MS13-091 (1309107) false positive?

(imported topic written by SLB)

Hi,

We are starting to get reports of machines reporting MS13-091 for Office 2010 (proofing tools KB2760781), fixlet ID 1309107, as missing, where in fact attempts to install the patch result in the message “There are no products affected by this package installed on the system.” Office 2010 SP1 or SP2 is installed. Is anyone else seeing this?

Fixlet relevance evaluates as true (complete statements too big to post in this thread)

Q: ((exists key whose of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products" of native registry

A: True

Q: number of files of folder ("103" & "3") of (folder (value "ProgramFilesDir" of key "HKLM\Software\Microsoft\Windows\CurrentVersion" of registry as string & "\Microsoft Office\Office14\PROOF")) = 1

A: True

The files mentioned in the Microsoft KB http://support.microsoft.com/kb/2760781 do not exist on the system. Attached are the results of an MBSA scan output to XML from an affected system.

Regs

Rob

(imported comment written by sylviabeing)

Hi Rob,

Sorry for the late reply.

We are actually reviewing some fixlets in MS13-091, including fixlet 1309107.

There seems to be an inconsistency between MBSA and the patch behavior itself. We have observed a similar issue in our test environment. It turned out that our environment is missing the Office 2010 language pack service pack. This affects fixlet 1309109 as well.

We have also released content for Office 2010 language pack service pack 1 (KB2460043). Please try to apply the Office 2010 language pack with at least service pack 1. After that, the MS13-091 patch should be able to install.

Meanwhile, we are reviewing and updating our fixlet to reflect this “prerequisite” to exclude environments without Office 2010 language pack SP1. The change will make the fixlet align with patch behavior instead of the MBSA report.

Do let me know if the temp workaround works for you.

Regards,

Sylvia

(imported comment written by SLB)

Hi Sylvia,

Thanks for the update. I can appreciate the problem as MS detection logic still seems to be a black art :) We also noted that machines reporting relevant for 1309105 (file format converters) suffered the same as 1309107 in that the patch EXE reports that no qualifying products were detected. For both the fixlets a workaround has been to extract the patch MSPs from the EXE and install from the MSP, which bypasses the WUA pre-requisite checks the EXE performs. E.g. for 1309107 we use the following action, as these 3 languages are part of our base Office 2010 installation and so cause the machine to have the registry keys the fixlet relevance is checking for. We don’t install additional language packs.

prefetch proofloc2010-kb2760781-fullfile-x86-glb.exe sha1:57a59262989fa7698f9b54aaf419f70b2f0c4cd5 size:66951392 http://download.microsoft.com/download/B/D/8/BD8C8637-1E07-4519-B501-FAAF28CFD7A3/proofloc2010-kb2760781-fullfile-x86-glb.exe sha256:26c8844de3a617d243110ddd0edc340ee4c0312863886e254a96c28ba95db5d8

waithidden __Download\proofloc2010-kb2760781-fullfile-x86-glb.exe /extract:C:\TEMP\Patches\KB2760781 /quiet

waithidden msiexec /update C:\TEMP\Patches\KB2760781\proof-en-us.msp /norestart /quiet

waithidden msiexec /update C:\TEMP\Patches\KB2760781\proof-es-es.msp /norestart /quiet

waithidden msiexec /update C:\TEMP\Patches\KB2760781\proof-fr-fr.msp /norestart /quiet

action may require restart "57a59262989fa7698f9b54aaf419f70b2f0c4cd5"

We did the same for a custom copy of 1309105.

I had a look at the fixlet 246004303 and none of the endpoints reporting as relevant for 1309105 or 1309107 report as relevant for fixlet 246004303, but thanks for the suggestion.

Regs

Rob

(imported comment written by sylviabeing)

Hi Rob,

Regarding fixlets in MS13-091, there is quite a complexity here.

According to the analysis of the patch itself, the patch is applicable to Office 2010 SP1 and SP2 (though no vulnerability in SP2).

By studying the patch behavior, we found that the patch can only be installed when the relevant language pack reaches the target service pack level, e.g. in this case it has to be at least SP1.

Looking into the customer environment, we have encountered another issue: a non-English language pack was installed on an English OS. This is against our content structure because our content targets patches at an OS in the same language. That’s why fixlets for KB2460043 are not relevant for your system.

Your custom copy of 1309105 / 1309107 is working but we cannot guarantee that the vulnerability is patched completely since the patch is not applied in the expected way.

To fully patch the vulnerability, I would like to suggest that you make a custom copy for KB2460043 by removing the site relevance and apply the relevant language pack service pack 1.

Regards,

Sylvia

(imported comment written by ItsAvi)

Hi, I’m having some issues with this KB as well,

I have a failure in the baseline and it’s the only thing failing. I observed the following:

  • the baseline holds Office service pack 2, which was relevant as well and installed and shown as complete

  • I read in Microsoft article here:
    http://technet.microsoft.com/en-us/security/bulletin/ms13-091
    that the patch does not apply to office service pack 2

  • the log file shows ms13-091 as relevant and then not relevant (without even running)

  • fixlet debugger shows as true

  • the patch log (msft one, opatchinstall.log) doesn’t show as if anything was installed

  • trying just the single .msp manually (with msiexec logging) as suggested gives these errors in log file

expected 14.0.6029.1000, found product version 14.0.4763.1000
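
A read-only inventory check for the mismatch in that log line, added here as an example (it is not from any poster or from the fixlet content): it walks the same `Installer\UserData\S-1-5-18\Products` key the fixlet relevance inspects and flags Office 2010 products whose registered version is below the 14.0.6029.1000 the .msp expected. Selecting products by a DisplayName containing "Office" is an assumption about how the proofing and language components are named.

```powershell
# Added example: which Office 2010 MSI products are below the version the
# KB2760781 .msp expected, and which patches each product already carries.
$root     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$expected = [version]'14.0.6029.1000'   # "expected" value from the msiexec log line

$report = foreach ($product in Get-ChildItem -Path $root -ErrorAction Stop) {
    # InstallProperties holds DisplayName / DisplayVersion for the product
    $props = Get-ItemProperty -Path "$($product.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.DisplayVersion) { continue }

    $version = $null
    if (-not [version]::TryParse($props.DisplayVersion, [ref]$version)) { continue }

    # Office 2010 is major version 14; the name filter is an assumption that
    # drops unrelated 14.x products (for example some runtime redistributables).
    if ($version.Major -ne 14 -or $props.DisplayName -notmatch 'Office') { continue }

    # Patches registered against this product by Windows Installer
    $patchNames = @()
    $patchKey   = "$($product.PSPath)\Patches"
    if (Test-Path -Path $patchKey) {
        $patchNames = Get-ChildItem -Path $patchKey |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DisplayName } |
            Where-Object { $_ }
    }

    [pscustomobject]@{
        Product       = $props.DisplayName
        Version       = $version
        BelowExpected = $version -lt $expected
        HasKB2760781  = [bool]($patchNames -match 'KB2760781')
        Patches       = $patchNames -join '; '
    }
}

# Products below the expected version are listed first
$report | Sort-Object BelowExpected -Descending | Format-Table -AutoSize -Wrap
```

Run before and after an install attempt: a proofing or language component that stays `BelowExpected` with `HasKB2760781` false was not updated, whatever the action status reports.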

(imported comment written by sylviabeing)

Hi,

According to the Microsoft Bulletin page, although updates are available for Microsoft Office 2010 Service Pack 2, the software is not affected by the vulnerabilities described in this bulletin. Our content follows the patch’s applicability.

  • the log file shows ms13-091 as relevant and then not relevant (without even running)

Not sure how the log file is structured. It will be helpful if you can provide some log.

  • fixlet debugger shows as true

Our fixlet follows the patch’s applicability.

  • the patch log (msft one, opatchinstall.log) doesn’t show as if anything was installed

It might be because the Action failed.

  • trying just the single .msp manually (with msiexec logging) as suggested gives these errors in log file

The .msp file targets a particular language. You may want to try to install the Office language pack service pack by removing the site relevance.

Regards,

Sylvia

(imported comment written by ItsAvi)

Hi Sylvia,

I have the proofing pack installed for a couple of languages. Apparently it’s just a Microsoft problem; I’m ignoring this fixlet / KB since I’m patching to Office service pack 2.

I understand the limit you have with how msft describes applicability in their KB.

(imported comment written by sylviabeing)

Hi,

I really appreciate your understanding!

Cheers!

Sylvia