SECURITYVULNS:DOC:11497
Bugs/Security issues with PatchLink's Update Server

2006-02-18 00:00:00
vulners.com
Security Focus,

I have been reporting issues to PatchLink Support for two years now with little or no resolution on most of
the things I find. Because they are such a large patch management platform I think it is important that they
be responsible for their coding practices. But even trying to work with the company directly, they are not
fixing the issues that have plagued their system for a long time now, including fundamental flaws in
vulnerability detection.
For each entry, I am including my internal tracking number then their ticket number if one was generated and
then a short text about the issue. As an example:
PatchLink Issue #10 - #8712 - Adding Domain users causes the Status screen to display unexpected text.
The 10> is my tracking number & #8712 is a ticket with PatchLink Support.
So if you ever needed the e-mail trail, I'd be happy to forward it to you. All I would need is my tracking
number. I've recorded all calls & e-mails in my tickets.

I am going to add all relevant tickets/issues I have with Update Server. Use what you deem appropriate.
Since this is my first time writing to a company/forum like this, could you please let me know what happens
next to the information I provide in this e-mail? As an example, where would I go to see what your company
has published?

My company uses:
PLUS (PatchLink Update Server) version: 6.2.0.189
Update Agent version: 6.2.0.181
The PLUS server is joined to a domain.

10> Opened 2004/08/04 - Closed xxxx/xx/xx - #8712 - Adding Domain users causes the Status screen to
10> display unexpected text.
Note: This issue is about the gibberish that returns when granting domain users access to the application.
When adding more than one person, the wizard grants individuals the incorrect roles/groups. This wizard
does not work properly. It can grant some users more access than the admin intended.

30> Opened 2005/01/13 - Closed xxxx/xx/xx - #8716 - How machines appear in the patched status for
30> the most current service packs as well as previous service packs.
Note: This issue is the fact that the Update Server application does incorrect counting. As an example, and
this happens for sure with Windows & the Novell Client, if you had 10 Windows 2000 Professional machines with
Service Pack 4, 8 Windows 2000 Professional machines with Service Pack 3, 6 Windows 2000 Professional
machines with Service Pack 2 & 4 Windows 2000 Professional machines with Service Pack 1… you would receive
the following report:
Windows 2000 Professional machines with Service Pack 1 = 28 (4 + 6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 2 = 24 (6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 3 = 18 (8 + 10)
Windows 2000 Professional machines with Service Pack 4 = 10 (10)

35> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Security issue, granting one drop-down menu
35> will give all drop-down menus with the inventories.
Note: The Inventory section of Update server consists of 4 sub-sections, Operating Systems, Software,
Hardware & Services. Operating Systems is the default page. In the administration portion of Update Server
I can individually grant & revoke access to these pages to a role. Yet the application does not work the way
it should. If Operating Systems is revoked but any of the other options are allowed, the end-user will not
gain access to the Inventories section because Operating Systems is always the default. Additionally, if
Operating Systems is allowed and one of the other options, then access to all 4 will be allowed.

36> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Missing the option to grant Mandatory pages to
36> roles.
Note: Within the admin/option portion of the application, the Mandatory page cannot be granted or revoked
from a user. All other pages for a group are controllable.

40> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: List applications that ARE
40> installed on a server.
Note: This patch management product cannot display what products ARE installed. In a comparison with
Shavlik's HFNetChk, that product can tell you which version of MDAC is installed, as well as any other product
HFNetChk can patch; Update Server, on the other hand, cannot.

43> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: In the deploy wizard, use
43> hierarchical grey check boxes.
Note: I thought this one might be useful to add to this list. If it isn't, disregard it. Many mistakes
have & can be made because there are long lists of patches and each company must be checked in certain
situations. I offered this suggestion as a product enhancement.

44> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB832414 (as 823490). This is
44> for MSXML 2.6.
Note: Update Server does not support the latest service pack for MSXML 2.6. This leads companies to a false
sense of security.

45> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB887606. This is for MSXML 2.6,
45> MSXML 3.0 Service Pack 3 & MSXML 4.0.
Note: This request is to add a hotfix patch.

46> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: Have a logout feature.
Note: This product does not have a log out feature. As an example, if two sessions of Internet Explorer are
open, one to the PLUS server & another to www.msn.com, and the user closes the window to the PLUS server
& leaves the workstation unlocked, a second user can walk up, press CTRL-N on the www.msn.com window and gain
access to the PLUS server by typing the URL in the browser's address bar.

47> Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Why doesn't Adobe Acrobat and patches
47> uninstall when I choose that option in the baseline?
Note: The PLUS server cannot uninstall Adobe Acrobat even though it is an option on the patch.

49> Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Tim & I believe that MS04-030 has a
49> PatchLink pop-up that can be removed for Win2k and possibly WinXP.
Note: This patch does not act silently when the option to do so is set. I have been unable to test this
patch for a long time now.

51> Opened 2005/10/26 - Closed xxxx/xx/xx - #001-00-006110 - 'Novell 2971589 Novell Client 4.91
51> Update 'A'' is automatically restarting workstations and there are no event logs of the install.
Note: The deployment of this patch automatically restarts clients when the option to not do so is set.
Additionally it seems that the Novell Patch does not add any events to the Application Event Log.

52> Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006346 - SQL Server Desktop Engine (MSDE) 2000
52> SP4 not detected for all SQL installations (total missing = 7).
Note: Update Server has absolutely no way of detecting non-default installations of MSDE & SQL Server. This
leads to a false sense of security especially if this is your only patch management solution. Additionally
PatchLink does not publish this limitation to the public.

53> Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006347 - HFNetChkPro detects that MDAC 2.8 SP1
53> is needed for JMCGUIRE. Update Server says it is installed.
Note: Update Server cannot correctly detect the need to install this patch. I had a machine that had MDAC
2.8 SP1 but somehow one or two files that were replaced by older versions. HFNetChk detected this situation
but Update Server said the machine was patched.

55> Opened 2005/11/03 - Closed xxxx/xx/xx - #001-00-007183 - Feature Enhancement: Add 'Idle' &
55> 'Working' to "Computers" "Status" drop-down.
Note: I consider this a bug. In the Computers section, 5 options are allowed in the "Status" drop-down (—
All —, Enabled, Sleeping, Offline, Disabled). Yet in the Status column which this associates with there are
5 possibilities (Idle, Offline, Working, Sleeping & Disabled).

57> Opened 2005/11/08 - Closed xxxx/xx/xx - #001-00-006499 - Outlook 2003 Junk E-mail Filter Update
57> KB906173 (October 2005) is being offered to machines that have Outlook 2003 installed. While,
57> Windows/Microsoft Update offers this patch to any machine with Office 2003 installations that do not have
57> Outlook 2003 installed.
Note: I don't know why PatchLink as a company wouldn't add this patch or mimic the way Microsoft detects it
with Windows update or Microsoft Update. They have refused to add this. I am quite positive that it is due
to the fundamental flaws with the detection engine Update Server uses. I also assume that if Office 2003 is
installed on a machine without Outlook, Windows/Microsoft Update will still install the patch in anticipation
of Outlook being added (or something like that).

58> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007041 - Product Enhancement: Add sorting by red
58> R & green C column.
Note: I consider this a bug. All other columns are sortable, so why not this one? I use it all the time to
try to differentiate between machines that need a restart & those that don't.

60> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007186 - Request Microsoft XML Parser (MSXML)
60> 2.6 SP3 to be added to the database.
Note: PatchLink seems to no longer be supporting a product they already support. They do not offer the
latest service pack for this application. They do offer prior service packs. This can lead companies into a
false sense of security.

61> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007042 - BUG: When hovering over a machine's
61> icon while in a Mandatory Baseline for a User created group when an assigned patch has been expanded, the
61> date & time of the last connection are not available.
Note: This is a self-explanatory bug.

62> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007073 - Typo: Extra space in MS05-031 text string
Note: The text for all patches but this one is exactly the same if you viewed from a web page OR from the
Export of a mandatory baseline. I use the Exports to show configuration changes. But when I use an exported
spreadsheet & I copy a cell with a patch name and then paste it into the find window box of Internet Explorer
when I am in the section to add or remove patches from a baseline… the pasted text does not match the name
in the list. This is not an Internet Explorer issue because the extra space is in the middle of the text.
PatchLink Support is refusing to add a (Rev 2) to this patch like they have done with other patches.

63> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007074 - Issue with MPSB05-07 Flash Player 7
63> patch & Update Servers' deployment
Note: This is a really big issue I have with PatchLink as a company. When this patch came out
(http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html) PatchLink as a company decided to
not offer the patch that fixed this situation. Macromedia offers this patch as well
(http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33). Instead PatchLink packaged
Macromedia's Flash Player 8 as the patch that fixed Flash Player 7. They did note this in their Description.
But if you install their patch, vulnerable files still exist on the client that was "patched". It is
impossible to patch the vulnerable Flash Player 7 files using Update Server. I have issues because they made
a decision to patch a product with a new version of the application. I have issues with PatchLink because
this issue was raised to them and they have done nothing about this. I have issues with their naming scheme
because the patch name suggests that it will patch Flash Player 7 when it doesn't do this at all. Note: In
prior upgrades of Flash Player the old version was removed. When Flash Player 8 came out, this no longer
happened.

64> Opened 2005/12/16 - Closed xxxx/xx/xx - #001-00-007528 - Trying to figure out why SQL Server
64> patches are reported as missing
Note: From PatchLink: This is a known issue. A missing registry key produces a false negative.

Well there you have it. I hope that these qualify as bugs & security vulnerabilities that can benefit
bugtraq. So as I asked before, could you let me know what is going to happen to this information now that
you have it? Could you give me a URL that shows me where this information went to?

Regards,
Brian Boner
Sr. Systems Administrator
TBG Financial
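The detection gap the e-mail returns to in tickets 53 and 64 (a host reported "patched" although files on disk had been replaced by older versions, and a patch reported "missing" only because a registry key was absent) comes from trusting a single installer marker. The following is an added example, not code from the e-mail or from PatchLink: it contrasts a marker-only check with verification of each file's version against the patch's minimum. The host names, registry key, file list and version numbers are constructed for the example and are not the real MDAC 2.8 SP1 file list.

```python
# Added example, not code from the e-mail above or from PatchLink.
# Contrasts a registry-marker-only "installed" check with per-file
# version verification. All host names, keys, file names and version
# numbers are constructed for the example.
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'2.81.1117.0' -> (2, 81, 1117, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Patch:
    name: str
    registry_marker: str               # key the installer writes on success
    min_file_versions: dict[str, str]  # file name -> minimum acceptable version


@dataclass(frozen=True)
class Host:
    name: str
    registry_keys: frozenset[str]
    file_versions: dict[str, str]      # file name -> version found on disk


def registry_only_installed(host: Host, patch: Patch) -> bool:
    """The weak check: marker present means patched."""
    return patch.registry_marker in host.registry_keys


def downlevel_files(host: Host, patch: Patch) -> list[str]:
    """Files that are absent or older than the patch requires."""
    bad = []
    for file_name, minimum in patch.min_file_versions.items():
        found = host.file_versions.get(file_name)
        if found is None or parse_version(found) < parse_version(minimum):
            bad.append(file_name)
    return sorted(bad)


def assess(host: Host, patch: Patch) -> str:
    """Run both checks and name the discrepancy, if any."""
    marker = registry_only_installed(host, patch)
    bad = downlevel_files(host, patch)
    if marker and not bad:
        return "patched"
    if marker and bad:
        return "marker present but files downlevel: " + ", ".join(bad)
    if not marker and not bad:
        return "files current but marker missing"
    return "not patched: " + ", ".join(bad)


# Constructed patch definition (illustrative file names and versions).
MDAC_28_SP1 = Patch(
    name="MDAC 2.8 SP1 (example)",
    registry_marker=r"HKLM\SOFTWARE\Example\MDAC\2.8SP1",
    min_file_versions={
        "msado15.dll": "2.81.1117.0",
        "msadce.dll": "2.81.1117.0",
        "odbc32.dll": "3.525.1117.0",
    },
)

# Constructed hosts.
HOSTS = [
    # Marker written, but one file later overwritten by an older copy
    # (the situation described for the host in ticket 53).
    Host("host-a", frozenset({MDAC_28_SP1.registry_marker}),
         {"msado15.dll": "2.81.1117.0", "msadce.dll": "2.80.1022.0",
          "odbc32.dll": "3.525.1117.0"}),
    # Files current, marker key missing (the ticket 64 explanation).
    Host("host-b", frozenset(),
         {"msado15.dll": "2.81.1117.0", "msadce.dll": "2.81.1117.0",
          "odbc32.dll": "3.525.1117.0"}),
    # Genuinely patched.
    Host("host-c", frozenset({MDAC_28_SP1.registry_marker}),
         {"msado15.dll": "2.81.1117.0", "msadce.dll": "2.81.1117.0",
          "odbc32.dll": "3.525.1117.0"}),
]


def report(hosts: list[Host], patch: Patch) -> dict[str, str]:
    """Host name -> assessment for the given patch."""
    return {h.name: assess(h, patch) for h in hosts}


if __name__ == "__main__":
    for name, status in report(HOSTS, MDAC_28_SP1).items():
        print(f"{name}: {status}")
```

The file-version pass is what turns "marker present" into a verifiable claim; a scanner that only reads the marker has no way to see host-a's downlevel msadce.dll, and a scanner that only reads the marker will mis-report host-b as unpatched.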
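Ticket 35 describes a section-level permission gate keyed to a fixed landing page: with Operating Systems revoked the role cannot enter Inventory at all, and with Operating Systems plus any other page granted all four pages open up. The following is an added example, not code from the e-mail or from PatchLink. The "flawed" function is an assumed reconstruction of the behaviour as described, placed beside a per-page check that also derives the landing page from what the role is actually allowed to see. Page names follow the e-mail; the role grant sets are constructed.

```python
# Added example, not code from the e-mail above or from PatchLink.
# Models the Inventory sub-section permission bug (ticket 35) and a
# per-page authorization check that avoids it. The flawed function is an
# assumed reconstruction of the described behaviour; grant sets are
# constructed for the example.
from typing import Optional

INVENTORY_PAGES = ("Operating Systems", "Software", "Hardware", "Services")
DEFAULT_PAGE = INVENTORY_PAGES[0]


def flawed_reachable_pages(granted: set[str]) -> set[str]:
    """Section gated on the fixed default page (assumed reconstruction)."""
    if DEFAULT_PAGE not in granted:
        return set()                  # default page denied: section unreachable
    if granted & set(INVENTORY_PAGES[1:]):
        return set(INVENTORY_PAGES)   # one extra grant unlocks the whole section
    return {DEFAULT_PAGE}


def hardened_authorize(granted: set[str], page: str) -> bool:
    """Per-request check: allow only a known page that this role was granted."""
    return page in INVENTORY_PAGES and page in granted


def hardened_landing_page(granted: set[str]) -> Optional[str]:
    """First granted page in display order, or None when the role has none."""
    for page in INVENTORY_PAGES:
        if hardened_authorize(granted, page):
            return page
    return None


def hardened_reachable_pages(granted: set[str]) -> set[str]:
    """Pages the role can actually open under the per-page check."""
    return {p for p in INVENTORY_PAGES if hardened_authorize(granted, p)}


def compare(granted: set[str]) -> dict:
    """Side-by-side result for one role's grant set."""
    return {
        "flawed": flawed_reachable_pages(granted),
        "hardened": hardened_reachable_pages(granted),
        "landing": hardened_landing_page(granted),
    }


if __name__ == "__main__":
    # Constructed roles: one over-granted, one locked out.
    for role, grants in {"auditor": {"Operating Systems", "Software"},
                         "app-owner": {"Software"}}.items():
        print(role, compare(grants))
```

Running the block shows the two failure modes side by side: the auditor role with two grants reaches all four pages under the flawed gate but only its two under the per-page check, and the app-owner role with only Software is shut out entirely under the flawed gate but lands on Software under the hardened one.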