Patch Management Solution

  • 1.  Symantec Patch Management may not detect MS15-101[KB3074543]

    Posted Oct 02, 2015 06:29 PM

    Symantec Patch Management may not detect the following vulnerability.

    MS15-101: Description of the security update for the .NET Framework 3.5.1 on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: September 8, 2015

    On the same system, Microsoft Security Base Analyser 2.3 and Qualys both detect this vulnerability.

    This could be caused by the .NET 3.5.1 feature not being installed, but the files residing on the hard drive.



  • 2.  RE: Symantec Patch Management may not detect MS15-101[KB3074543]

    Posted Oct 06, 2015 05:56 PM

    Reviewed the IsApplicable=TRUE rule logic; confirmed targeting is in order as outlined per MS15-101.

    Ensure that the vulnerable version of .NET is installed to at least 4.5, 4.5.1, 4.5.2 & 4.6 per Microsoft linked above.

    Please review MBSA targeting with Microsoft for it appears there is a discrepancy with what has been outlined as vulnerable target logic for this Software Update and what their tool is checking.

    This is documented on TECH232960.



  • 3.  RE: Symantec Patch Management may not detect MS15-101[KB3074543]

    Posted Oct 07, 2015 11:49 AM

    We have confirmed that Symantec Management Platform is targeting incorrectly for MS15-101.

    1. Installed Windows Server 2008 R2 SP1 with no network connection. This is out-of-box. No updates or features applied.
    2. Verified the version of System.Drawing.dll (2.0.50727.5420)
    3. Downloaded Windows6.1-KB3074543-x64.msu.
    4. Successfully executed Windows6.1-KB3074543-x64.msu (update installed).
    5. Successfully executed Windows6.1-KB3074543-x64.msu (update already installed message presented).
    6. Verified the version of System.Drawing.dll (2.0.50727.5492)

    If a vendor patch changes something on the system, it IS applicable. Wouldn't this point to an incorrect applicability rule?

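The manual check in post 3 (is the hotfix registered, and what version of System.Drawing.dll is on disk) as an added PowerShell example; this is not code from the thread or from Symantec. It assumes the usual .NET 2.0 GAC path on Windows 7 SP1 / Server 2008 R2 SP1 x64 and uses the version numbers observed in post 3, so an administrator can compare a host's actual state against what the patch console reports for MS15-101.

```powershell
# Added example, not from the thread. Local applicability check for KB3074543
# based on the two indicators post 3 used: hotfix registration and the file
# version of the .NET 2.0 System.Drawing.dll that the update replaces.
# Assumption: the GAC path below is the standard location on Win7 SP1 / 2008 R2 SP1.
param(
    [string]$KB = 'KB3074543',
    [string]$DrawingDll = "$env:windir\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll",
    [version]$PatchedVersion = '2.0.50727.5492'   # version seen after install in post 3
)

function Get-DllVersion([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry a branch suffix.
    return New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-MS15101State {
    $hotfix     = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    $dllVersion = Get-DllVersion $DrawingDll
    # The file being on disk is what counts; the .NET 3.5.1 feature need not be
    # enabled for the binary to be present (the situation described in post 1).
    $fileOutdated = ($null -ne $dllVersion) -and ($dllVersion -lt $PatchedVersion)

    # New-Object/-Property keeps this runnable on the PowerShell 2.0 that ships with 2008 R2.
    New-Object PSObject -Property @{
        Host             = $env:COMPUTERNAME
        KB               = $KB
        HotfixRegistered = [bool]$hotfix
        DllPresent       = ($null -ne $dllVersion)
        DllVersion       = $dllVersion
        # "Applicable" in the sense post 3 uses it: installing the update would change this file.
        Applicable       = $fileOutdated
    }
}

Test-MS15101State | Format-List Host, KB, HotfixRegistered, DllPresent, DllVersion, Applicable
```

A host reporting Applicable = True while the console shows nothing for MS15-101 is exactly the documentation-versus-bits discrepancy the later posts argue over.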


  • 4.  RE: Symantec Patch Management may not detect MS15-101[KB3074543]

    Posted Oct 07, 2015 12:01 PM

    Agreed, the MS15-101 article does not state things that are in line with what actually happens with the update. But it is clearly visible that the patch can be applied to the system and does change files.

    I would also suggest not to use logic as produced by an article. Instead, test the update on the system the consumer is using. It took me less than 10 minutes to spin up an out-of-box VM to prove the patch is applicable.

    Please correct TECH232960.



  • 5.  RE: Symantec Patch Management may not detect MS15-101[KB3074543]

    Posted Oct 07, 2015 12:59 PM

    It is the public documentation from the vendor that determines the rule logic target for updates. In this case MS15-101 details that .NET 2.0 is 'Not Applicable' and will not be targeted by Software Updates bundled in MS15-101 per Microsoft.

    Unfortunately, development isn't able to test every version of a Software if the vendor publication doesn't document the vulnerability, and if a test of the update does install on a version not documented by the vendor for IsApplicable, Patch Management Solution cannot modify the rule to include that version for IsApplicable=TRUE as it is not technically supported per the vendor's publicized documentation.

    To reiterate, Patch Management Solution will only target what the vendor publicly documents as applicable.

    In this case, the vendor, Microsoft, needs to advise why the documentation doesn't show that .NET 2.0 is targeted and modify the article, or they need to modify the rule logic for targeting IsApplicable=TRUE in MBSA.

    Please review with Microsoft to obtain their official response regarding MS15-101 targeting.

    If Microsoft modifies the rule logic to target MS15-101 to update .NET 2.0, the targeting rule logic will be revised for MS15-101 in Patch Management Solution and TECH232960 will be updated.



  • 6.  RE: Symantec Patch Management may not detect MS15-101[KB3074543]

    Posted Oct 07, 2015 02:50 PM

    Documentation can include different types of media, such as an article or downloadable files (MSUs, pictures, videos, etc.). Documentation cannot be only verbiage. In this case, Microsoft provided an article that included the patches.

    From your explanation, is it correct to say that Symantec Patch Management rules are not based on the bits and bytes changed by the actual patch, but instead on the verbiage used in their documentation only?

    Can you confirm the same?

    Thank you, in advance.