3 Replies Latest reply on May 13, 2008 4:52 PM by oprzybylski

    PATCH MANAGER OFFICE-SCAN Vulnerability

    Apprentice

       

      What is the purpose of it? It is not documented anywhere

       

       

        • 1. Re: PATCH MANAGER OFFICE-SCAN Vulnerability
          zman Master

           

          It is a dependency for all office patches (This content will scan for Office vulnerabilities.). 

           

           

          Here is the XML for OFFICE-SCAN

           

           

          <?xml version="1.0"?>
          <Vulnerability xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Lang="INTL" Vul_ID="OFFICE-SCAN" Revision="9">
            <Status>Enabled</Status>
            <Patches>
              <Patch Download="DManual" Silent="CRSYes" Reboot="RNo" UniqueFilename="" Hash="" Size="0">
                <Name>OfficeScan</Name>
                <Advanced>
                  <DetectScript>Dim hash
          Dim hash2
          
          Const DllFilename = "LANDeskScan.dll"
          Const DataFilename = "LANDeskScanData.zip"
          
          Main()
          
          Function Main()
              hash = GetFileHashCore(DllFilename)
              hash2 = GetFileHashCore(DataFilename)
          
              Dim path
          
              path = ReadRegValue("HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\vulscan.exe\")
              if Len(path) = 0 Then
                  path = GetAppDataDir
              else
                  lastSlash = InStrRev(path, "\")
                  if lastSlash > 0 Then
                      path = Left(path, lastSlash)
                  End If
              End If
          
              Dim path2
              path2 = path & DataFilename
              path = path & DllFilename
          
              Dim localhash
              Dim localhash2
              localhash = GetFileHashLocal(path)
              localhash2 = GetFileHashLocal(path2)
          
              Dim corename
              corename  = GetCoreName()
              if Len(corename) < 1 Then
                  Report False,  "", "Unable to get core server name from vulscan.exe.  It must be patched with CR81410.", "Vulscan.exe must be updated with patch for CR81410."
                  Log "Unable to get core server name from vulscan.exe.  It must be patched with CR81410. " & "Vulscan.exe must be updated with patch for CR81410."
                  Exit Function
              End If
          
              Dim source
              source = "http://" & corename & "/ldlogon/" & DllFilename
          
              Dim source2
              source2 = "http://" & corename & "/ldlogon/" & DataFilename
          
              Dim succeeded
              Dim alreadyReported
              alreadyReported = False
              if localhash = hash Then
                  succeeded = True
              Else
                  succeeded = DownloadFile(source, path, hash)
                  if succeeded Then
                      Log "Downloaded  " & path
                  Else
                      Log "Warning: Failed to download " & path
                  End If
              End If
          
              if localhash2 <> hash2 Then
                  succeeded2 = DownloadFile(source2, path2, hash2)
                  if succeeded2 Then
                      Log "Downloaded " & path2
                  Else
                      Log "Warning: Failed to download " & path2
                  End If
              End If
          
              If succeeded Then
                  result = CreateProcess("regsvr32.exe", "/s " & Chr(34) & path & Chr(34), True)
                  If result <> 0 Then
                      Report False,  "", "Unable to register LANDeskScan.dll", "Unable to verify scanner existence."
                      Log "Unable to register LANDeskScan.dll. " & "Unable to verify scanner existence."
                      alreadyReported = True
                  End If
              Else
                  Report False,  "", "Unable to download " & source , "Unable to verify scanner existence."
                  Log "Unable to download " & source & ". Unable to verify scanner existence."
                  alreadyReported = True
              End If
          
              Dim hlpr
              on error resume next
              Err.Clear
              set hlpr = CreateObject("LANDeskOfficeScan.LANDeskOfficeScanEn.1")
              if Err.number <> 0 Then
                  if Not alreadyReported Then
                      Report False,  "", "Unable to create object LANDeskOfficeScan.LANDeskOfficeScanEn.1", "Unable to scan."
                      Log "Unable to create object LANDeskOfficeScan.LANDeskOfficeScanEn.1. " & "Unable to scan."
                  End If
              Else
                  Log "created the hlpr instance ok"
          
                  if Not hlpr.Scan() then
                      Report False,  "", "Unable to execute Scan", "Unable to scan."
                      Log "Unable to execute Scan. " & "Unable to scan."
                  end if
          
              End If
          End Function
          
          
          
          Function GetCoreName()
              Dim val
              GetCoreName = CoreServerName
              if Len(GetCoreName) > 0 Then
                  Log "obtaining core server name " & GetCoreName & " from scriptable interface."
                  Exit Function
              End If
              Const strKeyPath = "HKLM\Software\Intel\LANDesk\LDWM\CoreServer"
              val = ReadRegValue(strKeyPath)
              GetCoreName = val
          End Function
          
          
          Function GetAppDataDir()
              GetAppDataDir = ReadRegValue("HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData")
              if Len(GetAppDataDir) > 0 Then
                  GetAppDataDir = GetAppDataDir & "\vulscan\"
              End If
          End Function</DetectScript>
                  <DetectScriptDescription />
                </Advanced>
                <Comments />
                <URL />
                <State>Enabled</State>
                <Files />
                <RegKeys />
                <Products />
                <Platforms>
                  <ID>win2k</ID>
                  <ID>winxp</ID>
                  <ID>win2k3</ID>
                  <ID>winxp-x64</ID>
                  <ID>win2k3-x64</ID>
                  <ID>winvista</ID>
                  <ID>winvista-x64</ID>
                </Platforms>
                <UninstallInfo>
                  <canBeUninstalled>false</canBeUninstalled>
                  <requiresOriginalPatch>false</requiresOriginalPatch>
                  <Files />
                  <RegKeys />
                  <Cmds />
                </UninstallInfo>
                <CustVars />
                <Cmds />
              </Patch>
            </Patches>
            <DependsOn />
            <PublishDate>2007-01-09T19:00:00.0000000-05:00</PublishDate>
            <Title>Office Vulnerability Scan</Title>
            <Description>This content will scan for Office vulnerabilities.</Description>
            <Summary />
            <Severity>5</Severity>
            <Vendor>LANDesk</Vendor>
            <MoreInfoURL />
            <FAQURL />
            <Type>Vulnerability</Type>
            <Groups />
          </Vulnerability>
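
Added example, not part of the original post and not LANDesk's own tooling: because the definition is otherwise undocumented, a short Python pass over the exported XML can summarise what its detection script does on the client (plain-HTTP fetches, file downloads, process launches, COM objects). The sample XML is constructed and abbreviated from the listing above; `audit_definition`, `CHECKS`, the finding names and the reading of the empty `Hash`/`UniqueFilename` attributes are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: abbreviated from the OFFICE-SCAN listing, "&" escaped for XML.
SAMPLE = '''<?xml version="1.0"?>
<Vulnerability Lang="INTL" Vul_ID="OFFICE-SCAN" Revision="9">
  <Patches>
    <Patch Download="DManual" UniqueFilename="" Hash="" Size="0">
      <Name>OfficeScan</Name>
      <Advanced><DetectScript>Const DllFilename = "LANDeskScan.dll"
source = "http://" &amp; corename &amp; "/ldlogon/" &amp; DllFilename
succeeded = DownloadFile(source, path, hash)
result = CreateProcess("regsvr32.exe", "/s " &amp; Chr(34) &amp; path &amp; Chr(34), True)
set hlpr = CreateObject("LANDeskOfficeScan.LANDeskOfficeScanEn.1")
</DetectScript></Advanced>
    </Patch>
  </Patches>
  <Title>Office Vulnerability Scan</Title>
</Vulnerability>'''

# Hypothetical finding names mapped to calls that appear in the script above.
CHECKS = {
    "plaintext_http": re.compile(r'"http://', re.I),
    "downloads_file": re.compile(r'\bDownloadFile\s*\(', re.I),
    "starts_process": re.compile(r'\bCreateProcess\s*\(\s*"([^"]+)"', re.I),
    "creates_com_object": re.compile(r'\bCreateObject\s*\(\s*"([^"]+)"', re.I),
}

def audit_definition(xml_text):
    """Summarise what each <Patch> in a vulnerability definition does on the client."""
    root = ET.fromstring(xml_text)
    report = {"id": root.get("Vul_ID"), "revision": root.get("Revision"),
              "title": root.findtext("Title", ""), "patches": []}
    for patch in root.iter("Patch"):
        script = patch.findtext("Advanced/DetectScript", "")
        findings = {}
        for name, rx in CHECKS.items():
            hits = rx.findall(script)
            if hits:
                findings[name] = hits
        report["patches"].append({
            "name": patch.findtext("Name", ""),
            # Assumption: empty UniqueFilename and Hash mean no patch file is attached.
            "payload_declared": bool(patch.get("UniqueFilename") or patch.get("Hash")),
            "findings": findings,
        })
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(audit_definition(SAMPLE), indent=2))
```
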

           

           

           

          • 2. Re: PATCH MANAGER OFFICE-SCAN Vulnerability
            phoffmann SupportEmployee

            In addition to what zman said - some vulnerabilities are too complex or for other reasons need more intelligence to detect them beyond "file X must be version Y" or "Registry key Z must be value BLAH". This is what scripts are used for - Office is a perfect example of a rather complex vulnerability, but various AV-related vulnerabilities use scripts as well.

             

            In short, we use scripts to be able to provide more sophisticated logic to the detection mechanisms as required.

             

            Paul Hoffmann

            LANDesk EMEA Technical Lead.

            1 of 1 people found this helpful
            • 3. Re: PATCH MANAGER OFFICE-SCAN Vulnerability
              Apprentice

               

              My OFFICE-SCAN vulnerability is being detected on 50 machines, but I cannot repair it. There is no patch attached to it, and I cannot put it in autofix.

               

               

              What do I do so that those 50 machines get rid of that vulnerability?

               

               

              This will be very helpful as any of my Office patches is missing on at least 50 machines even after intensive deployment and a policy-based push for more than 5 months

               

               

              This is making my patch stats look bad  :_|

               

               

              Olivier