WSUS not Synchronizing MS11-025

    Question

  • A vulnerability scan revealed that several Windows 7 machines on my network needed security update MS11-025 (Visual C++ Redistributable). In my case:

    1. WSUS is set up to synchronize Windows updates

    2. None of these machines are running Visual Studio (i.e., only the VC++ redistributable is installed)

    3. WSUS does not show any patches for the security update MS11-025 unless the Visual Studio 2008 is synchronized. http://social.technet.microsoft.com/Forums/en-US/a1086629-e9c4-4d1d-92b8-e4a236b0c0b8/bulletin-ms11025-updates-2538243-2538242-not-listed-in-wsus?forum=winserverwsus

        Unfortunately, even if Visual Studio 2008 is selected for synchronization, the MS11-025 security update that WSUS imports is not the one applicable to a Windows 7 only install of Visual C++.

    Why is this happening? What is the solution and if an update does not appear in WSUS after synchronization is it possible to manually import it and select applicable machines for install?

    Friday, January 24, 2014 4:47 PM

Answers

  • but the VC++ redistributable can exist without Visual Studio.
    Yes, it can; which has absolutely nothing to do with how you get the update package(s) synchronized into your WSUS Server.
    Your list of patches specifically states that the redist is found in Visual Studio.
    No. What it says is that you must have the appropriate Visual Studio PRODUCT CATEGORY selected for synchronization in order to get those updates.
    I had a server 2008 R2 OS that needed the update according to Nessus and I manually confirmed that Nessus was correct. This is the patch/update http://www.microsoft.com/en-us/download/details.aspx?id=26368. It is meant for the standalone VC++ redistributable without an installation of Visual Studio.
    Great! In order to get the Microsoft Visual C++ 2008 Service Pack 1 Security Update, you must be synchronizing the Visual Studio product category that provides that security update. That product category (as noted above, in both your original post, as well as my reply) is Visual Studio 2008.

    This update does not synchronize in WSUS. I had to apply it manually. In fact I believe this update is not detected by the Windows Update agent because I had to apply it manually to machines that were updating directly from Microsoft.

    The WUAgent can only "detect" updates that have been synchronized to the WSUS Server. If you have not synchronized the update, the WUAgent can't tell you squat about the need, or lack thereof, for that update (until you go to Microsoft Update) -- at which point the WUAgent now has access to ALL product categories and ALL update classifications and what you've synced (or not) to the WSUS server is totally irrelevant.
    Without Nessus I would not have known that this component was out of date.
    This is a great testimony to why an independent security vulnerability scanner should always be used: Because you cannot possibly know about missing updates if the updates aren't on the WSUS server in the first place.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, January 31, 2014 3:57 PM
    Moderator
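
    The server-side check described in this answer, as an added example that is not part of the original post: it reports, for each of the four MS11-025 packages named in this thread, whether its product category is selected for synchronization and whether the update is already in the WSUS database. It assumes the UpdateServices module (Windows Server 2012 or later) and that the WSUS category titles match the names given in the thread.

```powershell
# Added example: run on the WSUS server in an elevated PowerShell session.
# Assumption: the UpdateServices module is available (Windows Server 2012+).
Import-Module UpdateServices

# KB -> WSUS product category, exactly as listed in this thread.
$ms11025 = [ordered]@{
    'KB2538242' = 'Visual Studio 2005'
    'KB2538243' = 'Visual Studio 2008'
    'KB2467173' = 'Visual Studio 2010'
    'KB2565063' = 'Visual Studio 2010'
}

# Local WSUS server; use -Name and -PortNumber for a remote one.
$wsus = Get-WsusServer

# Titles of the product categories currently selected for synchronization.
# Caveat: if a whole product family was ticked, the subscription may list
# the family title rather than each child product.
$subscribed = @($wsus.GetSubscription().GetUpdateCategories() |
    ForEach-Object { $_.Title })

$report = foreach ($kb in $ms11025.Keys) {
    $category = $ms11025[$kb]

    # Updates already synchronized whose metadata mentions this KB number.
    $found = @($wsus.SearchUpdates($kb))

    [pscustomobject]@{
        KB                 = $kb
        ProductCategory    = $category
        CategorySubscribed = $subscribed -contains $category
        UpdatesInWsus      = $found.Count
        Approved           = @($found | Where-Object { $_.IsApproved }).Count
    }
}

# A row with CategorySubscribed = False and UpdatesInWsus = 0 is an update
# the Windows Update Agent cannot report on for clients of this server.
$report | Format-Table -AutoSize
```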

All replies

  • A vulnerability scan revealed that several Windows 7 machines on my network needed security update MS11-025 (Visual C++ Redistributable).

    There are actually FOUR packages for MS11-025 that are each applicable to four separate instances of a Visual C++ Redistributable, and any one, some, or all can be installed onto any given operating system.

    • KB2538242: for Visual C++ 2005 SP1 (found in the Visual Studio 2005 product category)
    • KB2538243: for Visual C++ 2008 SP1 (found in the Visual Studio 2008 product category)
    • KB2467173: for Visual C++ 2010 (found in the Visual Studio 2010 product category)
    • KB2565063: for Visual C++ 2010 SP1 (found in the Visual Studio 2010 product category)
    Unfortunately, even if Visual Studio 2008 is selected for synchronization, the MS11-025 security update that WSUS imports is not the one applicable to a Windows 7 only install of Visual C++.

    So this analysis is actually part of the core issue. As noted, there are FOUR possible installations of the Visual C++ Redistributable, and any one or all of those four could be installed on a Windows 7 system. So, if the Visual Studio 2008 package (which is for the Visual C++ 2008 SP1 Redistributable) is Not Applicable, then I'd venture a guess that you have one (or more) of the other three packages actually installed on that system.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, January 24, 2014 9:54 PM
    Moderator
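
    One way to see which of the four packages a flagged machine actually calls for, as an added example that is not part of the original reply: it lists the Visual C++ Redistributables registered on the local machine and maps each to the KB and WSUS product category from the list above. Matching on the uninstall entry's DisplayName is an assumption of this example; the script avoids PowerShell 3.0 syntax so it runs on a stock Windows 7 install.

```powershell
# Added example: run locally on the machine the scanner flagged.
# Redistributable release -> KB and WSUS product category, from this thread.
$map = @(
    @{ Match = 'Visual C++ 2005'; KB = 'KB2538242'; Category = 'Visual Studio 2005' },
    @{ Match = 'Visual C++ 2008'; KB = 'KB2538243'; Category = 'Visual Studio 2008' },
    @{ Match = 'Visual C++ 2010'; KB = 'KB2467173 (2010) or KB2565063 (2010 SP1)'
       Category = 'Visual Studio 2010' }
)

# Native and 32-bit-on-64-bit uninstall keys; the second one exists only
# on 64-bit Windows, hence -ErrorAction SilentlyContinue.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

# @() keeps the loop below from running once on $null under PowerShell 2.0.
$installed = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 20* Redistributable*' })

$result = foreach ($app in $installed) {
    $hit = $map |
        Where-Object { $app.DisplayName -like "*$($_.Match)*" } |
        Select-Object -First 1

    if ($hit) { $kb = $hit.KB; $cat = $hit.Category }
    else      { $kb = 'not in the MS11-025 list above'; $cat = '' }

    New-Object PSObject -Property @{
        DisplayName         = $app.DisplayName
        Version             = $app.DisplayVersion
        CandidateKB         = $kb
        WsusProductCategory = $cat
    }
}

# Several rows are normal: more than one redistributable release, in both
# x86 and x64 builds, can be installed side by side.
$result | Sort-Object DisplayName |
    Select-Object DisplayName, Version, CandidateKB, WsusProductCategory |
    Format-Table -AutoSize
```

    Every distinct value in the WsusProductCategory column is a product category that has to be selected for synchronization before WSUS can offer the matching update to that machine.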
  • Hi,

    Any update about the issue? If you need further assistance, please feel free to let us know.

    Regards,

    Yan Li



    Monday, January 27, 2014 2:34 AM
    Moderator
  • Lawrence,

    I haven't had a chance to look at these updates again but the VC++ redistributable can exist without Visual Studio. Your list of patches specifically states that the redist is found in Visual Studio. I had a server 2008 R2 OS that needed the update according to Nessus and I manually confirmed that Nessus was correct. This is the patch/update http://www.microsoft.com/en-us/download/details.aspx?id=26368. It is meant for the standalone VC++ redistributable without an installation of Visual Studio.

    This update does not synchronize in WSUS. I had to apply it manually. In fact I believe this update is not detected by the Windows Update agent because I had to apply it manually to machines that were updating directly from Microsoft. Without Nessus I would not have known that this component was out of date.

    Monday, January 27, 2014 3:27 PM
  • Yan,

    Any further update on this issue?

    Wednesday, January 29, 2014 3:41 PM