoft" and source release date of it = (first tuesday of month_and_year of current date + 1 * week)) ?>

Ben

(imported comment written by tscott91)

Almost there! :smiley:

  1. Anyway to get the MSXX numbers as well?

  2. I get a bit of funky output (pasted below).

Microsoft has released a security update that resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

After downloading and installing this update, affected computers will no longer be susceptible to this vulnerability.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the installation of this update. See the Known Issues section of the security bulletin for more information.

Important Note: In addition to this update, customers also need to install the update for 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (KB982312) to be protected from the vulnerability described in this bulletin.

Note: Microsoft has announced that this update will be included in a future service pack or update rollup.

Note: This security update is also referenced under KB982127.

Note: If this patch has already been installed on computers reporting relevant, it means that one or more files updated by the patch have been downgraded to unsafe versions. In order to ensure security, it is recommended that the patch be reinstalled.

File Size:

15.5 MB

Microsoft has released a security update that resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

After downloading and installing this update, affected computers will no longer be susceptible to this vulnerability.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the installation of this update. See the Known Issues section of the security bulletin for more information.

Important Note: In addition to this update, customers also need to install the update for 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (KB982312) to be protected from the vulnerability described in this bulletin.

Note: Microsoft has announced that this update will be included in a future service pack or update rollup.

Note: This security update is also referenced under KB982127.

Note: If this patch has already been installed on computers reporting relevant, it means that one or more files updated by the patch have been downgraded to unsafe versions. In order to ensure security, it is recommended that the patch be reinstalled.

File Size:
15.5 MB

(imported comment written by BenKus)

OK… try this:

<?Relevance concatenation "
" of unique values of (it as string) of (h2 of name of it & br & message of it ) of bes fixlets whose (source of it = "Microsoft" and name of it starts with "MS" and source release date of it = (first tuesday of month_and_year of current date + 1 * week)) ?>

Ben

(imported comment written by tscott91)

No dice :frowning:

MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege - Windows 2000 SP4 - CORRUPT PATCH

The listed computers have faulty installations of a patch for the vulnerability described in MS10-032. Some files being used by these computers have versions earlier than those of the corresponding files installed by the patch. Services or applications installed after the patch was distributed may have overwritten the files, or the initial installation may have been faulty. We recommend reinstalling this patch to ensure the safety of affected computers.

Microsoft has released a security update that resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.

After downloading and installing this update, affected computers will no longer be susceptible to these vulnerabilities.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Note: Microsoft has announced that this update may be included in a future service pack or update rollup.

Note: This security update is also referenced under KB979559.

File Size:
1.25 MB


MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege - Windows 2000 SP4

Microsoft has released a security update that resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.

After downloading and installing this update, affected computers will no longer be susceptible to these vulnerabilities.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Note: Microsoft has announced that this update may be included in a future service pack or update rollup.

Note: This security update is also referenced under KB979559.

File Size:
1.25 MB


MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege - Windows 7 (x64)

Microsoft has released a security update that resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.

After downloading and installing this update, affected computers will no longer be susceptible to these vulnerabilities.

Note: Affected computers may report back as ‘Pending Restart’ once the update has run successfully, but will not report back their final status until the computer has been restarted.

Note: Microsoft has announced that this update may be included in a future service pack or update rollup.

Note: This security update is also referenced under KB979559.

File Size:

(imported comment written by Lee Wei)

Try this

<?Relevance html (concatenation "
" of unique values of (it as string) of (h2 of name of it & br & message of it ) of bes fixlets whose (source of it = "Microsoft" and name of it starts with "MS" and source release date of it = (first tuesday of month_and_year of current date + 1 * week))) ?>

(imported comment written by tscott91)

That one formats nicely… Gives me the MSXX and the description etc… However, it has the duplicates and not just one for each MSXX.

Thanks

(imported comment written by tscott91)

Is everyone giving up? :smiley:

(imported comment written by Lee Wei)

Please try this report:

<h2>Current Microsoft Security Bulletins</h2>
<?relevance first tuesday of month_and_year of current date + 1 * week ?><hr>
<div id="resultsDiv"></div>

<script language="JavaScript">
window.onload = init;

function init() {
    // One "<h3>name</h3>||message" string per Microsoft fixlet released on the
    // second Tuesday of the current month, excluding "CORRUPT PATCH" fixlets.
    var relevanceStatement = 'unique values of (it as string) of (h3 of name of it & "||" & message of it) of bes fixlets whose (source of it = "Microsoft" and name of it starts with "MS" and name of it as lowercase does not contain "corrupt patch" and source release date of it = (first tuesday of month_and_year of current date + 1 * week)) ';
    var results = [];
    results = EvaluateRelevance(relevanceStatement);
    var dataArray = [];
    var previousFixletName = '<h3>MS00-000: Bulletin name info';
    var previousFixlet = ['<h3>MS00-000', 'Description'];
    var currentPatchCount = -1;
    var PlatformInfo = '';

    for (var i = 0; i < results.length; i++) {
        // Split the row into [name, message].
        var currentFixlet = results[i].split('||').slice();
        var currentFixletName = currentFixlet[0];
        var previousFixletName = previousFixlet[0];
        var fileSize = '';

        // A new bulletin starts when the first 12 characters ("<h3>MSxx-xxx")
        // differ from those of the previous row.
        if (currentFixletName.substr(0, 6) != '<h3>MS' ||
            (currentFixletName.substr(0, 12) != previousFixletName.substr(0, 12))) {
            currentPatchCount++;
            dataArray[currentPatchCount] = currentFixlet.slice();
            // Keep only the description, dropping the fixlet property block.
            dataArray[currentPatchCount][1] = dataArray[currentPatchCount][1].substr(0,
                dataArray[currentPatchCount][1].indexOf('<DIV class=FixletProperty>'));
            dataArray[currentPatchCount][2] = '';
            PlatformInfo = '<div style="margin-left: 10px;"><br><b>Applies to:</b><br>';
            fileSize = currentFixlet[1].substr(
                currentFixlet[1].indexOf('<H4>File Size:</H4>') + 20,
                currentFixlet[1].length - currentFixlet[1].indexOf('<H4>File Size:</H4>') - 28);
            // Platform is the part of the name after the first " - " following the bulletin ID.
            PlatformInfo += currentFixletName.substr(
                currentFixletName.indexOf(' - ', 13) + 3,
                currentFixletName.length - currentFixletName.indexOf(' - ', 13) - 8) +
                ' - (' + fileSize + ')<br>';
            previousFixlet = currentFixlet.slice();
        }
        else {
            // Same bulletin as the previous row: trim the platform from the
            // heading and append this row's platform and file size.
            dataArray[currentPatchCount][0] = previousFixletName.substr(0,
                previousFixletName.indexOf(' - ', 13)) + '</h3>';
            fileSize = currentFixlet[1].substr(
                currentFixlet[1].indexOf('<H4>File Size:</H4>') + 20,
                currentFixlet[1].length - currentFixlet[1].indexOf('<H4>File Size:</H4>') - 28);
            PlatformInfo += currentFixletName.substr(
                currentFixletName.indexOf(' - ', 13) + 3,
                currentFixletName.length - currentFixletName.indexOf(' - ', 13) - 8) +
                ' - (' + fileSize + ')<br>';
            dataArray[currentPatchCount][2] = PlatformInfo;
        }
    }

    var resultsHTML = '';

    for (var j = 0; j < dataArray.length; j++) {
        // Link each heading to the Open Vulnerabilities List filtered by bulletin ID.
        dataArray[j][0] = '<A name="' + dataArray[j][0] +
            '" href="/webreports?FixletNameBegins=' + dataArray[j][0].substr(4, 8) +
            '&ReportName=Open%20Vulnerabilities%20List&ReportType=tf&page=CreateNewReport2' +
            '" target="_blank">' + dataArray[j][0] + '</A>';
        resultsHTML += dataArray[j].join(' ') + '</div><br><hr>';
    }
    document.getElementById('resultsDiv').innerHTML = resultsHTML;
}
</script>

(imported comment written by tscott91)

Boo ya!!! This is perfect! You the man!

Thanks fellas!

(imported comment written by Lee Wei)

I see from the original post that file size information would be useful, so I have added that as well and updated the report code above.

(imported comment written by anthonymap91)

I copied the code above into a blank report. I get the header but nothing else (no data). Did I miss something?

Thanks,

Anthony

(imported comment written by Lee Wei)

anthonymap,

There are 2 areas where we might run into a problem with the code, either the Relevance statement, or the JavaScript.

If you use IE, there might be an error displayed as a yellow triangle at the bottom left. Double-click that to get the error.

For Firefox, the error is in Menu/Tools/Error Console.

To test the Relevance statement, paste it into:

http://your_webreports_server:portnumber/webreports?page=QNA

unique values of (it as string) of (h3 of name of it & "||" & message of it) of bes fixlets whose (source of it = "Microsoft" and name of it starts with "MS" and name of it as lowercase does not contain "corrupt patch" and source release date of it = (first tuesday of month_and_year of current date + 1 * week))

Let me know what you find and we should be able to figure out the problem.

Lee Wei
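
To check the JavaScript half separately from the Relevance half, the grouping step can be run under Node.js on constructed result rows. This is an added example, not code from the thread or from BigFix: `patchTuesday`, `groupByBulletin` and `SAMPLE_RESULTS` are hypothetical names, and the row layout (`<h3>name</h3>||message` with a `<DIV class=FixletProperty>` block and a `<H4>File Size:</H4>` heading) is assumed from the report code earlier in the thread.

```javascript
// SAMPLE_RESULTS is constructed; real rows come from EvaluateRelevance() in Web Reports.
const SAMPLE_RESULTS = [
  '<h3>MS10-032: Kernel-Mode Drivers Elevation of Privilege - Windows XP SP2/SP3</h3>||' +
    '<P>Description A</P><DIV class=FixletProperty><H4>File Size:</H4> 1.41 MB</DIV>',
  '<h3>MS10-032: Kernel-Mode Drivers Elevation of Privilege - Windows 7 (x64)</h3>||' +
    '<P>Description A</P><DIV class=FixletProperty><H4>File Size:</H4></DIV>',
  '<h3>MS10-032: Kernel-Mode Drivers Elevation of Privilege - Windows 2000 SP4 - CORRUPT PATCH</h3>||' +
    '<P>Faulty install</P>',
  '<h3>MS10-033: Media Decompression Remote Code Execution - Quartz.dll (DirectShow) - Windows XP SP2/SP3</h3>||' +
    '<P>Description B</P><DIV class=FixletProperty><H4>File Size:</H4> 1022 KB</DIV>',
];

// Second Tuesday of a month (month is 1-12): the date the thread's relevance
// expresses as "first tuesday of month_and_year of current date + 1 * week".
function patchTuesday(year, month) {
  const firstDow = new Date(Date.UTC(year, month - 1, 1)).getUTCDay(); // 0 = Sunday
  const firstTuesday = 1 + ((2 - firstDow + 7) % 7);
  return new Date(Date.UTC(year, month - 1, firstTuesday + 7));
}

// Group rows by bulletin ID. Keying on the ID means the result does not
// depend on the order in which the rows arrive.
function groupByBulletin(results) {
  const bulletins = new Map();
  for (const row of results) {
    const sep = row.indexOf('||');
    if (sep < 0) continue; // not a "name||message" row
    const name = row.slice(0, sep).replace(/<[^>]*>/g, '').trim();
    const message = row.slice(sep + 2);
    const m = /^(MS\d{2}-\d{3}):\s*(.*)$/.exec(name);
    if (!m || /corrupt patch/i.test(name)) continue;
    // Everything after the first " - " is the component/platform the fixlet applies to.
    const dash = m[2].indexOf(' - ');
    const title = dash < 0 ? m[2] : m[2].slice(0, dash);
    const platform = dash < 0 ? 'unspecified' : m[2].slice(dash + 3);
    // A row whose File Size heading has no value is reported as "unknown".
    const size = /<H4>File Size:<\/H4>\s*([^<\s][^<]*)/i.exec(message);
    const propsAt = message.indexOf('<DIV class=FixletProperty>');
    if (!bulletins.has(m[1])) {
      bulletins.set(m[1], {
        id: m[1],
        title,
        description: propsAt < 0 ? message : message.slice(0, propsAt),
        appliesTo: [],
      });
    }
    bulletins.get(m[1]).appliesTo.push({
      platform,
      fileSize: size ? size[1].trim() : 'unknown',
    });
  }
  return [...bulletins.values()];
}
```
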

Hi,
How can we configure the report Current Microsoft Security Bulletins to be sent on a schedule every time it changes (on each Patch Tuesday, to be specific)? I can see the source of the web report has this: relevance first tuesday of month_and_year of current date + 1 * week, but I don’t know how to use it in the schedule report wizard, relevance area.

Test button says:
Q:
E: This expression could not be parsed

This looks like a great report but it’s not working for me. I’m able to get the relevance to evaluate properly so it’s probably some JavaScript failing somewhere.

Hi,

Can I have the latest file in .besrpt of this report, as it’s failing somewhere and not able to get the data?

thanks.
Naresh.