1 Reply Latest reply on Nov 22, 2011 3:53 PM by historicalshavlikemployee

    MS11-004 Detection Logic

      Dear Shavlik Staff and community members,

      I would like to know if someone faced the same issues.

      I have a couple Windows 2008 R2 Service Pack 1 servers in my environment.

      Only one of them has IIS's FTP Service installed.

      For that one, Shavlik properly detects that the patch is Missing because the DLL version existing on the server is older than the version expected for a patched server:

      Item Class="Patch" BulletinID="MS11-004" BulletinTitle="Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)" SQNumber="Q2489256" BulletinUrl="http://www.microsoft.com/technet/security/bulletin/MS11-004.asp" Superseded="0" DownloadURL="" PatchName="Windows6.1-SP1-2008-R2-KB2489256-x64.msu" SeverityID="Important" Description="This security update resolves a publicly disclosed vulnerability in Microsoft Internet Information Services (IIS) FTP Service. The vulnerability could allow remote code execution if an FTP server receives a specially crafted FTP command. FTP Service is not installed by default on IIS." ShavlikPatchComment="" Status="Missing" Reason="File version is less than expected. [C:\Windows\system32\INETSRV\FTPCONFIGEXT.DLL 7.5.7600.14294 < 7.5.7601.17550]"

      For the remaining servers with the same operating system version and the same service pack level, Shavlik detects the patch as Effectively Installed, although the patch has never been installed and FTPCONFIGEXT.DLL doesn't even exist on the file system because, as I mentioned before, they do not have the FTP service installed.

      Item Class="Patch" BulletinID="MS11-004" BulletinTitle="Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)" SQNumber="Q2489256" BulletinUrl="http://www.microsoft.com/technet/security/bulletin/MS11-004.asp" Superseded="0" DownloadURL="" PatchName="Windows6.1-SP1-2008-R2-KB2489256-x64.msu" SeverityID="Important" Description="This security update resolves a publicly disclosed vulnerability in Microsoft Internet Information Services (IIS) FTP Service. The vulnerability could allow remote code execution if an FTP server receives a specially crafted FTP command. FTP Service is not installed by default on IIS." ShavlikPatchComment="" Status="EffectivelyInstalled" Reason=""

      The only location that a file called FTPCONFIGEXT.DLL exists on those servers is:
      c:\windows\winsxs\amd64_microsoft-windows-iis-ftpsvc_31bf3856ad364e35_6.1.7601.17514_none_a8911c01ac406d53\ftpconfigext.dll

      That file has the exact same version (7.5.7600.14294) as the file found on the server where Shavlik detected the patch as missing.

      Shouldn't the patch be considered Not Relevant for those servers instead of Effectively Installed? Is it just considering servers without the FTP service installed as patched (Effectively Installed)? If that is so, that would be a problem because: 1) for tracking purposes, the servers have never been patched and the tool is saying that they have; 2) if someone ever comes to install the FTP service on those servers, it will be running using an older DLL, therefore unpatched/vulnerable.

      XML version used: 2.0.0.1022

        • 1. Re: MS11-004 Detection Logic

          Generally, effectively installed means the scanner passed the affected product check but failed to find the associated file detection. In this case the patch is an OS patch, so the affected product is Windows Server 2008 R2. It then uses the file detection to determine if the patch is missing or installed. If it doesn't find it, then it says it's effectively installed. So if FTP is later enabled and the file is installed on the system, a rescan will then check the file version of the newly added file and will show the patch as missing. In short, the file detection is another form of dependency check. Hope that helps.
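The two-stage logic the reply describes (affected product check, then file version check, with "file not found" reported as Effectively Installed) can be reproduced locally so an administrator can see why each server gets the status it does. The script below is an added example written for this thread; it is not Shavlik's code and does not reflect how the scanner is implemented internally. It assumes the expected version 7.5.7601.17550 and the system32 path from the scan output in the original post, the 2008 R2 ServerManager feature name Web-Ftp-Server, and the winsxs component directory pattern from the post. Beyond the scanner's own behaviour, it adds the two outcomes the original poster asks about: NotRelevant when the FTP role is not installed, and a warning when the copy staged in winsxs is older than the patched version (which is what would get activated if the role were added later).

```powershell
# Added example, not Shavlik's code. Reproduces the detection logic described in the
# reply above and extends it with a role check and a winsxs staged-copy check.
# Assumptions: expected version and system32 path from the scan output in the post;
# feature name Web-Ftp-Server (Windows Server 2008 R2 ServerManager module).

$ExpectedVersion = [version]'7.5.7601.17550'
$LiveDll   = Join-Path $env:SystemRoot 'System32\inetsrv\ftpconfigext.dll'
$WinSxsDir = Join-Path $env:SystemRoot 'winsxs'

function Get-DllVersion([string]$Path) {
    # FileVersion as a string may carry a build tag; assemble the numeric parts instead.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-MS11004Detection {
    param([string]$DllPath = $LiveDll, [version]$Expected = $ExpectedVersion)

    # Stage 1: affected product. Windows Server 2008 R2 reports NT 6.1, ProductType 2 or 3.
    $os = Get-WmiObject Win32_OperatingSystem
    if (-not $os.Version.StartsWith('6.1') -or $os.ProductType -eq 1) {
        return New-Object psobject -Property @{ Status='NotApplicable'; Reason="OS $($os.Version) is not Server 2008 R2" }
    }

    # Stage 2: file detection on the live DLL.
    if (Test-Path -LiteralPath $DllPath) {
        $actual = Get-DllVersion $DllPath
        if ($actual -lt $Expected) {
            return New-Object psobject -Property @{ Status='Missing';
                Reason="File version is less than expected. [$DllPath $actual < $Expected]" }
        }
        return New-Object psobject -Property @{ Status='Installed'; Reason="[$DllPath $actual >= $Expected]" }
    }

    # File absent: the scanner reports EffectivelyInstalled. A stricter reading checks
    # whether the FTP role is present at all, and what version is staged in winsxs.
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $ftp = Get-WindowsFeature Web-Ftp-Server -ErrorAction SilentlyContinue
    $staged = Get-ChildItem -LiteralPath $WinSxsDir -Directory -Filter 'amd64_microsoft-windows-iis-ftpsvc_*' -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'ftpconfigext.dll' } |
              Where-Object { Test-Path -LiteralPath $_ }
    $stagedOld = $staged | Where-Object { (Get-DllVersion $_) -lt $Expected }

    if ($ftp -and -not $ftp.Installed) {
        $reason = 'FTP Service role not installed'
        if ($stagedOld) { $reason += "; staged copy older than expected: $($stagedOld -join ', ')" }
        return New-Object psobject -Property @{ Status='NotRelevant'; Reason=$reason }
    }
    New-Object psobject -Property @{ Status='EffectivelyInstalled'; Reason='file detection not found' }
}

Test-MS11004Detection | Format-List Status, Reason
```

On the servers from the post without the FTP role, this prints NotRelevant with the staged 7.5.7600.14294 copy listed in the reason, which is the tracking information the scanner's EffectivelyInstalled status hides; on the server with the role it reproduces the Missing line. Run it in an elevated PowerShell on each host, or wrap the call in Invoke-Command to collect results fleet-wide.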