Are there any plans to release a Fixlet for todays Out of Cycle IE Patch?
According to the PCWorld article …
The Fix-It solution only works with 32-bit versions of Internet Explorer, and you must first apply the cumulative update for Internet Explorer from last week’s Patch Tuesday (MS13-069).
We’re looking at this. This is pretty unusual in that it’s not quite an actual IE patch, just a workaround. In general though, we don’t release patches for Microsoft Fix-It solutions or security advisories and just wait for the actual patch from Microsoft to come out, but this might be an exception.
So I haven’t had a chance to completely test this at all yet, but essentially the relevance and actionscript seem pretty simple… The fix it doesn’t actually care if you have the latest version of IE installed or not. Given that, the critical piece of relevance looks something like:
Q: not exists key whose (value "DisplayName" of it as string as lowercase = "cve-2013-3893") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry
continue if {(size of it = 1070080 AND sha1 of it = "57451645b7889e7dc3cf4266791e1d86bc4e1ad0") of file "MicrosoftFixit51001.msi" of folder "__Download"}
// IE must be closed in order to deploy this Fixlet.
continue if {not exists running application "iexplore.exe"}
“You must have security update 2870699 installed for this Fix it to provide effective protection against this issue. For more information about security update 2870699, click the following article number to view the article in the Microsoft Knowledge Base:”
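As an added example that is not part of this thread or the published Fixlet, here is a read-only PowerShell check that mirrors the relevance above (Uninstall entry with DisplayName "cve-2013-3893", IE not running) and also reports the KB2870699 prerequisite that the Microsoft text requires. It assumes the Fix-It registers an Uninstall entry with that DisplayName and that KB2870699 is visible to Get-HotFix; both are assumptions, adjust for your estate.

```powershell
# Added example: compliance check for the CVE-2013-3893 Fix-It shim and its prerequisite.
# Assumptions (not verified against the thread): the Fix-It's Uninstall entry has
# DisplayName "CVE-2013-3893", and KB2870699 appears in Get-HotFix output.

function Test-Cve20133893Shim {
    [CmdletBinding()]
    param()

    # 1. Shim present? Same test as the Fixlet relevance: any Uninstall entry whose
    #    DisplayName, lower-cased, equals "cve-2013-3893". Both registry views are
    #    checked so a 32-bit MSI on a 64-bit OS is not missed.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $shim = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName.ToLower() -eq 'cve-2013-3893' }

    # 2. Prerequisite: the MS13-069 cumulative update (KB2870699) must be installed,
    #    otherwise the shim does not provide effective protection.
    $prereq = Get-HotFix -Id 'KB2870699' -ErrorAction SilentlyContinue

    # 3. The shim cannot be deployed while IE is running (the actionscript's
    #    "continue if" check), so surface that for deployment planning as well.
    $ieRunning = [bool](Get-Process -Name 'iexplore' -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        ShimInstalled = [bool]$shim
        KB2870699     = [bool]$prereq
        IERunning     = $ieRunning
        # Only counts as protected when both the shim and its prerequisite are present.
        Protected     = ([bool]$shim -and [bool]$prereq)
    }
}

Test-Cve20133893Shim | Format-List
```

Endpoints that show ShimInstalled = True but KB2870699 = False are the ones the thread worries about: they report the Fixlet as done while still lacking effective protection.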
I looked at the relevance for your published SHIM and I do not see a relevance statement that checks to see if MS13-069 is installed first. On my systems that do not have MS13-069 installed, the SHIM is reporting as true.
Secondly, per the same page:
"By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability."
How does everyone else read that statement? If you leave the Enhanced Security Configuration enabled, are you 100% protected against this vuln? Or do you still need to apply the SHIM?
Yup, we noticed the other 'prerequisite' update too, but the actual SHIM workaround is something you can still apply regardless of whether you're up to date on security patches, so we wrote the fixlet up to mirror Microsoft's fixit behavior. It's possible of course to throw the MS13-069 relevance in as a prereq anyway, but then you're missing a whole bunch of endpoints that don't have MS13-069: they won't report something like this on the console when they need both MS13-069 and the SHIM.
Also this fixit applies to literally all versions of IE and all Windows OSes. Trying to write the “is MS13-069 applied” relevance is going to be pretty tricky in that circumstance. We could have also stuck that kind of a check in the actionscript but then the action becomes almost unreadable.
We thought simple was probably better in this case.
From my personal perspective, I don’t think Enhanced Security 100% protects against the vulnerability. A lot of the mitigating factors on Microsoft’s page tend to say stuff like “yes, this is a mitigating factor if you have users that have fewer rights than full administrative powers, but there might still be an impact.” I’d apply the SHIM.