Endpoint Management Community Blog

MS12-060 Compliance Result Dropping Abruptly Since the Latest PMImport

Created: 26 Mar 2013 • Updated: 26 Mar 2013 • 2 comments
Ludovic Ferre

I have a customer that is following the compliance status of their computers for MS12-060 in detail (as this vulnerability has a high priority in their environment), and yesterday they got back to find out that the compliance status had dropped by about 50% over the weekend.

Looking into the Applicable and Installed update tables, they could see that KB2687441 was in both, so the update was installed and the computer compliant. So why would it show up as not compliant on their report?

We had a remote session this morning and found the following:

  • MS12-060 updates were effectively compliant
  • Applicable comctl.ocx updates now came from:
    • KB2687441 (MS12-060)
    • KB2598041 (MS12-027, superseded by MS12-060)
    • KB2687493 (not associated with any bulletin from the Microsoft site)
  • KB2687493 was not on the installed table
  • KB2687493 was not in the MS12-060 bulletin from Microsoft
  • KB2687493 was associated with MS12-060 in Patch Management
  • KB2687493 was associated with MSWU-732
  • MSWU-732 had no Software Update Policy enabled
  • MS12-060 policy did not contain any update for KB2687493
  • The Patch Assessment Scan does not check this vulnerability and as such cannot report if it is installed or not (by KB).

So, it looks like KB2687493 is incorrectly associated with MS12-060, causing the compliance status to go right out of line.

As a temporary solution we deleted the ResourceAssociation that linked KB2687493 to MS12-060. This allowed the customer to run their report and find that the compliance was still on the up (close to 95% now)!
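
The effect described above, as an added example that is not part of the original post or of the product's code: a simplified model in which a computer counts as compliant for a bulletin only when every applicable update associated with that bulletin is installed. The compliance rule, the function names and the 20-computer data set are assumptions constructed for illustration.

```python
from collections import defaultdict

def compliance(bulletin, associations, applicable, installed):
    """Share of computers that have every applicable update of the bulletin installed."""
    kbs = associations.get(bulletin, set())
    needed = defaultdict(set)              # computer -> associated KBs it needs
    for pc, kb in applicable:
        if kb in kbs:
            needed[pc].add(kb)
    if not needed:
        return 1.0
    ok = sum(1 for pc, want in needed.items()
             if all((pc, kb) in installed for kb in want))
    return ok / len(needed)

def stray_updates(bulletin, associations, policy_updates, applicable, installed):
    """Associated KBs that are applicable somewhere, never installed, and in no enabled policy."""
    in_policy = set().union(*policy_updates.values()) if policy_updates else set()
    applicable_kbs = {kb for _, kb in applicable}
    installed_kbs = {kb for _, kb in installed}
    return {kb for kb in associations.get(bulletin, set())
            if kb in applicable_kbs and kb not in installed_kbs and kb not in in_policy}

# Constructed sample data (assumption, not a real export).
PCS = [f"pc{i:02d}" for i in range(20)]
APPLICABLE = ({(pc, "KB2687441") for pc in PCS}
              | {(pc, "KB2687493") for pc in PCS[:10]})
INSTALLED = {(pc, "KB2687441") for pc in PCS[:19]}
# Associations as seen after the import: KB2687493 linked to both bulletins.
FAULTY = {"MS12-060": {"KB2687441", "KB2687493"}, "MSWU-732": {"KB2687493"}}
# Associations after deleting the KB2687493 -> MS12-060 link.
FIXED = {"MS12-060": {"KB2687441"}, "MSWU-732": {"KB2687493"}}
# Enabled Software Update Policies only; MSWU-732 has none.
POLICIES = {"MS12-060": {"KB2687441"}}

if __name__ == "__main__":
    print("with faulty association:",
          compliance("MS12-060", FAULTY, APPLICABLE, INSTALLED))
    print("stray updates:",
          stray_updates("MS12-060", FAULTY, POLICIES, APPLICABLE, INSTALLED))
    print("after removing the link:",
          compliance("MS12-060", FIXED, APPLICABLE, INSTALLED))
```

An update flagged by `stray_updates` can never become installed through the existing policies, so every computer where it is applicable stays non-compliant until the association or the policy is corrected.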

2 Comments

Stefan S.

We also had a problem yesterday with the mentioned KB. The issue caused several calls to our helpdesk. On the users' computers the AeXNSAgent.exe process went up to use 50 to 70% of CPU and therefore the computers were running slow.

The Altiris Agent logs showed that it was continuously trying to download the package, which did not exist. We then disabled the bulletin and this solved the issues on the clients....

Ludovic Ferre

This is now resolved in a PMImport.

I have the KB2687493 associated under MS12-060 and showing as superseding KB2687441.

So the installation should still be done from MS12-060, but via KB2687493, without the compliance problem shown above.

I think the issue came down from troubles we had during the PMImport or else.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec
