Problems regarding old patches

bjarnigud · May 6, 2020, 1:09pm

Hi,

I have recently encounter some patches that needed a little tweaking to get them up and running. These are relatively old patches for example:

FIXED - MS14-022: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution - SharePoint Designer 2013 Gold / SP1 - KB2752096
FIXED - MS15-081: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office 2013 SP1 - KB3039798
FIXED - MS14-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office 2013 SP1 - KB2880463
FIXED - MS15-116: Security Update for Microsoft Office to Address Remote Code Execution - Publisher 2013 SP1 - KB3085561
FIXED - MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution - Office 2013 Gold/SP1 - KB2726958

In all of these cases I had to, make another fixlet (copy the old one ), download the patch ( from the link in the action script), calculate new sha1, sha256 and the change it in the action script. After that bigfix is able to prefetch it and run it.

It looks like microsoft have change the patch on their end and bigfix has not updated the action script.

I was wondering, is bigfix support supposed to fix these patches on their end or will I have to do this manually ? If so do you guys have any better way of doing this?

And another thing, I now that it is probably not Bigfix´s problem but this patch MS15-104: Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege - Lync Server 2013 - OcsCore - KB3080353 (x64) has 404 link.

Best regards
Bjarni Guðmundsson

JasonWalker · May 6, 2020, 2:49pm

Yes, these should get fixed in our content. When Microsoft updates a patch binary but does not publish a new bulletin on it, it may not be detected.

@bma can we have the team check on these fixlets?

bjarnigud · May 6, 2020, 3:22pm

@JasonWalker ok great to hear

While your are at it can you also look at these fixlets?

FIXED - MS14-022: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution - SharePoint Server 2013 Client Components SDK - KB2863854 (x64)
FIXED - MS14-024: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass - Office 2013 Gold / SP1 - KB2760272
FIXED - MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass - Office 2013 Gold/SP1 - KB2910941 (x64)
FIXED - MS15-022: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office 2010 SP2 - KB2956076
FIXED - MS15-081: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office 2013 SP1 - KB3039798 (x64)
FIXED - MS16-004: Security Update for Microsoft Office to Address Remote Code Execution - Office 2010 SP2 - KB2881029

bma · May 6, 2020, 9:38pm

I’ve passed this on to the team.

Regarding the patch for the OcsCore component on Lync Server 2013, it appears that is no longer available from MS.
At least from a quick search, I couldn’t find any alternative links to it, or even any real documentation on it. But I’ve asked the team to take another look at it in case I’ve missed something.

bjarnigud · May 7, 2020, 9:45am

Thank you for your help !

bma · May 7, 2020, 10:41pm

As of the day of the original posting, the team only found about 3 or so of ones from your list that had hash mismatches. They’ll fix those.

The rest seem to be ok, which I’ve also confirmed in my own Bigfix deployment. It’s possibly those may have been fixed since that last time you had deployed those fixlets.

bjarnigud · May 8, 2020, 9:09am

Great thank you ! It could be that you have fixed the fixlet in the meanwhile

bjarnigud · May 19, 2020, 11:37am

Hi

Should I create a support ticket if I encounter some more patches?
Btw.
MS13-091: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office 2013 (file format converters)
This patch is getting a “HTTP 404 Not Found”

Thank you in advanced

jgstew · May 19, 2020, 1:21pm

I would post in the patch category of the forum and also file a support request, referencing the forum link. A support request is the “real” mechanism, but posting to the forum is also useful in case others are having the same trouble and can confirm / be aware of it.

Mike_Mills · June 24, 2020, 2:55pm

MS13-091: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office 2013 (file format converters)

ID 1309113
Site Patches for Windows
Category Security Hotfix
CVE ID CVE-2013-1324
Download Size 24.87 MB
Source Microsoft
Source ID KB2768005
Source Severity Important
Source Release Date 11/12/2013

Regarding this patch, I just tracked it down as the culprit preventing a huge baseline from working, I kept getting an error when I tried to take the action. Narrowed it down by copying the baseline to a testbase and deleting groups of fixlets until it worked, then repeat until I had only a handful to look at.

The action script has a hard return just before the sha256 part, causing the error

Action1 (default)
Script Type BigFix Action Script

prefetch convintl-en-us_f2f258d741c373be72dd3cc4a39287847cfc7a56.cab sha1:f2f258d741c373be72dd3cc4a39287847cfc7a56 size:733006 http://download.windowsupdate.com/c/msdownload/update/software/secu/2013/10/convintl-en-us_f2f258d741c373be72dd3cc4a39287847cfc7a56.cab
sha256:cd6ed65ad80337c1526170607fe8a72673da150b562a73dde18af139b0c5a66c

waithidden {pathname of system folder & “\expand.exe”} __Download\convintl-en-us_f2f258d741c373be72dd3cc4a39287847cfc7a56.cab __Download\convintl-en-us.msp
waithidden msiexec.exe /p __Download\convintl-en-us.msp /quiet /norestart
action may require restart “f2f258d741c373be72dd3cc4a39287847cfc7a56”

The error I was getting was “one of the actions in this multiple action group contains an invalid action script” . Since this worked fine a month or so ago, I will assume that there was a recent change made and I re-synced it with the current version.

I just opened a ticket with BigFix/HCL so hopefully this will get fixed. Although its a 2013 patch for Office 2013 32bit so they might not prioritize it…