MS09-017 False Positives

(imported topic written by SystemAdmin)

It appears that we are getting a lot of false positives from MS09-017. The number has continuously grown larger over the last weeks from <400 to now over 1000. I saw there were some other posts about false positives, and I was wondering if anything has been done about this issue?

Thanks,

Scott

(imported comment written by liuhoting91)

We just published a change to

901711 MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install)

but that wasn’t a detection issue. That was responding to what seemed like an unpublished Microsoft binary change on the bulletin.

Are you having trouble across all the different MS09-017 fixlets, or is there one MS09-017 fixlet in particular that seems to be off?

(imported comment written by SystemAdmin)

It is just one MS09-017 fixlet:

MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install) 1,050 / 21,863

Thanks,

Scott

(imported comment written by liuhoting91)

Can you tell us more about those 1,050 machines?

The relevance is based off of the GUIDs here:

http://support.microsoft.com/kb/832672

and those only check for various SKUs of Office 2003 and PowerPoint 2003. What kind of software is installed on these machines? What versions of Office are there? What Windows OSes are those machines running? Things like that.

If you run the following queries, what do you get back?

Q: version of regapp "powerpnt.exe"

Q: version of file "pp7x32.dll" of folder (pathname of parent folder of regapp "powerpnt.exe" & "\XLATORS")

(imported comment written by SystemAdmin)

Ok here is the information you have requested:

Q: version of regapp "powerpnt.exe"

A: 11.0.8169.0

Q: version of file "pp7x32.dll" of folder (pathname of parent folder of regapp "powerpnt.exe" & "\XLATORS")

A: 11.0.8161.0

OS WinXP 5.1.2600

OS Plus Service Pack - No WMI - Microsoft Windows XP - Service Pack 2

Microsoft Office Configuration Information Microsoft Office Professional Edition 2003, {90110409-6000-11D3-8CFE-0150048383C9}, PRO11.MSI, “C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9”, 1033

Microsoft Office Deployment Control Network Installation - Office2003

Full Name of Installed Microsoft Office Suite(s) Microsoft Office Professional Edition 2003 (English (United States))

Microsoft Office Installed Components and Service Pack Versions EXCEL.EXE (Office 2003 | Service Pack 3)

INFOPATH.EXE (Office 2003 | Service Pack 3)

MSACCESS.EXE (Office 2003 | Service Pack 3)

MSPUB.EXE (Office 2003 | Service Pack 3)

OUTLOOK.EXE (Office 2003 | Service Pack 3)

POWERPNT.EXE (Office 2003 | Service Pack 3)

WINWORD.EXE (Office 2003 | Service Pack 3)

Microsoft Office Suite Installation Date(s) 11/11/2009

Office Communicator version 2.0.6362.97

Visio Viewer Version Microsoft Office Visio Viewer 2003 (English) | 11.0.3709.5614

Windows Installer Version 3.1.4000.1823

(imported comment written by liuhoting91)

I think, based off of the information you’re giving me, that the system is vulnerable to that particular vulnerability. The version of PowerPoint is at base SP3 level, and pp7x32.dll isn’t at an up-to-date version.

Are you just finding that the fixlet is showing up as relevant after you apply the patch? Is applying the patch manually giving you a problem (expected version of the application not found on the system?)

(I think if we can’t solve this problem in one more exchange or so you might want to open a trouble ticket for this)

(imported comment written by SystemAdmin)

Hi BigFix team,

I am also experiencing the same issue but with MS Office Viewers. As a part of my troubleshooting I tried a manual installation on the client PC and am getting an error “expected version of the application not found on the system”.