ms12-027

system · April 19, 2012, 7:32pm

(imported topic written by SystemAdmin)

Please review the fixlets released for all MS17-027 vulnerabilities. I am showing discrepancies between TEM and WSUS. I have run the MBSA on the servers with discrepancies and the servers do show vulnerable. So far I have seen problems with KB2598041 and KB2597112.

I believe the product checks for the relevance in these fixlets are incorrect or not complete.

Please place urgency on this issue.

system · April 19, 2012, 10:40pm

(imported comment written by CSL2012)

I too believe the relevance for the MS12-027 fixlets are incorrect. I have servers that have the flagged on Audit Scans that TEM has not detected and research was found that WSUS also indicates that KB2598041 is Applicable.

system · April 20, 2012, 2:00pm

(imported comment written by SystemAdmin)

We are currently looking into this issue. The fix will be available soon.

system · April 20, 2012, 2:15pm

(imported comment written by SystemAdmin)

KB2598041 and KB2597112 both are applicable to a few products. It would be very helpful, if you let us know what applications are installed on your machines.

system · April 20, 2012, 5:21pm

(imported comment written by SystemAdmin)

It appears that a certain version of MS Office 2003 Web Components for Office 2007 is triggering KB2598041. The version is 12.0.6213.1000. According to

http://support.microsoft.com/kb/928116

, this seems to be an Office 2007 product.

Attached are screenshots showing the applicability from MBSA for KB2598041, a screenshot showing add/remove programs, and a screenshot showing the registry values for the Web Components.

For testing purposes I created a copy of fixlet 1202703 and added the following relevance to “Relevance 4”:

(exists key whose (value “DisplayVersion” of it as string as version >= “12.0.6211.1000” as version AND value “DisplayVersion” of it as string as version = “12” as version AND exists value “DisplayName” of it AND (((length of it = 38) AND (it contains “000000FF1CE%7D”) AND ((it = “0000” OR (hexadecimal integer it = 1033)) of last 4 of (first 19 of it)) AND ((it = “001C” OR it = “00A4”) of last 4 of (first 14 of it))) of (name of it))) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry)

This seems to more accurately show what I’m seeing in WSUS. Let me know your thoughts. I haven’t had time to tackle KB2597112 yet.

Again, please place urgency on this. We need updated fixlets for this vulnerability ASAP.

Thanks,

Andrew

system · April 24, 2012, 1:16pm

(imported comment written by SystemAdmin)

It seems there is some information inconsistency between the bulletin page and the Windows update.

KB2598041 can be installed on Office 2003 Web Components while KB2597112 can not.

Also on the bulletin page, those patches are applicable to SQL Server, while in our test environment they can not be installed.

The relevance you tried is a correct relevance to detect Office 2003 Web Components.

I have updated the relevance in the fixlet to cover the applicable Office 2007 products. Site version 1589.

system · April 20, 2012, 5:24pm

(imported comment written by CSL2012)

A couple of the servers I was investigating based off of an Audit finding and a comparison to Windows Update showed that KB2598041 (Microsoft Office 2007 Service Pack 3) was Applicable. The servers was found to have Office 2003 Web Components which initially one would think not Applicable nor Relevant. Research into Microsoft’s KB, MBSA, & WU, we found that the Office 2003 Web Components was a sub-component of the Office 2007 Suite thus we ended with the versioning for Office 2003 Web Components starting with a value of ‘12’. Based on past observation, any Office 2003 from a versioning perspective, would begin with a value of ‘11’ to denote. Example: 11.0.8173.0 (Office 2003 SP3) vs 12.0.6425.1000 (2007 Office SP2).

system · April 24, 2012, 11:12am

(imported comment written by SystemAdmin)

You are right about that. Besides the version, the product code for Office 2003 Web Components also follows Office 2007 format.

system · May 9, 2012, 7:16pm

(imported comment written by SLB)

I am also seeing Office 2007 SP1 system report as relevant for this patch. If you try to install the patch, it fails saying that required product is not installed.

The relevance to check for Office 2007 SP2 reports True when SP1 is installed. It doesn’t report True with no Service Pakc installed

Q: (exists key whose ((it = “12” AND it >= “12.0.6213.1000”) of (value “DisplayVersion” of it as string as version) AND exists value “DisplayName” of it AND (((length of it = 38) AND (it contains “000000FF1CE%7D”) AND ((it = “0000” OR (hexadecimal integer it = 1033)) of last 4 of (first 19 of it)) AND ((it = “00A4” OR it = “0026” OR it = “001C” OR it = “0015” OR it = “0013” OR it = “0030” OR it = “0029” OR it = “0016” OR it = “00BA” OR it = “002F” OR it = “0044” OR it = “00BC” OR it = “00A9” OR it = “00A3” OR it = “00A1” OR it = “001A” OR it = “00E0” OR it = “0033” OR it = “0037” OR it = “0018” OR it = “003B” OR it = “003A” OR it = “0035” OR it = “0031” OR it = “0011” OR it = “0014” OR it = “0019” OR it = “0017” OR it = “00CA” OR it = “0012” OR it = “002E” OR it = “0051” OR it = “0053” OR it = “002B” OR it = “001B”) of last 4 of (first 14 of it))) of (name of it))) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry)

A: True

T: 26.389 ms

I: singular boolean

These are the key names that cause the relevance to come back as True.

Q: names of keys whose ((it = “12” AND it >= “12.0.6213.1000”) of (value “DisplayVersion” of it as string as version) AND exists value “DisplayName” of it AND (((length of it = 38) AND (it contains “000000FF1CE%7D”) AND ((it = “0000” OR (hexadecimal integer it = 1033)) of last 4 of (first 19 of it)) AND ((it = “00A4” OR it = “0026” OR it = “001C” OR it = “0015” OR it = “0013” OR it = “0030” OR it = “0029” OR it = “0016” OR it = “00BA” OR it = “002F” OR it = “0044” OR it = “00BC” OR it = “00A9” OR it = “00A3” OR it = “00A1” OR it = “001A” OR it = “00E0” OR it = “0033” OR it = “0037” OR it = “0018” OR it = “003B” OR it = “003A” OR it = “0035” OR it = “0031” OR it = “0011” OR it = “0014” OR it = “0019” OR it = “0017” OR it = “00CA” OR it = “0012” OR it = “002E” OR it = “0051” OR it = “0053” OR it = “002B” OR it = “001B”) of last 4 of (first 14 of it))) of (name of it))) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry

A: {90120000-0011-0000-0000-0000000FF1CE}

A: {90120000-0015-0409-0000-0000000FF1CE}

A: {90120000-0016-0409-0000-0000000FF1CE}

A: {90120000-0018-0409-0000-0000000FF1CE}

A: {90120000-0019-0409-0000-0000000FF1CE}

A: {90120000-001A-0409-0000-0000000FF1CE}

A: {90120000-001B-0409-0000-0000000FF1CE}

A: {90120000-0044-0409-0000-0000000FF1CE}

T: 24.985 ms

I: plural string

Here is the values of the first key

{90120000-0011-0000-0000-0000000FF1CE}

DisplayName = Microsoft Office Professional Plus 2007

DisplayVersion = 12.0.6215.1000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{90120000-0011-0000-0000-0000000FF1CE}PROPLUS{BEE75E01-DD3F-4D5F-B96C-609E6538D419} shows that the version of Office 2007 is SP1.

DisplayName = 2007 Microsoft Office Suite Service Pack 1 (SP1)

Maybe the relevance needs to check for SP2 or later (ie >= 12.0.6425.1000). Based on http://support.microsoft.com/kb/928116 maybe the info Microsoft provides isn’t 100% accurate.

Regs

Rob

system · May 21, 2012, 8:56am

(imported comment written by SystemAdmin)

The version checking was fixed as well.