Still finding "high" vulnerabilities when fully patched

  • Question

  • Hello everyone,

    We use Tenable Security's Nessus product to identify vulnerabilities on our servers.  After patching fully, I still see several vulnerabilities.  I have discovered that 90%+ are because of third party applications that we aren't currently patching (we will be in the next month or so), but there are some that are Microsoft patches that aren't synchronizing with SCCM and I need help understanding why.  So in short, I'm worried about the 10%.

    2 examples:

    MS12-043; Vulnerability in Microsoft XML Core Services could allow remote code execution
    MS11-025; Vulnerability in Microsoft Foundation Class (MFC) Library could allow remote code execution

    I have SCCM configured to download the following classifications: Critical Updates, Security Updates, Update Rollups, and Service Packs.  I have it configured to not download: Definition Updates, Feature Packs, Tools, Updates.

    I have several Microsoft applications chosen for updates to be downloaded for, but I do not see .NET Framework even in the available list (.NET Framework is one of the things that I need to update per Nessus).

    Any suggestions?

    Thanks

    Tuesday, November 13, 2012 7:44 PM

All replies

  • I do have 12-043 in ConfigMgr. It shows up as a security update. I think these are coming in as part of the OS updates. Are you sync'ing the OS product.

    Here are the details from one of them:

    Security Update for Microsoft XML Core Services 4.0 Service Pack 3 for x64-based

    Bulletin ID: MS12-043
    Article ID: 2721691

    Date revised: Tuesday, October 09, 2012

    Maximum severity rating: Critical

    Description:
    A security issue has been identified in Microsoft XML Core Services (MSXML) that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.

    Applicable languages:
    Chinese (Taiwan)
    Chinese (People's Republic of China)
    English
    French
    German
    Italian
    Japanese
    Korean
    Spanish

    Affected products:
    Windows 7
    Windows Server 2003, Datacenter Edition
    Windows Server 2003
    Windows Server 2008 R2
    Windows Server 2008
    Windows Vista
    Windows XP x64 Edition
    Windows 8 Release Preview
    Windows Server 2012 Release Candidate


    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

    Tuesday, November 13, 2012 9:07 PM
  • Yes, I am synching Windows XP, 7, Server 2003, and 2008, 2008 R2.
    Wednesday, November 14, 2012 1:28 PM
  • That's odd. I don't see anything different about what you are doing and what I am doing and I have that update. I only checked for the first one you mentioned.


    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

    Wednesday, November 14, 2012 1:55 PM
  • Using the KB article you provided in your first post, I found that I had indeed synched it.  So I guess the question is now why in the world my servers aren't using it.  Thank you.  This issue can be closed
    Wednesday, November 14, 2012 4:14 PM
  • In the console does the update show as being required? If not I'd get on a server that  Tenable thinks has the update missing, manually hit Windows updates and see if the update shows as applicable there. I've had experiences where a third party audit tool was incorrect.


    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

    Wednesday, November 14, 2012 4:46 PM
  • John,

        Thanks again.  I have actually only made myself that much more confused since my last post.  I have the report on 2 of the servers from Tenable that have a list of 8 vulnerabilities.

    One example is MS11-039.  It says that the KB article is 2514842.  However, when I search Configuration Manager, I can find that I have MS11-039 patches, but none of them are that KB number.  I have 2478656, 2478657, and 2478659.  

    Wednesday, November 14, 2012 6:29 PM
  • All of those KB's have the same MS11-039 number, the difference I see is that the one Tenable says you are missing is applicable to Silverlight, the others are applicable to the OS. Are you sync'ing updates for Silverlight?

    http://support.microsoft.com/kb/2514842?wa=wsignin1.0
    http://support.microsoft.com/kb/2478656
    http://support.microsoft.com/kb/2478657
    http://support.microsoft.com/kb/2478659

    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

    Wednesday, November 14, 2012 6:53 PM
  • Thanks again, and I believe that might be my problem on that particular one.

    If I start syncing updates for Silverlight, and then download the patches and add them to an existing group, will they automatically deploy and distribute?  Or do I have to update distribution points?

    Wednesday, November 14, 2012 7:36 PM
  • Actually, I checked and I am indeed downloading updates for Silverlight.  Ugh.
    Wednesday, November 14, 2012 7:50 PM
  • Hmm... I'll try to remember to look tomorrow and see exactly what I'm sync'ing and post it.


    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

    Wednesday, November 14, 2012 10:37 PM
  • Were you ever able to get this resolved?  We use Nessus as well and the guy that handles all of our scans is telling me that we have servers showing the vulnerability for MS11-025, however the machines show that MS11-025 is already installed on the server and if I go to Windows Update directly to search for any required updates, this update does not show.
    Tuesday, March 19, 2013 9:26 PM
  • It's because 3rd party products report per-BULLETIN for their 'plugin' - check your reporting tool specifically for the installation status of each individual KB listed under "Affected Software" at http://technet.microsoft.com/en-us/security/bulletin/ms11-025 or More Information at http://support.microsoft.com/kb/2500212

    Tenable, for me, is showing 205 missing patches for MS11-025, but when I pull the sum total of the KB status in WSUS for all of the KBs listed for the bulletin, it's showing as less than 205 - hopefully just a reporting disconnect or extra subnet included in the Tenable scan, once we've closed the gap, but that seems the root cause.


    • Edited by Trevor Fondren Wednesday, February 12, 2014 2:23 PM clarifying
    Wednesday, February 12, 2014 2:22 PM
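As an added example (not code from the thread or from Tenable or Microsoft), this PowerShell script does on one server what the two replies above describe: it takes a bulletin's per-KB list (the MS11-039 and MS12-043 KB numbers quoted in the thread) and checks each KB against the installed hotfix list and against what the Windows Update Agent still considers applicable, so a per-bulletin scanner finding can be traced to the one KB that is actually missing. The function name Get-BulletinStatus and the $BulletinKBs table are my own; run it on the server the scanner flagged.

```powershell
# Bulletin -> KB lists as quoted in the thread. A scanner that reports per
# bulletin collapses all of these into one finding; the fix is per KB.
$BulletinKBs = @{
    'MS11-039' = @('2514842', '2478656', '2478657', '2478659')  # 2514842 is the Silverlight KB
    'MS12-043' = @('2721691')
}

function Get-BulletinStatus {
    param([Parameter(Mandatory)][string]$Bulletin)

    $kbs = $BulletinKBs[$Bulletin]
    if (-not $kbs) { throw "No KB list known for $Bulletin" }

    # Get-HotFix reads Win32_QuickFixEngineering, which only lists OS hotfixes.
    # Updates for non-OS products such as Silverlight never show up here, which is
    # why a bulletin can look 'missing' while its OS KBs are installed.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB' })

    # Ask the Windows Update Agent which updates it considers applicable but not
    # installed (against WSUS if the box points there). This view covers every
    # product the agent serves, Silverlight included.
    $session    = New-Object -ComObject Microsoft.Update.Session
    $searcher   = $session.CreateUpdateSearcher()
    $pending    = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    $pendingKBs = @()
    foreach ($u in $pending) {
        foreach ($id in $u.KBArticleIDs) { $pendingKBs += [string]$id }
    }

    foreach ($kb in $kbs) {
        $isPending   = $pendingKBs -contains $kb
        $isInstalled = $installed -contains $kb
        if ($isPending)       { $verdict = 'MISSING: applicable and not installed' }
        elseif ($isInstalled) { $verdict = 'Installed (OS hotfix)' }
        else { $verdict = 'Not applicable here, or a non-OS product update; check product sync' }

        [pscustomobject]@{
            Bulletin   = $Bulletin
            KB         = "KB$kb"
            InHotFixes = $isInstalled
            WUAPending = $isPending
            Verdict    = $verdict
        }
    }
}

Get-BulletinStatus -Bulletin 'MS11-039' | Format-Table -AutoSize
```

A KB that is neither installed nor pending is the case to look at in the console: either the product is not synced (the Silverlight situation above) or the update genuinely does not apply to that server.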