MS12-039 - Fixlet 1203903

system · August 29, 2012, 5:35pm

More an FYI, I have noticed that the Microsoft Lync 2010 Group Chat client will trigger fixlet 1203903 as relevant even though MS12-039 is not for the group chat client. Group chat has an uninstall name of “Microsoft Lync 2010 Group Chat” and has files that match those in the relevance for 1203903 but the patch does not apply to the Group Chat client.

http://www.microsoft.com/en-us/download/details.aspx?id=2651 for the Group Chat client

http://www.microsoft.com/en-us/download/details.aspx?id=11804 for the Hotfix for Group Chat.

Some data that may help.

Q: names of keys whose ((it contains “microsoft lync 2010” AND NOT (it contains “attendee” OR it contains “attendant”)) of (value “DisplayName” of it as string as lowercase)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry as string

A: {6810E961-2D6F-4C55-B0DF-15A543932492}

Q: value “DisplayName” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6810E961-2D6F-4C55-B0DF-15A543932492}” of registry as string

A: Microsoft Lync 2010 Group Chat

Q: ((exists file “Appshapi.dll” whose ((version of it < ")) of it) OR (exists file “FILE_CURes.dll” whose ((version of it < “4.0.7577.4098”)) of it) OR (exists file “FILE_ucaddin.dll” whose ((version of it < “4.0.7577.4087”)) of it) OR (exists file “File_npMeetingJoinPluginOC.dll” whose ((version of it < “4.0.7577.4098”)) of it) OR (exists file “appshcom.dll” whose ((version of it < “4.0.7577.253”)) of it) OR (exists file “appshvw.dll” whose ((version of it < “4.0.7577.253”)) of it) OR (exists file “ocpptview.dll” whose ((version of it < “4.0.7577.4097”)) of it) OR (exists file “ogl.dll” whose ((version of it < “4.0.7577.4098”)) of it) OR (exists file “saext.dll” whose ((version of it < “4.0.7577.253”)) of it) OR (exists file “xceedzip.dll” whose ((version of it < “6.5.10316.0”)) of it)) of (folder (value “InstallLocation” of key whose ((it contains “microsoft lync 2010” AND NOT (it contains “attendee” OR it contains “attendant”)) of (value “DisplayName” of it as string as lowercase)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry as string))

A: True

Q: (pathname of it, version of it) of files (“Appshapi.dll”;“FILE_CURes.dll”;“FILE_ucaddin.dll”;“File_npMeetingJoinPluginOC.dll”;“appshcom.dll”;“appshvw.dll”;“ocpptview.dll”;“ogl.dll”;“saext.dll”;“xceedzip.dll”) of (folder (value “InstallLocation” of key whose ((it contains “microsoft lync 2010” AND NOT (it contains “attendee” OR it contains “attendant”)) of (value “DisplayName” of it as string as lowercase)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry as string))

A: C:\Program Files (x86)\Microsoft Lync Server 2010\Group Chat Client\Appshapi.dll, 4.0.7577.0

A: C:\Program Files (x86)\Microsoft Lync Server 2010\Group Chat Client\appshcom.dll, 4.0.7577.0

A: C:\Program Files (x86)\Microsoft Lync Server 2010\Group Chat Client\appshvw.dll, 4.0.7577.0

Regs

Rob

system · August 30, 2012, 11:42am

(imported comment written by TerryWeiChao)

Hey Rob,

A new relevance was created for fixlet 1203903:

((exists keys ((if (exists key “24DE958ACC2A59F40B48D238385B667A” of it) then (names of values of key “24DE958ACC2A59F40B48D238385B667A” of it) else (“NOT EXISTS UPGRADE CODE”)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes” of native registry) whose ((exists key whose (name of it as string equals “InstallProperties” AND value “DisplayVersion” of it as string as version >= “4.0.7577.0” AND value “DisplayVersion” of it as string as version < ") of it) AND (not exists key whose (name of it as string equals “8D02D65F9344E6042B09548C77B7BFB6”) of key “Patches” of it)) of it)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products” of native registry

Please create a custom copy and replace the existing one with the new relevance. Let me know whether or not this is work for you.

Thanks!

-Terry

system · August 30, 2012, 1:39pm

(imported comment written by SLB)

Hey Terry,

I ran the new relevance in the fixlet debugger on a machine with Group Chat where the MS12-039 fixlet is evaluating as True. It evaluates to False.

Q: ((exists keys ((if (exists key “24DE958ACC2A59F40B48D238385B667A” of it) then (names of values of key “24DE958ACC2A59F40B48D238385B667A” of it) else (“NOT EXISTS UPGRADE CODE”)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes” of native registry) whose ((exists key whose (name of it as string equals “InstallProperties” AND value “DisplayVersion” of it as string as version >= “4.0.7577.0” AND value “DisplayVersion” of it as string as version < ") of key “Patches” of it)) of it)) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products” of native registry

A: False

Regs

Rob

system · August 30, 2012, 1:57pm

(imported comment written by TerryWeiChao)

Hey Rob,

Thanks for your feedback! The change has been made into production site. Attach below information just for your reference:

Content in the Patches for Windows (English) has been modified:

Modified Fixlet Message:

MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution - Lync 2010 (ID: 1203903)

Reason for Update:

Fixlet Messages 1203903 was updated because of false positive.

Published site version:

Patches for Windows (English), version 1651

Thanks!

-T