Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

MS12-035 and 074 is trying installing every day

Created: 23 Jan 2013 • Updated: 23 Jan 2013 | 14 comments

Dear Symantec,

we have some pilot machines where patches for MS12-035 and 074 are trying to install it every day again and again. Environment is Altiris version 6.0 SP3 R14.

I did investigation and found out that MS13-004 is installed on that machines too. This bulletins replace file system.dll with version 1001.

In the installed rule for MS12-035 is written that version should be lower then 600. I think this is the root cause.

Can you please check it?

Thank you

Comments 14 CommentsJump to latest comment

AmolSontakke's picture

Hi Kada,

It seems that you have problem with MS12-074_NDP40-KB2729449-xXX.exe and MS12-035_NDP40-KB2604121-xXX.exe updates. This issue is due to superscedence information not provided for MS13-004_NDP40-KB2742595-xXX.exe update bulletin page.

To resolve this issue we might have to add some extra supersedence information to MS13-004_NDP40-KB2742595-x86.exe update.

Thanks,

Amol Sontakke

Kada's picture

Hello Amol,

do you think it can be in next PMimport or when and how this can be fixed?

Thank you

AmolSontakke's picture

 

Hi Kada,

The fix will be available in Feb-13 Patch Tuesday Build Release. For fixing this issue we will be adding below additional supersedence information

1)     For MS13-004_NDP40-KB2742595-xXX.exe

Supersedence Information:-

  • MS12-074_NDP40-KB2729449-xXX.exe
  • MS12-035_NDP40-KB2604121-xXX.exe

2)     For MS12-074_NDP40-KB2729449-xXX.exe

Supersedence Information:

  • MS12-035_NDP40-KB2604121-xXX.exe

 

Thanks,

Amol Sontakke

 

STHN's picture

One of our customer is experiencing this, too. Where did you get the information, that this will be fixed on 13 February?

Thanks in advance!

PMCS GmbH & Co. KG - Consulting und Support für Altiris/SEP/EV und andere Symantec Produkte.
Please take the time and mark this post as solution if it solved your problem - thanks!

BugTastic's picture

apparently i need to comment on this field to subscribe to it! pfft.

 

ohzone - CherylPeterson's picture

Hi JoeShmo,

Your can Subscribe without commenting - Click "Subscriptions" at the bottom of the original post and a dropdown menu will give you subscription options. Choose one and click "Update" and you're done.

You can unsubscribe from threads you comment on and don't want update on in the same way - only unchecking the box.

Cheryl

Endpoint Management,
Endpoint Virtualization
Managing Mobility
Community Manager
www.twitter.com/EMnV_symc
Need Altiris help? IRC chat #Altiris

AmolSontakke's picture

Hi All,

After further investigation we found that after latest NDP4.0 MS13-004 update installation, IsInstalled rules of NDP4.0 from MS12-035 and MS12-074 are evaluating to FALSE. This leads to create this issue.

Resolution: IsInstalled Rules for NDP4.0 (x86 , x64) updates from MS12-035 and MS12-074 bulletins are modified accordingly.

Fix PMImport version: X.X.1363.0 (Feb-13 patch Tuesday release) now available publicly.

Thanks,

Amol

 

Kada's picture

Update: new PMimport solve the issue.

But we have another problem with MS13-004 bulletin:

MS13-004 KB2756919 Installed in Altiris Agent. but Vulnerable in MBSA scan. I did check below files for version and they are OK.

 

system.servicemodel.washosting.dll 3.0.4506.4214 32,768 08-Oct-2012 11:01
system.servicemodel.dll 3.0.4506.4214 5,967,872 08-Oct-2012 11:01
servicemonikersupport.dll 3.0.4506.4214 18,040 08-Oct-2012 11:01
         
system.runtime.serialization.dll 3.0.4506.4214 970,752 08-Oct-2012 11:01
system.servicemodel.dll 3.0.4506.4214 5,967,872 08-Oct-2012 11:01

System.IdentityModel.dll is missing in Framework v3.0 but it is in v4.0. Can this be root of the problem?

Thanks a lot

 

AmolSontakke's picture

We have a Windows Vista SP2 machine + .Net 4.0 + .Net 3.5 SP1 installed on it. After MS13-004_ Windows6.0-KB2756919-x86.msu update installation when we run MBSA then it is not showing MS13-004_ Windows6.0-KB2756919-x86.msu as required on the machine.

It would be great if you could provide below information: 

  1. OS along with Service Pack and all software’s installed
  2. File Version and path of  below files
  • aspnet_wp.exe
  • webengine.dll
  • system.web.dll
  • system.dll
  • system.identitymodel.dll
  1. Please attach MBSA result also
  2. Appwiz.cpl of the concerned box with show updates/updates installed checked
  3. Also provide steps for customized installation (if any) of dot net framework on the machine.

Thanks,

Amol

Kada's picture

I had Windows 2008 Standard server SP2 and there was missing:
MS09-048 KB967723
MS13-004 KB2756919
Both was visible in Altiris Agent as Installed, report in Altiris didn't say it is vulnerable. MBSA scan was:
| MS09-048 | Missing | Security Update for Windows Server 2008 x64 Edition (KB967723) | Critical |
| MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 for x64 (KB2756919) | Important |
In Control panel\Programs and Features\Installed updates there was both mentioned as installed.
I tried to install them again manually and now MBSA scan is saying it is installed.

What can be the best solution for it on the rest of machines? How easily I can find how many PC doesn't have some patches installed?
I was thinking to check some of them and in case of missing the same patch setup schedule for specific bulletin to install it every day for example 2 days and check the servers after it.

AmolSontakke's picture

 

Thanks for the provide information.

Could you please provide below information to understand the issue.

This is only for MS13-004_Windows6.0-KB2756919-x64.msu bulletin..

Scenario 1:

Step 1. Update is installed through Altiris Agent, check In Control panel\Programs and Features\Installed updates mentioned as installed. After this please provide the file version for below files at respective location

\WINDOWS\microsoft.net\framework64\v3.0\windows communication foundation\ system.runtime.serialization.dll

\WINDOWS\microsoft.net\framework\v3.0\windows communication foundation\ system.runtime.serialization.dll

\WINDOWS\microsoft.net\framework64\v3.0\windows communication foundation\ system.servicemodel.dll

\WINDOWS\microsoft.net\framework\v3.0\windows communication foundation\ system.servicemodel.dll

Step 2. Check if MBSA is showing, install them again manually and check the MBSA scan result, after this again check below file versions

\WINDOWS\microsoft.net\framework64\v3.0\windows communication foundation\ system.runtime.serialization.dll

\WINDOWS\microsoft.net\framework\v3.0\windows communication foundation\ system.runtime.serialization.dll

\WINDOWS\microsoft.net\framework64\v3.0\windows communication foundation\ system.servicemodel.dll

\WINDOWS\microsoft.net\framework\v3.0\windows communication foundation\ system.servicemodel.dll

Considering without any change on machine in step1 to step2

Scenario 2:

Please check similar Scenario1 on another machine/box. And check similar is the behavior or not? 

Thanks,

Amol

AmolSontakke's picture

For the MS13-004 bulletin...
We have observed that the if we extract update MS13-004_Windows6.0-KB2756919-x64.msu it has three KBs internally.
KB976768 - contains files: webengine.dll, system.web.dll, aspnet_wp.exe
KB980842 - contains files: system.dll
KB2756919 - contains files: system.runtime.serialization.dll, system.servicemodel.dll, system.identitymodel.dll, smdiagnostics.dll, servicemonikersupport.dll

The file system.dll is also present in update MS13-004_Windows6.0-KB2742601-x64.msu at a higher version (i.e. 2.0.50727.4235).

So if MS13-004_Windows6.0-KB2742601-x64.msu is installed first on the system and after that
MS13-004_Windows6.0-KB2756919-x64.msu is installed, then internally, Microsoft does not install KB980842 from Windows6.0-KB2756919-x64.msu as the file is already at a higher version.

However, if we install first Windows6.0-KB2756919-x64.msu on machine and then we install
Windows6.0-KB2742601-x64.msu on machine then MBSA is not showing in that case as required.

Hence, even if MBSA shows the update as not installed on the machine, the system is not vulnerable.

Thanks,
Amol

Kada's picture

Thanks for update.
I did check the Windows Update log and MS13-004_Windows6.0-KB2756919 was installed before MS13-004_Windows6.0-KB2742601.
I have found that KB976768 was installed when I did manually install KB2756919. There was not any message that patch is not applied to the System, I was able to install it manually.
So it seems from some reason KB976768 was not installed within KB2756919.
I am attaching the log from that time.
I will try to ask customer to have one more machine where MBSA report says it is vulnerable.

AttachmentSize
WindowsLog.txt 268.35 KB