MS09-017 False Positives

(imported topic written by SystemAdmin)

I’m seeing a lot of failures in our deployment of the MS09-017 fixlet that pertains to the Office Compatibility Pack (Reference #901736).

We’ve tested the relevance clauses against machines that have failed the deployment. The portions of the relevance that check for versions of Office (Relevance 5), as well as the versions of EXEs and DLLs (Relevance 6), both report as “True”. In the case of the latter, this can be manually verified as correct.

When we attempted to manually install the update by downloading the patch from Microsoft, the installation failed, stating that the expected version of the software (I’m guessing the Office Compatibility Pack) was not present.

Is this a false positive, or an issue with the fixlet relevance?

(imported comment written by nberger91)

We thought the same at first, check for residual files left from an Office 2003 to 2007 upgrade …

(imported comment written by SystemAdmin)

Can you elaborate?

(imported comment written by nberger91)

We’ve found that MS Office 2003 with the Compatibility Pack installed, upgraded to Office 2007, reports as relevant; however, the patch doesn’t install. Yet if you copy over PPCNV.DLL, PPCNVCOM, and PPCVVPXY.DLL from a patched Office 2007 machine, that makes the fixlet non-relevant.

According to the Msft bulletin, the files expected on a patched Office 2007 install are the correct versions and address the vulnerability.

Hope that helps.

(imported comment written by SystemAdmin)

Thank you. That sounds like what we’re seeing.

Did you happen to use BigFix to resolve this issue?

(imported comment written by nberger91)

Personally, no; however, creating a task in BigFix would be easy.

(imported comment written by rwest23)

Though it would now seem that it has mysteriously disappeared, there used to be a note in the MS09-017 bulletin stating that it was necessary to apply the Office Compatibility Pack update to Office Suites as well in order that those suites be completely remediated. We built our applicability Relevance according to this specification, but upon closer inspection of the .msp file contained within the patch, it applies to the Compatibility Pack exclusively. We will update the Fixlet to these specifications and publish a new version shortly.

Sorry about the false positives, and thanks for your report. If you have any further issues, please let us know.

Randy

(imported comment written by SystemAdmin)

Hi All,

Does anyone know if this has been completed? We are trying to clean up machines missing patches and are still experiencing the problems listed above.

The relevance for fixlet MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1/SP2 (fixlet ID: 901736) still reports as true for some machines, but when we try to install the patch manually, we get:

“There are no products affected by this package installed on this system”

Thanks

(imported comment written by liuhoting91)

Yes, this fixlet was revised and republished… here’s the BES Admin Announcement on Fri Jun 5 16:07:24 PDT 2009:

BigFix has modified content in the Patches for Windows (English) / Enterprise Security site. The Relevance in the following Fixlet message has been updated to apply to a narrower range of endpoints in order to avoid false positives:

ID: 901736 MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1/SP2

Patches for Windows (English) / Enterprise Security published version: 1188

If you’re still having problems with this fixlet, let us know.

(imported comment written by SystemAdmin)

It seems like this issue still persists. As stated in the previous post, the relevance is returning true for the fixlet, but when I run the hotfix itself, I get “There are no products affected by this package installed on this system”.

Thanks

(imported comment written by liuhoting91)

fongrob: I think we’ll need a little bit more information to try to figure this one out…

What products are installed on the affected systems? Was there an Office 2003 -> Office 2007 migration at one point? Are the Office 2007 Compatibility Packs installed, and at what service pack levels?

Actually, it might be a good idea to open a support ticket, because it sounds like we’ll need to dive fairly deep. Regardless, I think you’ll want to have that information handy.