MS11-025 - Question about relevance

(imported topic written by Niall.Fraser)

Hi,

I have a question about the relevance of the following fixlet 1102539

MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library could allow Remote Code Execution - Microsoft Visual C++ Redistributable Package SP1 (x64)

Our servers have the non SP1 version of this software - version 10.0.30319 installed and as a result Relevance 5 fails as it checks for a version greater than or equal to 10.0.40219.

However, as the SP1 version is newer than the existing one, should this fixlet not install the new SP1 version? Or is it designed to only apply if SP1 is already installed?

As an experiment I copied the fixlet and changed the >= to <= in Relevance 5 and the resulting fixlet became relevant on 48 servers when the existing fixlet was relevant on none.

Can you advise me whether this fixlet is working as it is supposed to - I also looked at fixlet 1102519 MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution - Microsoft Visual C++ 2010 Redistributable Package Gold (x64) which shows as remediated on the 48 servers and it checks for a version of >= 10.0.30319, so this may be as designed, but we are being advised that if we have version 10.0.30319 on a server, it is vulnerable and we need to install version 10.0.40219.

thanks

Niall

(imported comment written by sylviabeing)

Hi Niall,

Do you have any MBSA scan report for your servers?

The Redistributable package could be installed without existence of Visual C++. However, it should not be pushed to any environment.

It will be better if you can run MBSA on the server which you have concern to see what patches are required.

Thanks,

Regards,

Sylvia

(imported comment written by Niall.Fraser)

Hi Sylvia,

I am unable to run the tool you suggest, however I was advised that the newer version of Visual C++ 2010 was required. My amendment to the relevance only involved changing the “>” sign to “<” so the existence of Visual C++ was checked for, it just allowed for older versions of Visual C++ 2010 (10.0.30319) to be updated with the latest version. The relevance would fail if Visual C++ 2010 was not present in registry.

My question was that the relevance appears to be looking for a version of Visual C++ 2010 (10.10.0.40219) or newer to be installed and if it is then it would update any dlls of a lower version to version 10.0.40219. But if that version has been installed then the Dlls are that level anyway so what is the point of the fixlet. My thought was that if it found an older version of Visual Studio C++ 2010, for example 10.0.30319, then it should update it with the newer version, in which case the relevance is wrong.

However I don’t have a lot of understanding about relevance so I may be wrong, but if so can you explain why the relevance looks for the version of the software that the fixlet installs, to be present.

regards

Niall

(imported comment written by BaiYunfei)

Hi Niall,

Sorry if I am wrong, but I guess you are expecting the Fixlet for MS11-025 to upgrade VC++ 2010 from 10.0.30319 to 10.0.40219, i.e. from Gold to SP1; however, MS11-025 is not designed to do that. MS11-025 upgrades certain files to fix security vulnerability.

If you would like to apply MS11-025 on VC++ 2010 Gold, use Fixlet 1102519; for SP1, use Fixlet 1102539. The relevance of "version >= X" was by design to distinguish between Gold and SP1, and it remains true after applying MS11-025.

In order to upgrade your VC++ 2010 to SP1, you might want to look at this Fixlet:

983509: Microsoft Visual Studio 2010 Service Pack 1 Available (ID: 98350901)

Thanks!
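An added illustration of the branch-selection logic described in the answer above; it is not BigFix Relevance and not code from the thread. Given the VC++ 2010 Redistributable product version, it returns which MS11-025 Fixlet's version check would be satisfied (the Gold and SP1 version numbers and Fixlet IDs are the ones quoted in this thread), and the `flip_comparison` switch reproduces the `>=` to `<=` experiment, showing why it makes the SP1 Fixlet match Gold machines. Versions are compared component by component as integers, the way BigFix's `version` type does, rather than as strings; the `parse_version` helper and the function names are my own, and the non-2010 sample version in the usage is constructed.

```python
from typing import Optional, Tuple

# Version numbers and Fixlet IDs as quoted in the thread.
VC2010_GOLD = "10.0.30319"
VC2010_SP1 = "10.0.40219"
FIXLET_GOLD = 1102519   # MS11-025 for VC++ 2010 Redistributable Gold (x64)
FIXLET_SP1 = 1102539    # MS11-025 for VC++ 2010 Redistributable SP1 (x64)


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so comparison is numeric.

    Lexical comparison would sort "10.0.9" after "10.0.10"; tuples of ints
    compare the way a version is meant to compare.
    """
    return tuple(int(part) for part in text.strip().split("."))


def ms11_025_fixlet(installed: Optional[str], flip_comparison: bool = False) -> Optional[int]:
    """Return the MS11-025 Fixlet ID whose version check a machine with the
    given VC++ 2010 product version satisfies, or None if neither applies.

    installed: product version string, or None when VC++ 2010 is absent.
    flip_comparison: evaluate the SP1 check as "version <= SP1" instead of
    "version >= SP1", i.e. the edited copy of the Fixlet from the thread.
    """
    if installed is None:
        # No VC++ 2010 present: no MS11-025 Fixlet for it is relevant.
        return None
    v = parse_version(installed)
    sp1 = parse_version(VC2010_SP1)
    # The SP1 Fixlet's relevance is "version >= 10.0.40219". Applying
    # MS11-025 replaces files but does not move the product version,
    # so this stays true afterwards, which is by design.
    sp1_relevant = (v <= sp1) if flip_comparison else (v >= sp1)
    if sp1_relevant:
        return FIXLET_SP1
    # The Gold Fixlet's relevance is "version >= 10.0.30319".
    if v >= parse_version(VC2010_GOLD):
        return FIXLET_GOLD
    return None


if __name__ == "__main__":
    # Gold machine: only the Gold Fixlet is relevant.
    print("Gold   ->", ms11_025_fixlet(VC2010_GOLD))
    # SP1 machine: the SP1 Fixlet is relevant.
    print("SP1    ->", ms11_025_fixlet(VC2010_SP1))
    # Flipping ">=" to "<=" makes the SP1 Fixlet claim Gold machines too.
    print("flip   ->", ms11_025_fixlet(VC2010_GOLD, flip_comparison=True))
    # Constructed non-2010 version: neither Fixlet applies.
    print("other  ->", ms11_025_fixlet("9.0.1"))
```

Running the script prints 1102519 for a Gold machine and 1102539 for an SP1 machine, while the flipped check returns 1102539 for the Gold machine as well, which is the 48-server result from the experiment: the edited Fixlet would push SP1 files onto a Gold install instead of leaving those machines to Fixlet 1102519.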

(imported comment written by Niall.Fraser)

Hi,

Thank you for your answer, which explains things perfectly. Our servers had been showing no fixlets for MS11-025 as relevant, as they had already been patched with Fixlet 1102519 and we were on version 10.0.30319, but an audit told us that we should be on version 10.0.40219, which caused me to look into the relevance, and I was not sure why the relevance was set to >=, but now I understand why it is set to this.

I have looked at 983509: Microsoft Visual Studio 2010 Service Pack 1 Available (ID: 98350901) but this is only showing as relevant on 2 servers, and it says that it doesn't actually download anything, it's just for audit purposes.

thanks

Niall

(imported comment written by sylviabeing)

Hi Niall,

The Service Pack 1 of VS 2010 actually requires user interaction. It cannot be installed successfully silently. Therefore IEM only provided audit fixlets.

As for the issue of not relevant on some servers, you may have to provide some data from the not-relevant server and let us have a look.

We will need the registry key exported for native registry:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"

AND

This query:

Q: version of regapp "devenv.exe"

Thanks,

Sylvia

(imported comment written by sylviabeing)

One more thing,

The evaluation result of fixlet ID: 98350901.

Regs,