6 replies Latest Post - ‏2014-07-16T08:47:38Z by sylviabeing
Niall.Fraser
26 Posts

MS11-025 - Question about relevance

2014-06-04T08:56:58Z

Hi,

I have a question about the relevance of the following fixlet 1102539

MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library could allow Remote Code Execution - Microsoft Visual C++ Redistributable Package SP1 (x64)

Our servers have the non-SP1 version of this software (version 10.0.30319) installed, and as a result Relevance 5 fails, as it checks for a version greater than or equal to 10.0.40219.

However, as the SP1 version is newer than the existing one, should this fixlet not install the new SP1 version? Or is it designed to apply only if SP1 is already installed?

As an experiment I copied the fixlet and changed the >= to <= in Relevance 5, and the resulting fixlet became relevant on 48 servers, whereas the existing fixlet was relevant on none.

Can you advise me whether this fixlet is working as it is supposed to? I also looked at fixlet 1102519 MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution - Microsoft Visual C++ 2010 Redistributable Package Gold (x64), which shows as remediated on the 48 servers and checks for a version >= 10.0.30319, so this may be as designed, but we are being advised that if we have version 10.0.30319 on a server, it is vulnerable and we need to install version 10.0.40219.
 

thanks

 

Niall

  • sylviabeing
    148 Posts

    Re: MS11-025 - Question about relevance

    2014-06-09T09:11:10Z  in response to Niall.Fraser

    Hi Niall,

    Do you have any MBSA scan report for your servers?

    The Redistributable package could be installed without Visual C++ being present. However, it should not be pushed to any environment.

    It will be better if you can run MBSA on the server you have concerns about, to see what patches are required.

    Thanks,

    Regards,

    Sylvia

    • Niall.Fraser
      26 Posts

      Re: MS11-025 - Question about relevance

      2014-06-11T14:13:18Z  in response to sylviabeing

      Hi Sylvia,

      I am unable to run the tool you suggest; however, I was advised that the newer version of Visual C++ 2010 was required. My amendment to the relevance only involved changing the ">" sign to "<", so the existence of Visual C++ was still checked for; it just allowed older versions of Visual C++ 2010 (10.0.30319) to be updated with the latest version. The relevance would fail if Visual C++ 2010 was not present in the registry.

       

      My question was that the relevance appears to be looking for a version of Visual C++ 2010 (10.10.0.40219) or newer to be installed, and if it is, then it would update any DLLs of a lower version to version 10.0.40219. But if that version has been installed then the DLLs are at that level anyway, so what is the point of the fixlet? My thought was that if it found an older version of Visual Studio C++ 2010, for example 10.0.30319, then it should update it with the newer version, in which case the relevance is wrong.

      However, I don't have a lot of understanding about relevance, so I may be wrong; but if so, can you explain why the relevance looks for the version of the software that the fixlet installs to be present?

       

      regards

       

      Niall

       

       

      • BaiYunfei
        77 Posts

        Re: MS11-025 - Question about relevance

        2014-06-13T03:12:34Z  in response to Niall.Fraser

        Hi Niall,

        Sorry if I am wrong, but I guess you are expecting the Fixlet for MS11-025 to upgrade VC++ 2010 from 10.0.30319 to 10.0.40219, i.e. from Gold to SP1; however, MS11-025 is not designed to do that. MS11-025 upgrades certain files to fix a security vulnerability.

        If you would like to apply MS11-025 on VC++ 2010 Gold, use Fixlet 1102519; for SP1, use Fixlet 1102539. The relevance of "version >= X" was by design to distinguish between Gold and SP1, and it remains true after applying MS11-025.

        In order to upgrade your VC++ 2010 to SP1, you might want to look at this Fixlet:

        983509: Microsoft Visual Studio 2010 Service Pack 1 Available (ID: 98350901)

        Thanks!
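To make the point of the two replies above concrete, here is a small model of the branch-selecting clause in the MS11-025 Fixlets and of the ">=" to "<=" experiment from the first post. It is an added example, not the Fixlets' own relevance: it assumes Gold and SP1 are told apart solely by the two version thresholds quoted in the thread, and the fleet inventory is constructed.

```python
import operator
from typing import Optional

# Version thresholds quoted in the thread (VC++ 2010 x64 redistributable).
GOLD_VERSION = "10.0.30319"   # VC++ 2010 Gold, targeted by Fixlet 1102519
SP1_VERSION = "10.0.40219"    # VC++ 2010 SP1, targeted by Fixlet 1102539

def parse_version(text: str) -> tuple:
    """Turn '10.0.30319' into (10, 0, 30319, 0) so comparisons are numeric, not string-wise."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components in {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def branch_clause_true(installed: Optional[str], threshold: str, op: str = ">=") -> bool:
    """Evaluate one 'version <op> threshold' relevance clause.
    `installed` is None when no VC++ 2010 redistributable is in the registry; the clause is then false,
    which is why the modified Fixlet in the thread still did not apply to hosts without VC++ 2010."""
    if installed is None:
        return False
    ops = {">=": operator.ge, "<=": operator.le}
    return ops[op](parse_version(installed), parse_version(threshold))

def ms11_025_fixlet_for(installed: Optional[str]) -> Optional[int]:
    """Which MS11-025 Fixlet from the thread targets this install: 1102539 (SP1), 1102519 (Gold) or None.
    Assumption (modelled, not from the page): the Gold Fixlet is checked only when the SP1 clause is false."""
    if branch_clause_true(installed, SP1_VERSION):
        return 1102539
    if branch_clause_true(installed, GOLD_VERSION):
        return 1102519
    return None

def relevant_with_modified_sp1_clause(fleet: dict) -> list:
    """Reproduce the first post's experiment: flip '>=' to '<=' in the SP1 Fixlet's version clause
    and list the hosts on which it would now fire. Every Gold host matches, so SP1-level files would
    be pushed to installs that the Gold Fixlet (1102519) is meant to cover."""
    return sorted(h for h, v in fleet.items() if branch_clause_true(v, SP1_VERSION, "<="))

# Constructed sample inventory: hostname -> installed VC++ 2010 x64 redistributable version.
SAMPLE_FLEET = {
    "srv01": "10.0.30319",   # Gold
    "srv02": "10.0.30319",   # Gold
    "srv03": "10.0.40219",   # SP1
    "srv04": None,           # no VC++ 2010 redistributable at all
}

if __name__ == "__main__":
    for host, ver in SAMPLE_FLEET.items():
        print(host, ver, "->", ms11_025_fixlet_for(ver))
    print("relevant after flipping >= to <=:", relevant_with_modified_sp1_clause(SAMPLE_FLEET))
```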

         

  • Niall.Fraser
    26 Posts

    Re: MS11-025 - Question about relevance

    2014-06-13T15:47:50Z  in response to Niall.Fraser

    Hi,

    Thank you for your answer, which explains things perfectly. Our servers had been showing no fixlets for MS11-025 as relevant, as they had already been patched with Fixlet 1102519 and we were on version 10.0.30319, but an audit told us that we should be on version 10.0.40219, which caused me to look into the relevance. I was not sure why the relevance was set to >=, but now I understand why it is set to this.

    I have looked at 983509: Microsoft Visual Studio 2010 Service Pack 1 Available (ID: 98350901), but this is only showing as relevant on 2 servers, and it says that it doesn't actually download anything; it's just for audit purposes.

     

    thanks

    Niall

    • sylviabeing
      148 Posts

      Re: MS11-025 - Question about relevance

      2014-07-16T08:46:46Z  in response to Niall.Fraser

      Hi Niall,

      Service Pack 1 of VS 2010 actually requires user interaction; it cannot be installed successfully silently. Therefore, IEM only provided audit fixlets.

      As for the issue of it not being relevant on some servers, you may have to provide some data from a not-relevant server and let us have a look.

      We will need the registry key exported for native registry:

      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"

      AND

      This query: 

      Q:Version of regapp "devenv.exe"

      Thanks,

      Sylvia

      • sylviabeing
        148 Posts

        Re: MS11-025 - Question about relevance

        2014-07-16T08:47:38Z  in response to sylviabeing

        One more thing,

        The evaluation result of fixlet ID: 98350901.

        Regs,