MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure - InfoPath 2007 SP2 ID 1104901
The fixlet installs but returns ‘Failed’. Checking the conditions in the relevance, it appears Relevance 5 requires an edit to remove ‘native’:
not exists value “DisplayName” whose (it = “Security Update for Microsoft Office InfoPath 2007 (KB2510061)”) of keys of key “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry
Upon successful installation on (Win7 x64) the key gets written to -
A fix for this particular content item should have gone out just now, at version 1497 of bes security. If you regather, do you still experience this problem?
This is the first time I’ve heard reports about those particular MS11-049 fixlets. If they’re consistently failing on the systems, it sounds like we’ll need to do some investigation to make sure we get to the root of the problem. I think an in-depth investigation would be better handled by going through the usual support channels. nberger, kenz, would you guys mind opening up a ticket with the IBM support team?
MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure - SQL Server Management Studio Express (SSMSE) 2005 (Q2546869)
The server says the patch is relevant, so I run the fixlet and then it seems to run fine and then it comes up failed. I look at the log and have the following entry:
Not Relevant - MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure - SQL Server Management Studio Express (SSMSE) 2005
I check Windows Update and this does not report the patch is needed.
MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure - InfoPath 2010 (KB2510065).
The installation reports as failed and of course still shows relevant. I manually installed on one of the clients. It reported that it is already installed.
Relevance 5 (not exists value “DisplayName” whose (it = “Security Update for Microsoft InfoPath 2010 (KB2510065)”) of keys of key “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of x32 registry) is still evaluating true.
If I search the registry for KB2510065 it shows in multiple places such as HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache and HKEY_CURRENT_USER\Software\Classes\Local Settings\Microsoft\Windows\Shell\MuiCache .
It does not show in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall.
We are aware of the problem. We think the problem is that other patches install the fix for this particular patch as well. We haven’t been able to confirm that that was the case, but a few of our tests seem to point to it being a possible issue.
For those who have installed it but it fails, do you have the following software installed: Visual Studio, SQL Server?
We think we managed to narrow down the possible problems with this patch. We are currently testing our latest revision, but because there are so many factors that can affect the applicability of this patch, if anyone wants to help test our revised version, that would be great. It is attached to this post.
nberger
Can you add a ‘False’ statement until resolved, please?
While I understand your frustration, unfortunately, I do not have the power to change the relevance of this patch to be false until a proper solution is found. The reason is that just because you and a few others are seeing a false positive, it doesn’t mean everyone is seeing a false positive; it is possible that there are others who still haven’t applied this patch and need it. We rarely will “disable” a Fixlet until a proper solution is found. This decision is usually only made by the PMs when there are A LOT of issues being reported to support. Hopefully, this newly revised version will fix everyone’s issue.
What OS do you have? What architecture (x86 or x64)?
For InfoPath 2010, is it the 32-bit or 64-bit version? Is it the standalone version or is it bundled with Office 2010?
Do you know if the machine has Visual Studio Tool for Application (VSTA) installed?
Do you have Visual Studio installed? If so, which version of Visual Studio?
Do you have SQL Server installed? If so, which version of SQL Server?
Did the system install any other MS11-049 update?
Are you sure you tried applying the revised version (the file attached in the previous post) rather than the original version currently available in Patches for Windows site? It might sound like a stupid question, but you’ll be surprised at how many people still don’t know how to import Fixlets or they used the one available in the site.
Remember, the more information you can provide us, the easier it is for us to narrow down the issue. The problem with this patch is that as long as you have InfoPath 2010 installed, Microsoft will offer it whether or not you need it; you only actually need this patch if VSTA is installed. Additionally, a different MS11-049 patch installs the same fileset as this InfoPath patch, so that is giving us detection issues. So the more information you can give us, the easier it is for us to try to find the proper solution.
1) For InfoPath 2010, is it the 32-bit or 64-bit version? Is it the standalone version or is it bundled with Office 2010? x64, bundled in Office 2010 Professional Plus.
Do you know if the machine has Visual Studio Tool for Application (VSTA) installed? It’s not listed as a separate app in Add/Remove Programs but I believe it’s included inside Office; also, all machines have VSTO 3.0.
Do you have Visual Studio installed? If so, which version of Visual Studio? VS 2010 Ultimate & VB6 installed, but this issue affects all workstations.
Do you have SQL Server installed? If so, which version of SQL Server? SQL 2008 R2 Studio installed, but this issue affects all workstations.
Additionally, amongst potential other conditions, we’ve noted this Fixlet becomes relevant on Office 2010 once you have SP1 installed.
HOWEVER
when you try and install it manually it returns ‘already installed on system’
version of regapp “infopath.exe” on non-SP1 = “14.0.4763.1000”
version of regapp “infopath.exe” on SP1 = “14.0.6009.1000”
Does Relevance 4 (on 32- and 64-bit fixlet) need changing to detect specific file versions?
exists key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\InfoPath” of x64 registry and exists regapp “infopath.exe” and version of regapp “infopath.exe” = “14” as version
Thanks for answering my questions. It was quite informative. You could be correct about InfoPath 2010 SP0 vs SP1 issue. We’ll investigate it further and we should be able to come up with an update to the Fixlets in a bit. I’ll respond back later with an updated version and hopefully it will solve our problems.
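
The Relevance 5 clauses quoted in this thread look for a DisplayName under the Uninstall key in one particular registry view (native vs. x32). The PowerShell below is an added example, not part of the original thread or of the Fixlet content: it reports which view, if any, holds an exactly matching entry. The function name Find-UninstallDisplayName is hypothetical, and PowerShell 3.0 or later is assumed (OpenBaseKey needs .NET 4).

```powershell
# Added example (not from the thread). Find-UninstallDisplayName is a hypothetical helper.
# Assumes PowerShell 3.0+ so that RegistryKey.OpenBaseKey and [pscustomobject] are available.
function Find-UninstallDisplayName {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName
    )
    $subPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

    # On a 64-bit OS the 64-bit view is the native one and the 32-bit view is
    # the Wow6432Node redirect. On a 32-bit OS only one view exists.
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views = @([Microsoft.Win32.RegistryView]::Registry64) + $views
    }

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $uninstall = $base.OpenSubKey($subPath)
            if ($null -eq $uninstall) { continue }
            foreach ($name in $uninstall.GetSubKeyNames()) {
                $key = $uninstall.OpenSubKey($name)
                if ($null -eq $key) { continue }
                $value = $key.GetValue('DisplayName')
                # -ceq: exact, case-sensitive comparison of the whole string
                if ($value -ceq $DisplayName) {
                    [pscustomobject]@{ View = $view; SubKey = $name; DisplayName = $value }
                }
                $key.Close()
            }
            $uninstall.Close()
        }
        finally {
            $base.Close()
        }
    }
}

# Display names as quoted in the relevance clauses above.
$names = 'Security Update for Microsoft Office InfoPath 2007 (KB2510061)',
         'Security Update for Microsoft InfoPath 2010 (KB2510065)'
foreach ($n in $names) {
    $hits = @(Find-UninstallDisplayName -DisplayName $n)
    if ($hits.Count -eq 0) { "No Uninstall entry in any view: $n" }
    else { $hits | Format-Table -AutoSize }
}
```

An entry that appears only under Registry32 on an x64 machine is invisible to a clause that reads the native view, and an update that writes no Uninstall entry at all leaves a "not exists value DisplayName" clause true in either view.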