7 replies Latest Post - ‏2013-10-28T10:01:48Z by sylviabeing
olsonc5891
23 Posts

Pinned topic Multiple failures MS13-052-KB2835393

‏2013-10-16T14:51:14Z |

I had multiple failures on this patch. The report on the console server shows the patch as "failed". The logs on the server show the below. Why doesn't the console report the patch as "not relevant" instead of "failed" if the server reports it as not relevant?

At 20:38:59 -0500 - mailboxsite (http://bifix_Server:52311/cgi-bin/bfgather.exe/mailboxsite6248688)
   Not Relevant - MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution - .NET Framework 4 - Windows XP SP2 / 2003 SP2 / Vista SP2 / 2008 SP2 / 7 SP1 / 2008 R2 SP1 (x64) (KB2835393) (fixlet:2188)

  • olsonc5891
    23 Posts

    Re: Multiple failures MS13-052-KB2835393

    ‏2013-10-16T16:24:26Z  in response to olsonc5891

    To confuse the issue further, I used Windows update on the server to see what it would find as relevant. It is referencing the same KB article but it is listed as a security update and is not "critical" but "important". Which one is correct?

    • liuhoting
      79 Posts

      Re: Multiple failures MS13-052-KB2835393

      ‏2013-10-17T23:00:21Z  in response to olsonc5891

      What happens when you run that patch manually? I think the reason you're seeing failures on that patch is that you applied the action but it didn't make the relevance for that particular fixlet go from true to false on those machines. Something is preventing that patch from being installed properly.

      If Bigfix and Windows update are both reporting that the patch is needed on the system, but you're not able to apply the patch manually or through Bigfix, that's usually a sign that something is weird with the detection on the Microsoft patch itself.

      • olsonc5891
        23 Posts

        Re: Multiple failures MS13-052-KB2835393

        ‏2013-10-18T13:01:57Z  in response to liuhoting

        Thanks for your insight. Since we use .NET for our application, I am guessing you are correct. I am waiting for approval to pull one of these failed machines out of the production pool to test further. I'll try a manual patch and then turn on Client debug logging if need be.

        • olsonc5891
          23 Posts

          Re: Multiple failures MS13-052-KB2835393

          ‏2013-10-18T17:23:39Z  in response to olsonc5891

          I ran the manual patch from Windows update that references KB2835393, released July 9, 2013, which was labeled as "important". It installed fine. I clicked on more information, which brought me to a generic page for the patch with reference to KB2861561. This was listed as "critical" with an August date referencing the original July 9th release date, which I have to assume was the original (it did not say). I cannot find KB2861561 referenced in the Bigfix console. There are no less than 19 patches all with MS-052. To sort it all out would take much more time than to patch these systems manually and trust the windows update is correct.

          • sylviabeing
            132 Posts

            Re: Multiple failures MS13-052-KB2835393

            ‏2013-10-22T10:15:44Z  in response to olsonc5891

            Well, I think Microsoft has made itself quite complicated here. KB2861561 is stated on the Bulletin page of MS13-052 (https://technet.microsoft.com/en-us/security/bulletin/ms13-052). I believe it is an overall description for the Bulletin. For KB2835393 specifically, it is rated as Critical too on the Bulletin page.

            Going back to the "failed" status, does it happen after taking action? Has IEM console reported the KB is required by the system?

            It will be helpful if you can give me the detailed steps when the issue occurred.

            Regards,

            Sylvia

            • olsonc5891
              23 Posts

              Re: Multiple failures MS13-052-KB2835393

              ‏2013-10-22T14:25:39Z  in response to sylviabeing

              1. The console identifies multiple systems that MS13-052 (referencing KB2835393) is applicable and it is added to the baseline.

              2. The patch process completes but 15 out of 51 fail.

              3. Failed MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution - .NET Framework 4 - Windows XP SP2 / 2003 SP2 / Vista SP2 / 2008 SP2 / 7 SP1 / 2008 R2 SP1 (x64) (KB2835393)

              4. When reviewing the logs on the failed systems, they show the patch as "not relevant".

              5. Running Windows update on the server shows no "critical" patches are required. However, there is a reference to KB2835393 but it is listed as "Important".

              6. The Windows update patch completes successfully on the failed server.

              7. The console no longer considers the "Critical" patch as relevant on the server that was manually patched with Windows update.

              That said, it appears I will need to manually patch these systems using Windows update.

              • sylviabeing
                132 Posts

                Re: Multiple failures MS13-052-KB2835393

                ‏2013-10-28T10:01:48Z  in response to olsonc5891

                Hi, sorry for the late reply.

                Based on your description, it seems the fixlet Relevance is able to identify the Relevancy from console. But it shows not relevant when deploying the action. This behavior is a bit tricky. Can you try the attached QnA on the failed machine (without patching) to see whether the Relevance is detecting the environment correctly?

                Can you pass me the client logs from the failed system? I hope you still have it. 

                As for the "Severity rating" differences, I cannot do much about it. I have no idea why Microsoft states "Critical" in the Bulletin Page and changes it to "Important" in Windows Update Tool. But we do know that the patch is required by the system.

                Meanwhile, you may want to open a support ticket for this issue for further investigation.

                Regards,

                Sylvia
