7 Replies Latest reply on Mar 12, 2009 7:08 PM by XLANDMark

    Patch listed with wrong severity?

    Apprentice

      I have noticed several patches that have an N/A severity listing with LANDesk, but a High severity with Microsoft. Can anyone explain?

      960715 - Microsoft Security Advisory: Update Rollup for ActiveX Kill Bits
      LANDesk=N/A
      WindowsUpdate=High Priority, Non-Security, Update Rollups

       

      967715 - New How to correct "disable Autorun registry key" enforcement in windows
      LANDesk=N/A
      WindowsUpdate=High Priority, Non-Security

       

      959209 - Microsoft .NET Framework 3.5 Family Update (KB959209)
      LANDesk=N/A
      WindowsUpdate=High

       

      951847 - Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update
      LANDesk=N/A
      WindowsUpdate=Service Pack

       

      955839 - December 2008 cumulative time zone update for Microsoft Windows OS'
      LANDesk=N/A
      WindowsUpdate=?

        • 1. Re: Patch listed with wrong severity?
          mrspike SSMMVPGroup

          Jeremiah,

           

          This has caused some concern for me as well, I do not have all of the answers but will offer what I know, and what I think.

           

          What I know:

           

          On 960715 in the FAQ from MS it states:

          Why does this advisory not have a security rating associated with it?
          This update contains kill bits for third-party controls not owned by Microsoft. Microsoft does not provide a security rating for vulnerable third-party controls.

           

          So while MS thinks this is of high concern it is not rated with a security severity.

           

          I had looked that one up a few months back on an earlier version.

           

          Now, for what I think:

           

          I have found that if you run Windows Update you will oftentimes find items in the Important or High section that are not always security issues, but may be stability, etc. fixes that are important from that standpoint, but are not always important for security.

           

          The .Net service packs are in this category; they are service packs that fix known issues, may add additional features, etc., but are not critical to the security of a system.


          I hope that helps.  We have a policy here to review each patch (as best we can) despite its security rating to determine if we should apply it. We have chosen to install the Active X patches (though it is known to affect some applications we do not use here).

           

          From time to time, I will build a new system, patch it with LANDesk for all MS Low - Critical rated patches and then I will use Windows Update to see what I "missed" and determine if we should add those to our baseline.

           

          It sometimes freaks a desktop tech out when they run Windows Updates and they see "high" patches in there, though we may have determined that we do not want to install them, etc.

           

          James
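A way to do the comparison James describes (tool severity vs. the vendor's label, with "High Priority, Non-Security" treated as a deployment priority rather than a security rating), as an added example that is not part of the original thread or any LANDesk code. The label parsing and the rating scale are assumptions; the sample rows are constructed from the labels quoted above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed ordinal scale for security severity labels seen in the thread.
SEVERITY_RANK = {"low": 1, "medium": 2, "moderate": 2, "important": 3,
                 "high": 3, "highly critical": 4, "critical": 4}
# Vendor labels that describe patch type or priority, not a security rating.
NON_SECURITY = {"non-security", "service pack"}


@dataclass
class PatchRating:
    kb: str
    tool: str    # severity shown by the patch-management tool (e.g. LANDesk)
    vendor: str  # severity or priority label shown by the vendor


def parse_label(label: str) -> Tuple[str, Optional[int]]:
    """Classify a raw label as ('security', rank), ('non-security', None)
    or ('unknown', None). 'High Priority, Non-Security' is non-security:
    Windows Update marks it high *priority* but gives no security rating."""
    tokens = [t.strip().lower().replace(" priority", "") for t in label.split(",")]
    if any(t in NON_SECURITY for t in tokens):
        return "non-security", None
    ranks = [SEVERITY_RANK[t] for t in tokens if t in SEVERITY_RANK]
    return ("security", max(ranks)) if ranks else ("unknown", None)


def classify(p: PatchRating) -> str:
    """Explain the gap between the tool's rating and the vendor's label."""
    tool_kind, tool_rank = parse_label(p.tool)
    vendor_kind, vendor_rank = parse_label(p.vendor)
    if vendor_kind == "non-security":
        return "non-security"      # priority/type label only: review by hand
    if vendor_kind == "unknown":
        return "unknown"           # vendor gives nothing usable either
    if tool_kind != "security":
        return "tool-missing"      # vendor rates it, tool shows N/A
    if tool_rank < vendor_rank:
        return "tool-understated"  # e.g. vendor critical, tool medium
    return "consistent"


def review(ratings) -> dict:
    return {p.kb: classify(p) for p in ratings}


# Constructed sample built from the labels quoted in this thread.
SAMPLE = [
    PatchRating("960715", "N/A", "High Priority, Non-Security, Update Rollups"),
    PatchRating("959209", "N/A", "High"),
    PatchRating("951847", "N/A", "Service Pack"),
    PatchRating("955839", "N/A", "?"),
    PatchRating("FlashPlayer", "Medium", "Critical"),
]
```

Rows marked "tool-missing" or "tool-understated" are the ones worth raising with the vendor of the patch tool; "non-security" rows go through the manual review James describes.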

          • 2. Re: Patch listed with wrong severity?
            Rookie

            Hello,

             

            I’m a bit confused about security because if I check on the Adobe Flash Player it is rated on the Secunia website as “highly critical”, on the Adobe website as “critical”, and on LANDesk as “medium”.


            Images from Secunia (secunia_flash.jpg), Adobe (Flash_info.jpg) and LANDesk (landesk_flash.jpg).


            How can we explain that ?

             

            Fbo

            • 3. Re: Patch listed with wrong severity?
              mrspike SSMMVPGroup

              The ADOBERD9v9.1.0_ENU (Adobe Reader) is wrong as well; it is more than critical, but rated medium.

               

              I have sent this and the Flash Player ones to our TAM who is quick about getting these issues resolved.

              • 4. Re: Patch listed with wrong severity?
                XLANDMark SupportEmployee

                The severity levels for the Adobe vulnerability definitions listed above have been updated to reflect the severity ratings assigned by Adobe. Please redownload content to obtain the updated Adobe vulnerability definitions with the correct severity settings.

                 

                Thanks,

                Mark A

                • 5. Re: Patch listed with wrong severity?
                  Rookie

                  Mark A,

                   

                  Thanks, now the FlashplayerV10 and ADOBERD9v9.1.0 are rated as critical, but not the previous version.

                  How do you explain that?

                  Based on the Adobe website ALL versions of the reader have been impacted.

                   

                  Thanks for your help.

                  fbo

                  • 6. Re: Patch listed with wrong severity?
                    mrspike SSMMVPGroup

                    Adobe has not released patches for versions earlier than 9 at this point; they said those would be coming soon.

                    • 7. Re: Patch listed with wrong severity?
                      XLANDMark SupportEmployee

                      fbo,

                       

                      According to the Adobe site they will provide the fix for 7 and 8 next week.

                       

                      From Adobe security bulletin:

                       

                      Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18.

                      A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates

                      for Adobe Reader 7 and 8, and Acrobat 7 and 8, are available.

                       

                      http://www.adobe.com/support/security/advisories/apsa09-01.html

                       

                      -Mark A