MS11-025 problems

(imported topic written by Niall.Fraser)

Hi, we have had a problem getting MS11-025 to install on some of our servers (win2000, win2003, win2008, win2008r2), using TEM. I currently have 123 instances showing MS11-025 as relevant (a variety of fixlets depending on the OS), but all of these servers have been through several patching cycles where MS11-025 was in the baseline. The same fixlets have installed on other servers though as I have 231 instances of MS11-025 fixlets showing as remediated. We had similar problems with the tool we used before TEM, and also trying to install the MS11-025 patch manually. I was wondering if anyone else had experienced problems with this patch in TEM and if so how they got around the problem. I know it was rereleased and we have been using the rereleased fixlets.

I did a search on this forum but didn’t see any other mention of this problem.

thanks

Niall

(imported comment written by TerryWeiChao)

Hey Niall,

Can you highlight the fixlet IDs in this bulletin? We may want to have a review regarding the fixlets.

Thanks!

(imported comment written by Niall.Fraser)

Hi Terry

the fixlet that is not installing is 1102529 MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution - Microsoft Visual C++ 2008 SP1 Redistributable Package (v2, re-released 6-14-2011)

I have 42 servers that list it as missing even though these have been patched several times before. If I look at the action history I can see that this fixlet is listed as not relevant in the baseline, which is presumably why it does not get installed, yet if I look at the computer and the relevant fixlets, it is listed as being relevant and is also listed as being relevant in the baseline component applicability section.

regards

Niall

(imported comment written by Xie_Ran91)

Can you please check when you created the baseline? Since there is an updated version of this fixlet (the re-released version), if the fixlet was included in the baseline before the update, the baseline will not pick up the update, because when you created the baseline it actually made a copy of the fixlet at that time.

(imported comment written by Niall.Fraser)

Hi,

I made the baseline in June this year (2012) so the updated fixlet was released at the time I created the baseline.

regards

Niall

(imported comment written by Xie_Ran91)

Let me summarize my understanding first as I’m a bit confused, correct me if I’m wrong:

  • There are 123 + 231 endpoints in total that are relevant to the 1102529 MS11-025 fixlet. They were all included in the baseline.
  • 231 of them were patched correctly and “Not relevant” now, and 123 of them are not patched.
  • Out of the 123, you have 42 servers which show “Not Relevant” in the baseline but “Relevant” in the fixlet.

If this is correct, I suggest you copy the relevances of the fixlet and get a problematic machine, evaluate the relevances there and check if all the clauses give you “True”.

(imported comment written by shawnmc)

I too am seeing this problem and I think I see an issue with the fixlet. On Relevance 4 I see the following:

exists key whose (value "DisplayName" of it as string starts with "Microsoft Visual C++ 2008 Redistributable - x86" AND value "DisplayVersion" of it as string as version >= "9.0.30729") of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x32 registry

When looking at the Add/Remove which ties into the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, my install has the following:

Display Name: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Display version: 9.0.30729.4148

So it looks like it would fail and thus not be applicable. It looks like the fixlet needs to be updated to account for this discrepancy. I made a rudimentary adjustment, but don't know if this is the completely correct logic:

exists key whose ((value "DisplayName" of it as string starts with "Microsoft Visual C++ 2008 Redistributable - x86" AND value "DisplayVersion" of it as string as version >= "9.0.30729") OR (value "DisplayName" of it as string starts with "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148" AND value "DisplayVersion" of it as string as version >= "9.0.30729.4148")) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x32 registry
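
For checking the clauses on a problematic machine, as suggested earlier in the thread, the following lists the values that the Relevance 4 clause quoted above reads from the 32-bit Uninstall key. This is an added example, not part of the original thread or of the fixlet; it assumes PowerShell 2.0 or later on the endpoint, and it uses .NET string and version comparison as an approximation of relevance "starts with" and "as version", so the client's own evaluation of the clause remains authoritative.

```powershell
# Added example: show the Uninstall entries inspected by relevance clause 4.
# The prefix and minimum version are copied from the clause quoted in the thread.
$prefix  = 'Microsoft Visual C++ 2008 Redistributable - x86'
$minimum = [version]'9.0.30729'

# "x32 registry" is the 32-bit view. On 64-bit Windows that is Wow6432Node;
# on 32-bit Windows Wow6432Node does not exist and the plain hive is used.
$root = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
if (-not (Test-Path $root)) {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
}

Get-ChildItem $root | ForEach-Object {
    $p    = Get-ItemProperty -Path $_.PSPath
    $name = [string]$p.DisplayName

    # Only report Visual C++ 2008 redistributable entries of any flavour,
    # so near-miss names are visible next to exact prefix matches.
    if ($name -like 'Microsoft Visual C++ 2008*') {
        $nameMatches = $name.StartsWith($prefix, [StringComparison]::Ordinal)

        # DisplayVersion may be missing or not a dotted version string.
        $parsed = $null
        try { $parsed = [version]([string]$p.DisplayVersion) } catch { }
        $versionOk = ($parsed -ne $null) -and ($parsed -ge $minimum)

        New-Object PSObject -Property @{
            Key            = $_.PSChildName
            DisplayName    = $name
            DisplayVersion = [string]$p.DisplayVersion
            NameMatches    = $nameMatches
            VersionAtLeast = $versionOk
            ClauseApprox   = ($nameMatches -and $versionOk)
        }
    }
} | Select-Object Key, DisplayName, DisplayVersion, NameMatches,
                  VersionAtLeast, ClauseApprox |
    Format-List
```

Comparing this output between a server where the fixlet shows as remediated and one where it stays relevant shows which of the two conditions in the clause differs between them.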