I had multiple failures on this patch. The report on the console server shows the patch as “failed”. The logs on the server show the below. Why doesn’t the console report the patch as “not relevant” instead of “failed” if the server reports it as not relevant?
At 20:38:59 -0500 - mailboxsite (http://bifix_Server:52311/cgi-bin/bfgather.exe/mailboxsite6248688)
Not Relevant - MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution - .NET Framework 4 - Windows XP SP2 / 2003 SP2 / Vista SP2 / 2008 SP2 / 7 SP1 / 2008 R2 SP1 (x64) (KB2835393) (fixlet:2188)
To confuse the issue further, I used Windows update on the server to see what it would find as relevant. It is referencing the same KB article, but it is listed as a security update and is not “critical” but “important”. Which one is correct?
What happens when you run that patch manually? I think the reason you’re seeing failures on that patch is that you applied the action but it didn’t make the relevance for that particular fixlet go from true to false on those machines. Something is preventing that patch from being installed properly.
If Bigfix and Windows update are both reporting that the patch is needed on the system, but you’re not able to apply the patch manually or through Bigfix, that’s usually a sign that something is weird with the detection on the Microsoft patch itself.
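An added example, not code from this thread or from BigFix: a small Python parser for client-log entries shaped like the excerpt in the first post. It records each fixlet's Relevant / Not Relevant evaluations in order and flags a console action status that contradicts the client's last evaluation. The sample log, the server name and the mapping in EXPECTED_CLIENT_STATE (taken from the explanation above that a failure means relevance never went from true to false) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of BigFix client log lines, shaped like the excerpt in the
# thread above; the server name, times and the second fixlet are made up.
SAMPLE_LOG = """\
At 20:30:01 -0500 - mailboxsite (http://bigfix-server.example:52311/cgi-bin/bfgather.exe/mailboxsite0000000)
   Relevant - MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution - .NET Framework 4 (x64) (KB2835393) (fixlet:2188)
At 20:38:59 -0500 - mailboxsite (http://bigfix-server.example:52311/cgi-bin/bfgather.exe/mailboxsite0000000)
   Not Relevant - MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution - .NET Framework 4 (x64) (KB2835393) (fixlet:2188)
At 20:39:10 -0500 - mailboxsite (http://bigfix-server.example:52311/cgi-bin/bfgather.exe/mailboxsite0000000)
   Relevant - Example fixlet (constructed) (KB0000000) (fixlet:9001)
"""

TIME_RE = re.compile(r"^At (\d{2}:\d{2}:\d{2} [+-]\d{4}) - ")
EVAL_RE = re.compile(r"^\s+(Not Relevant|Relevant) - (.*) \(fixlet:(\d+)\)\s*$")

def parse_relevance_history(log_text):
    """Map fixlet id -> [(timestamp, state, fixlet name), ...] in log order."""
    history = defaultdict(list)
    current_time = None
    for line in log_text.splitlines():
        m = TIME_RE.match(line)
        if m:  # the "At ..." header carries the time for the lines that follow
            current_time = m.group(1)
            continue
        m = EVAL_RE.match(line)
        if m and current_time:
            state, name, fixlet_id = m.groups()
            history[fixlet_id].append((current_time, state, name))
    return dict(history)

# Assumed mapping, taken from the reply above: an action is reported "Failed"
# when the fixlet is still relevant after the action ran, so a "Failed" console
# status should coincide with the client still evaluating the fixlet as Relevant.
EXPECTED_CLIENT_STATE = {"Failed": "Relevant", "Not Relevant": "Not Relevant"}

def check_console_status(history, fixlet_id, console_status):
    """Compare the console's action status with the client's last evaluation."""
    evals = history.get(fixlet_id)
    if not evals:
        return "no client evaluation for this fixlet"
    last_state = evals[-1][1]
    expected = EXPECTED_CLIENT_STATE[console_status]
    if last_state == expected:
        return "consistent"
    return f"mismatch: console says {console_status}, client last said {last_state}"
```

Run `check_console_status(parse_relevance_history(log), "2188", "Failed")` over a failed machine's log to see whether its own evaluation agrees with the console before pulling it for a manual patch.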
Thanks for your insight. Since we use .NET for our application, I am guessing you are correct. I am waiting for approval to pull one of these failed machines out of the production pool to test further. I’ll try a manual patch and then turn on Client debug logging if need be.
I ran the manual patch from Windows update that references KB2835393, released July 9, 2013, which was labeled as “important”. It installed fine. I clicked on more information, which brought me to a generic page for the patch with a reference to KB2861561. This was listed as “critical” with an August date referencing the original July 9th release date, which I have to assume was the original (it did not say). I cannot find KB2861561 referenced in the Bigfix console. There are no less than 19 patches all with MS-052. To sort it all out would take much more time than to patch these systems manually and trust that Windows update is correct.
Well, I think Microsoft has made itself quite complicated here. KB2861561 is stated in the Bulletin page of MS13-052 ( https://technet.microsoft.com/en-us/security/bulletin/ms13-052 ). I believe it is an overall description for the Bulletin. For KB2835393 specifically, it is rated as Critical too in the Bulletin page.
Going back to the “failed” status, does it happen after taking action? Has the IEM console reported that the KB is required by the system?
It will be helpful if you can give me the detailed steps when the issue occurred.
The console identifies multiple systems to which MS13-052 (referencing KB2835393) is applicable, and it is added to the baseline.
The patch process completes but 15 out of 51 fail.
Failed
MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution - .NET Framework 4 - Windows XP SP2 / 2003 SP2 / Vista SP2 / 2008 SP2 / 7 SP1 / 2008 R2 SP1 (x64) (KB2835393)
When reviewing the logs on the failed systems, they show the patch as “not relevant”.
Running Windows update on the server shows no “critical” patches are required. However, there is a reference to KB2835393, but it is listed as “Important”.
The Windows update patch completes successfully on the failed server.
The console no longer considers the “Critical” patch as relevant on the server that was manually patched with Windows update.
That said, it appears I will need to manually patch these systems using Windows update.
Based on your description, it seems the fixlet Relevance is able to identify the Relevancy from the console. But it shows not relevant when deploying the action. This behavior is a bit tricky. Can you try the attached QnA on the failed machine (without patching) to see whether the Relevance is detecting the environment correctly?
Can you pass me the client logs from the failed system? I hope you still have it.
As for the “Severity rating” differences, I cannot do much about it. I have no idea why Microsoft states “Critical” in the Bulletin Page and changes it to “Important” in Windows Update Tool. But we do know that the patch is required by the system.
Meanwhile, you may want to open a support ticket for this issue for further investigation.