MS09-017 - Requires manual download? sha1 never matches fixlet

(imported topic written by ktm_200091)

MS09-017 went out fine when it was initially released until it was modified with the stuff below, I have tried for days to download the file and each time I check the sha1 value it comes up with “4ffed0a0c6b2defb256811883abc2d5ded4579eb” due to desktop churn this patch is steadily growing higher and higher on the unpatched list. What is the recommended action??? Make a copy of the fixlet and modify the sha1 value???

MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install)

Patches for Windows (English)

DescriptionImportant Note: Microsoft is apparently experiencing syncing issues with their download server clusters. As a result, several different versions of the binary deployed by this Fixlet message may be downloaded from the supplied URL at any given time. While this is NOT a BigFix problem and must ultimately be resolved by Microsoft, BigFix is offering the following alternative to ensure successful action deployment:

  1. Using a browser, download the binary deployed by this Fixlet message.

  2. Using sha1.exe (see instructions here), verify that the sha1 of the downloaded file is equal to “e9de540892dcb407d5742497bb012dfab11bad56”. If it is not, repeat step 1.

  3. Once you have successfully downloaded and verified the file, rename it to “e9de540892dcb407d5742497bb012dfab11bad56” and place it in the BES Server download cache. For more information about manually caching file downloads on the BES Server, please see BigFix Support Knowledge Base article #390.

(imported comment written by Jim23)

Yes. If there is a different sha1 value you will need to:

  1. Put it in the cache folder as instructed by the Fixlet (be sure to use the actual sha1 of the file if different than stated in the original Fixlet)

  2. Create a custom copy of the Fixlet and edit the sha1 value of the Fixlet.

I suspect there will be an updated Fixlet for this soon that will reflect the new sha1 value.

(imported comment written by Marty23)

Jim;

do you know that they, Bigfix, is working a replacemnet fixlet and if so do you have any idea on a time frame for it?

(imported comment written by Marty23)

ktm_2000

Did you create the custom copy of the fixlet and get it to work? I’m trying but everytime i deploy it, my test systems reports Status fail, but action script execution detail reads that everything completed. I’m assuming that because the success criteria says “This action will be considered successful when the applicability relevance evalutes to false.” that there is a change tht needs to be made in the relevance.

Marty

(imported comment written by ktm_200091)

Marty,

I made a copy and modified the fixlet to below:

// If the line below fails, please use the “Office 2003 Deployment Control – Initial Assignment” Fixlet message in the BES Support site to configure your Office deployment and then redeploy this action

continue if {exists key “HKLM\SOFTWARE\BigFix\EnterpriseClient\Office2003Control” whose ((it = 3 OR it = 2) of value “DeploymentType” of it) of registry}

download http://download.microsoft.com/download/4/E/2/4E21AFC4-32AB-4F9B-B247-9A800483A800/office2003-KB957784-FullFile-ENU-CSA.exe

continue if {(size of it = 3015576 AND sha1 of it = “4ffed0a0c6b2defb256811883abc2d5ded4579eb”) of file “office2003-KB957784-FullFile-ENU-CSA.exe” of folder “__Download”}

waithidden __Download\office2003-KB957784-FullFile-ENU-CSA.exe /q:a /r:n /c:“msiexec /p POWERPNTNMinus1.msp REBOOT=ReallySuppress /qn”

action may require restart “4ffed0a0c6b2defb256811883abc2d5ded4579eb”

I am getting download failed when I try to apply the new copy.

(imported comment written by Marty23)

i was getting the download failled error too, then I did a sha1 -r on the file and saw that the file size was wrong. The orginal fixlet has it listed as 3015576 but the correct file size is 2895240 So i changed the following line to reflect the correct file size and that went away. But I’m still getting a failed status on my test box after everything completes.

continue if {(size of it = 2895240 AND sha1 of it = “4ffed0a0c6b2defb256811883abc2d5ded4579eb”) of file “office2003-KB957784-FullFile-ENU-CSA.exe” of folder “__Download”}

Here is my whole action script:

// If the line below fails, please use the “Office 2003 Deployment Control – Initial Assignment” Fixlet message in the BES Support site to configure your Office deployment and then redeploy this action

continue if {exists key “HKLM\SOFTWARE\BigFix\EnterpriseClient\Office2003Control” whose ((it = 3 OR it = 2) of value “DeploymentType” of it) of registry}

download http://download.microsoft.com/download/4/E/2/4E21AFC4-32AB-4F9B-B247-9A800483A800/office2003-KB957784-FullFile-ENU-CSA.exe

continue if {(size of it = 2895240 AND sha1 of it = “4ffed0a0c6b2defb256811883abc2d5ded4579eb”) of file “office2003-KB957784-FullFile-ENU-CSA.exe” of folder “__Download”}

waithidden __Download\office2003-KB957784-FullFile-ENU-CSA.exe /q:a /r:n /c:“msiexec /p POWERPNTNMinus1.msp REBOOT=ReallySuppress /qn”

action may require restart “4ffed0a0c6b2defb256811883abc2d5ded4579eb”

(imported comment written by ktm_200091)

Marty,

I found the file size difference as well and am getting the same exact results as you, I’m wondering if the open Quote is in the wrong spot as

waithidden __Download\office2003-KB957784-FullFile-ENU-CSA.exe /q:a /r:n /c:“msiexec /p POWERPNTNMinus1.msp REBOOT=ReallySuppress /qn”

Should be:

waithidden __Download\office2003-KB957784-FullFile-ENU-CSA.exe /q:a /r:n “/c:msiexec /p POWERPNTNMinus1.msp REBOOT=ReallySuppress /qn”

If all else fails you could just extract the .msp file using winzip and make a task with just the end of the statement

“/c:msiexec /p POWERPNTNMinus1.msp REBOOT=ReallySuppress /qn”

(imported comment written by ktm_200091)

nix that idea…

(imported comment written by Marty23)

I still think it has something to do with the Relevance peice of the filxet, but im working remotely today and don’t have full access to my test box to do any debugging

(imported comment written by ktm_200091)

I fired up a vm session and applied the patch manually and the VM session does not report relevant, but if you extract the .exe file with winzip you get POWERPNT.msp not POWERPNTNMinus1.msp

(imported comment written by Marty23)

Thanks for the info, I never throught to look at the files extracted from the EXE. I made the change to the file name in the action script and reaplied it to my test machine and it reports back fixed now!

Now the question is do we deployee it or wait for Bixfix to fix the fixlet?

(imported comment written by ktm_200091)

here’s a winner…

// If the line below fails, please use the “Office 2003 Deployment Control – Initial Assignment” Fixlet message in the BES Support site to configure your Office deployment and then redeploy this action

continue if {exists key “HKLM\SOFTWARE\BigFix\EnterpriseClient\Office2003Control” whose ((it = 3 OR it = 2) of value “DeploymentType” of it) of registry}

download http://download.microsoft.com/download/4/E/2/4E21AFC4-32AB-4F9B-B247-9A800483A800/office2003-KB957784-FullFile-ENU-CSA.exe

continue if {(size of it = 2895240 AND sha1 of it = “4ffed0a0c6b2defb256811883abc2d5ded4579eb”) of file “office2003-KB957784-FullFile-ENU-CSA.exe” of folder “__Download”}

waithidden __Download\office2003-KB957784-FullFile-ENU-CSA.exe /q:a /r:n /c:“msiexec /p POWERPNT.msp REBOOT=ReallySuppress /qn”

action may require restart “4ffed0a0c6b2defb256811883abc2d5ded4579eb”

Too bad my company pays quite a bit of $$$ to Big Fix and then I have to waste hours to troubleshoot the service provided

(imported comment written by Marty23)

Thanks!! that basically what I came up with to. I here you on the $$$, we are in the same boat as you. Iw as also working with support on this issue and I’m not that happy about the response I got from them!