Date: Wed, 15 Feb 2006 10:07:36 -0800
From: "Brian Boner" <BBoner@tbgfinancial.com.>
To: <bugtraq@securityfocus.com.>, <vuldb@securityfocus.com.>
Subject: Bugs/Security issues with PatchLink's Update Server
Security Focus,

I have been reporting issues to PatchLink Support for two years now with little or no resolution on most of the things I find. Because they are such a large patch management platform I think it is important that they be responsible for their coding practices. But even trying to work with the company directly, they are not fixing the issues that have plagued their system for a long time now, including fundamental flaws in vulnerability detection.

For each entry, I am including my internal tracking number, then their ticket number if one was generated, and then a short text about the issue. As an example:

PatchLink Issue #10 - #8712 - Adding Domain users causes the Status screen to display unexpected text.

The 10> is my tracking number & #8712 is a ticket with PatchLink Support. So if you ever needed the e-mail trail, I'd be happy to forward it to you. All I would need is my tracking number. I've recorded all calls & e-mails in my tickets.

I am going to add all relevant tickets/issues I have with Update Server. Use what you deem appropriate. Since this is my first time writing to a company/forum like this, could you please let me know what happens next to the information I provide in this e-mail? As an example, where would I go to see what your company has published?

My company uses:
PLUS (PatchLink Update Server) version: 6.2.0.189
Update Agent version: 6.2.0.181
The PLUS server is joined to a domain.
10> Opened 2004/08/04 - Closed xxxx/xx/xx - #8712 - Adding Domain users causes the Status screen to display unexpected text.
Note: This issue is about the gibberish that returns when granting domain users access to the application. When adding more than one person, the wizard grants individuals to the incorrect roles/groups. This wizard does not work properly. It can grant some users more access than the admin intended.

30> Opened 2005/01/13 - Closed xxxx/xx/xx - #8716 - How machines appear in the patched status for the most current service packs as well as previous service packs.
Note: This issue is the fact that the Update Server application does incorrect counting. As an example, and this happens for sure with Windows & the Novell Client: if you had 10 Windows 2000 Professional machines with Service Pack 4, 8 Windows 2000 Professional machines with Service Pack 3, 6 Windows 2000 Professional machines with Service Pack 2 & 4 Windows 2000 Professional machines with Service Pack 1... you would receive the following report:
Windows 2000 Professional machines with Service Pack 1 = 28 (4 + 6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 2 = 24 (6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 3 = 18 (8 + 10)
Windows 2000 Professional machines with Service Pack 4 = 10 (10)
35> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Security issue, granting one drop-down menu will give all drop-down menus within the inventories.
Note: The Inventory section of Update Server consists of 4 sub-sections: Operating Systems, Software, Hardware & Services. Operating Systems is the default page. In the administration portion of Update Server I can individually grant & revoke access to these pages to a role. Yet the application does not work the way it should. If Operating Systems is revoked but any of the other options are allowed, the end-user will not gain access to the Inventories section because Operating Systems is always the default. Additionally, if Operating Systems is allowed and one of the other options, then access to all 4 will be allowed.

36> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Missing the option to grant Mandatory pages to roles.
Note: Within the admin/option portion of the application, the Mandatory page cannot be granted or revoked from a user. All other pages for a group are controllable.

40> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: List applications that ARE installed on a server.
Note: This patch management product cannot display what products ARE installed. In a comparison with Shavlik's HFNetChk, that product can tell you which version of MDAC is installed as well as any other product HFNetChk can patch; Update Server, on the other hand, cannot.

43> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: In the deploy wizard, use hierarchical grey check boxes.
Note: I thought this one might be useful to add to this list. If it isn't, disregard it. Many mistakes have been & can be made because there are long lists of patches and each company must be checked in certain situations. I offered this suggestion as a product enhancement.

44> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB832414 (as 823490). This is for MSXML 2.6.
Note: Update Server does not support the latest service pack for MSXML 2.6. This leads companies to a false sense of security.

45> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB887606. This is for MSXML 2.6, MSXML 3.0 Service Pack 3 & MSXML 4.0.
Note: This request is to add a hotfix patch.

46> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: Have a logout feature.
Note: This product does not have a log out feature. As an example: if two sessions of Internet Explorer are open, one to the PLUS server & another to www.msn.com, and the user then closes the window to the PLUS server & leaves the workstation unlocked, a second user can walk up, press CTRL-N on the www.msn.com window and gain access to the PLUS server if they type the URL in the browser's address bar.
47> Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Why doesn't Adobe Acrobat and patches uninstall when I choose that option in the baseline?
Note: The PLUS server cannot uninstall Adobe Acrobat even though it is an option on the patch.

49> Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Tim & I believe that MS04-030 has a PatchLink pop-up that can be removed for Win2k and possibly WinXP.
Note: This patch does not act silently when the option to do so is set. I have been unable to test this patch for a long time now.

51> Opened 2005/10/26 - Closed xxxx/xx/xx - #001-00-006110 - 'Novell 2971589 Novell Client 4.91 Update 'A'' is automatically restarting workstations and there are no event logs of the install.
Note: The deployment of this patch automatically restarts clients when the option to not do so is set. Additionally it seems that the Novell patch does not add any events to the Application Event Log.

52> Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006346 - SQL Server Desktop Engine (MSDE) 2000 SP4 not detected for all SQL installations (total missing = 7).
Note: Update Server has absolutely no way of detecting non-default installations of MSDE & SQL Server. This leads to a false sense of security, especially if this is your only patch management solution. Additionally PatchLink does not publish this limitation to the public.

53> Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006347 - HFNetChkPro detects that MDAC 2.8 SP1 is needed for JMCGUIRE. Update Server says it is installed.
Note: Update Server cannot correctly detect the need to install this patch. I had a machine that had MDAC 2.8 SP1 but somehow one or two files had been replaced by older versions. HFNetChk detected this situation but Update Server said the machine was patched.

55> Opened 2005/11/03 - Closed xxxx/xx/xx - #001-00-007183 - Feature Enhancement: Add 'Idle' & 'Working' to "Computers" "Status" drop-down.
Note: I consider this a bug. In the Computers section, 5 options are allowed in the "Status" drop-down (--- All *-, Enabled, Sleeping, Offline, Disabled). Yet in the Status column, which this is associated with, there are 5 possibilities (Idle, Offline, Working, Sleeping & Disabled).

57> Opened 2005/11/08 - Closed xxxx/xx/xx - #001-00-006499 - Outlook 2003 Junk E-mail Filter Update KB906173 (October 2005) is being offered to machines that have Outlook 2003 installed, while Windows/Microsoft Update offers this patch to any machine with Office 2003 installations that do not have Outlook 2003 installed.
Note: I don't know why PatchLink as a company wouldn't add this patch or mimic the way Microsoft detects it with Windows Update or Microsoft Update. They have refused to add this. I am quite positive that it is due to the fundamental flaws with the detection engine Update Server uses. I also assume that if Office 2003 is installed on a machine without Outlook, Windows/Microsoft Update will still install the patch in anticipation of Outlook being added (or something like that).

58> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007041 - Product Enhancement: Add sorting by red R & green C column.
Note: I consider this a bug. All other columns are sortable, why not this one? I use it all the time to try to differentiate between machines that need a restart & those that don't.

60> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007186 - Request Microsoft XML Parser (MSXML) 2.6 SP3 to be added to the database.
Note: PatchLink seems to no longer be supporting a product they already support. They do not offer the latest service pack for this application. They do offer prior service packs. This can lead companies into a false sense of security.
61> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007042 - BUG: When hovering over a machine's icon while in a Mandatory Baseline for a user-created group when an assigned patch has been expanded, the date & time of the last connection are not available.
Note: This is a self-explanatory bug.

62> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007073 - Typo: Extra space in MS05-031 text string
Note: The text for all patches but this one is exactly the same whether viewed from a web page OR from the Export of a mandatory baseline. I use the Exports to show configuration changes. But when I use an exported spreadsheet & I copy a cell with a patch name and then paste it into the find window box of Internet Explorer when I am in the section to add or remove patches from a baseline... the pasted text does not match the name in the list. This is not an Internet Explorer issue because the extra space is in the middle of the text. PatchLink Support is refusing to add a (Rev 2) to this patch like they have done with other patches.

63> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007074 - Issue with MPSB05-07 Flash Player 7 patch & Update Server's deployment
Note: This is a really big issue I have with PatchLink as a company. When this patch came out (http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html) PatchLink as a company decided to not offer the patch that fixed this situation. Macromedia offers this patch as well (http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33). Instead PatchLink packaged Macromedia's Flash Player 8 as the patch that fixed Flash Player 7. They did note this in their Description. But if you install their patch, vulnerable files still exist on the client that was "patched". It is impossible to patch the vulnerable Flash Player 7 files using Update Server. I have issues because they made a decision to patch a product with a new version of the application. I have issues with PatchLink because this issue was raised to them and they have done nothing about this. I have issues with their naming scheme because the patch name suggests that it will patch Flash Player 7 when it doesn't do this at all.
Note: In prior upgrades of Flash Player the old version was removed. When Flash Player 8 came out, this no longer happened.

64> Opened 2005/12/16 - Closed xxxx/xx/xx - #001-00-007528 - Trying to figure out why SQL Server patches are reported as missing
Note: From PatchLink: This is a known issue. A missing registry key produces a false negative.

Well there you have it. I hope that these qualify as bugs & security vulnerabilities that can benefit bugtraq. So as I asked before, could you let me know what is going to happen to this information now that you have it? Could you give me a URL that shows me where this information went to?
Regards,
Brian Boner
Sr. Systems Administrator
TBG Financial
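Item 35 in the post above describes a grant on one Inventory sub-page unlocking the others, and a revoked default page blocking the whole section. The following added illustration (not PatchLink code; only the four sub-section names come from the post, every function and data name is constructed) models that reported behaviour beside a per-page check, and computes the over-grant an access review would flag:

```python
"""Model of the Inventory sub-page authorization flaw described in item 35.

Added illustration, not PatchLink code: the sub-section names are from the
post; the grant model and all function names are constructed for this example.
"""
from typing import Callable, FrozenSet, Optional

INVENTORY_PAGES = ("Operating Systems", "Software", "Hardware", "Services")
DEFAULT_PAGE = INVENTORY_PAGES[0]  # per the post, Operating Systems is always the default


def reported_resolve(granted: FrozenSet[str], requested: str) -> Optional[str]:
    """Behaviour as reported: the whole section is gated on the default page only.
    Returns the page served, or None when access is refused."""
    if DEFAULT_PAGE not in granted:
        return None  # default page revoked: section unreachable, whatever else is granted
    if len(granted) == 1:
        return requested if requested == DEFAULT_PAGE else None
    return requested  # default page plus any other grant: all four pages are served


def per_page_resolve(granted: FrozenSet[str], requested: Optional[str] = None) -> Optional[str]:
    """Least-privilege alternative: each sub-page is checked against its own grant,
    and the landing page is the first granted sub-page rather than a fixed default."""
    allowed = [p for p in INVENTORY_PAGES if p in granted]
    if not allowed:
        return None
    if requested is None:
        return allowed[0]
    return requested if requested in granted else None


Resolver = Callable[[FrozenSet[str], str], Optional[str]]


def effective_pages(resolver: Resolver, granted: FrozenSet[str]) -> FrozenSet[str]:
    """Sub-pages a role can actually reach under the given resolver."""
    return frozenset(p for p in INVENTORY_PAGES if resolver(granted, p) == p)


def over_grant(granted: FrozenSet[str]) -> FrozenSet[str]:
    """Pages reachable under the reported behaviour that were never granted:
    the gap an access review of the role should flag."""
    return effective_pages(reported_resolve, granted) - granted


if __name__ == "__main__":
    role = frozenset({"Operating Systems", "Services"})  # constructed sample role
    print("reported:", sorted(effective_pages(reported_resolve, role)))
    print("per-page:", sorted(effective_pages(per_page_resolve, role)))
    print("over-grant:", sorted(over_grant(role)))
```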