This content has been marked as final. Show 6 replies
Detection issues with MSWU-509 will be fixed in next XML release. Scheduled to be released on 5/12/11
How about the Office Compat Pack 2007 issues?
Looks like this XML is checking for MS11-036 on Office Compatibility Pack 2007 SP2, so that was a false alarm. However, it isn't checking for MS11-036 on Office 2003.
Also, MS11-023 on Office Compatibility Pack 2007 SP2 still seems unneeded.
Looks like MS11-036 is considered effectively installed if you have already installed KB2543241. This goes to my other forum post about whether they are essentially the same hotfix with different packaging. I guess Shavlik has concluded they are.
My question about MS11-023 remains. (Issue present in latest XML .)
So, are you planning to fix the problem with MS11-023 being shown as missing for Office Compatibility Pack 2007 SP2? The security bulletin clearly shows "Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2" under Non-Affected Software.
The reason we check for MS11-023 with the Compatibility Pack, is because the vulnerable code is present on the system, and the patch will apply and fix the vulnerable code.
Microsoft lists the Compatibility Pack as unaffected because the codepath is not executed from the software. However, for Defense in Depth, because the code exists, and the patch will fix it, we show the patch as applicable.
Microsoft does the same; from their website:
I have a non-vulnerable version of software installed, why am I being offered this update?
Some non-affected software, including Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Word Viewer, Microsoft Excel Viewer, and Microsoft PowerPoint Viewer, contain the vulnerable shared component of Microsoft Office, but because they do not access the vulnerable code, they are not affected by this vulnerability. However, since the vulnerable code is present, this update will be offered.