Undetectable Patches
MBSA, SMS, and SUS might not detect Microsoft's latest security patches: Microsoft Security Bulletins MS04-027 and MS04-028.
September 20, 2004
If you use Microsoft Baseline Security Analyzer (MBSA), Systems Management Server (SMS), or Software Update Services (SUS), be aware that they might not detect Microsoft's latest security patches, Microsoft Security Bulletin MS04-027 (Vulnerability in WordPerfect Converter Could Allow Code Execution--884933) [http://www.microsoft.com/technet/security/bulletin/MS04-027.mspx] and Microsoft Security Bulletin MS04-028 (Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution--833987) [http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx]. As you know, MBSA can detect whether a given system has particular patches installed. SMS relies on MBSA for some of its patch scanning functionality.
MS04-027, which Microsoft deems an important patch to apply, addresses problems with the WordPerfect file-format conversion tool. MS04-028, which Microsoft deems critical, addresses problems with JPEG Graphics Development Interface Plus (GDI+). If after reading the bulletin, you're uncertain whether any of your systems have an application that uses GDI+, you can download a GDI Detection Tool from Microsoft that will help you determine which of your systems might be affected. Read more about the tool in the Microsoft article "Description of the Microsoft GDI+ Detection Tool: September 14, 2004" [http://support.microsoft.com/?kbid=873374].
In a post to the Patchmanagement mailing list [http://marc.theaimsgroup.com/?l=patchmanagement&m=109537004526326&w=2], Microsoft employee Doug Neal (who works on the MBSA team) clarified that indeed MBSA might fail to determine whether the patches are installed. Neal said MBSA might not accurately detect the new patches because of the diverse number of system configurations that are affected.
In his message to the list, Neal said that, "For MS04-028, there are 26 various patches depending on which of 45+ operating systems, IE versions and Microsoft products are present on a machine.... As significant as this GDI+ vulnerability is, there was simply no way MBSA could authoritatively cover all possible cases and provide the correct patch status for every case." When MBSA can't determine the installation status for a given patch, it will return a note message to the administrator that indicates the need for further review. The note might include reference data, such as a Microsoft article number. The Microsoft article "Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates" [http://support.microsoft.com/?kbid=306460] provides more information. However, Neal also said that, "MBSA does not support MS04-027, so there will be no patch status returned for this bulletin (not even a Note message since the WordPerfect Converter is not a supported MBSA component)."
At the time I wrote this editorial, information in the MS04-027 bulletin contradicted Neal's statement. The FAQ section of the bulletin contained the following question and answer:
Q: Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
A: Yes. MBSA will determine if this update is required. For more information about MBSA, visit the MBSA Web site.
The contradiction between the bulletin and Neal creates a bit of confusion. In addition, several members of the Patchmanagement mailing list have expressed their own frustration and concerns in trying to determine which systems need to be patched.
For the MS04-028 patch, MBSA will return a note message, but according to Neal, it will only do so for systems running Windows Server 2003, Windows XP release to manufacturing (RTM) and Service Pack 1 (SP1), and Microsoft Internet Explorer (IE) 6.0 SP1. Neal said that "All other platforms receive no note message, no warning, and no indication of update status." So be aware of these caveats.
The two bulletins do note that patch detection might not be 100 percent thorough. They both have a section titled "Systems Management Server" near the end that says, "Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems."
The bulletins go on to point out that you can use the SMS software distribution feature; "Deploying Software Updates Using the SMS Software Distribution Feature" [http://www.microsoft.com/technet/prodtechnol/sms/sms2003/patchupdate.mspx] provides details about that feature. Other links are also provided in the SMS section of the bulletins for other situations that might arise. Be sure to read the articles for complete details.
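Because MBSA returns no status for MS04-027 and only a note for a few platforms on MS04-028, the practical fallback the bulletins point to is your own inventory. The script below is an added example, not code from the editorial, Microsoft, or the GDI+ Detection Tool: it walks the Windows and Program Files trees for every copy of gdiplus.dll (applications can ship their own, which is why a single OS-level check is not enough) and flags copies older than the fixed file version. The fixed version is deliberately not hard-coded; take it from the file-information table in the MS04-028 bulletin and pass it as a parameter.

```powershell
# Added example: inventory every gdiplus.dll on this host and compare it with
# the fixed file version published in MS04-028. Nothing here is from the
# original article; the minimum version is supplied by the administrator.
param(
    # Take this value from the MS04-028 bulletin's file-information table.
    [Parameter(Mandatory = $true)]
    [version]$MinimumVersion,

    # Application-private copies of GDI+ usually live under Program Files.
    [string[]]$SearchRoots = @($env:SystemRoot, $env:ProgramFiles)
)

function Get-GdiPlusInventory {
    param([string[]]$Roots, [version]$Minimum)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                # Build a comparable System.Version from the numeric parts rather than
                # parsing FileVersion, whose string form can carry extra text.
                $vi  = $_.VersionInfo
                $ver = New-Object System.Version(
                    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Path     = $_.FullName
                    Version  = $ver
                    Status   = if ($ver -lt $Minimum) { 'NEEDS-UPDATE' } else { 'OK' }
                }
            }
    }
}

# One row per copy found; feed the CSV into SMS or whatever inventory you use
# to target the update at the systems that actually need it.
$inventory = Get-GdiPlusInventory -Roots $SearchRoots -Minimum $MinimumVersion
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path "$env:COMPUTERNAME-gdiplus.csv" -NoTypeInformation
```

A host that reports no rows at all has no copy of gdiplus.dll under the searched roots; extend `-SearchRoots` to cover other drives or application directories before treating that as "not affected".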
On a brighter note, Neal did add that "Microsoft is committed to consolidating on Windows Update Services (WUS) technology to give customers consistent results across the board." You might want to read Neal's entire message on Patchmanagement. It contains other information that helps clarify and summarize what you might expect to encounter while rolling out the new patches.