How does WSUS determine a patch is missing?

I am trying to figure out how WSUS currently determines how a patch is
missing from a server. Does it check the individual files in each patch and
then report it as missing if the files are at a previous version?

I have seen in the past that software can install previous versions of dlls,
etc that "break" patches already applied. Windows Update from the web does
not recognize them as being needed again but the vulnerability still exists.

"D Riberdy" <> wrote in message
news:E21AC0D6-1CE3-4B9C-BCE5-...
>I am trying to figure out how WSUS currently determines how a patch is
> missing from a server.

The Windows Update Agent tells it that it's missing.

> Does it check the individual files in each patch and
> then report it as missing if the files are at a previous version?

The Windows Update Agent does a file level version check based on the
metadata stored in the update detection logic, which is obtained from the
WSUS Server during a detection event, provided that the update detection
metadata contains file level version data.


> I have seen in the past that software can install previous versions of
> dlls,
> etc that "break" patches already applied.

Only stupid software from stupid software developers on systems prior to
Windows 2000, where the stupid software developer failed to check the
version of the installed DLL prior to overwriting it with an older version
contained in the stupid software developer's installation package.

> Windows Update from the web does
> not recognize them as being needed again but the vulnerability still
> exists.

That really depends on what the update is; how old the update is; what
detection methodology is coded into the update package's detection logic;
what version of the operating system you're using; what version of the
Windows Update Agent you're using; and whether or not the affected DLL(s)
are actually part of any given update package.

Do you have a *specific* example you'd like to discuss?



--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/pr...2-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/window...s/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....

The actual incident in question was installing Microsoft Application Center
SP1 that undid the fix for the Blaster virus on all the servers we installed
it on. Even though Microsoft listed it as installed and said we were
protected an audit found us vulnerable. We had to switch to a 3rd party tool
becuase the customer felt that we and Microsoft were unable to properly
manage the patching and healthiness of the environment.

So, If a, as you put it "Only stupid software from stupid software
developers" were to overlay a newer patches dll with an older version, will
WSUS then show it as missing? Or is that entirely dependent on the people
packaging the patches to insert all the proper data for WSUS to do that type
of checking ala "The Windows Update Agent does a file level version check
based on the metadata stored in the update detection logic, which is obtained
from the
WSUS Server during a detection event, provided that the update detection
metadata contains file level version data."

DR

"Lawrence Garvin (MVP)" wrote:

> "D Riberdy" <> wrote in message
> news:E21AC0D6-1CE3-4B9C-BCE5-...
> >I am trying to figure out how WSUS currently determines how a patch is
> > missing from a server.
>
> The Windows Update Agent tells it that it's missing.
>
> > Does it check the individual files in each patch and
> > then report it as missing if the files are at a previous version?
>
> The Windows Update Agent does a file level version check based on the
> metadata stored in the update detection logic, which is obtained from the
> WSUS Server during a detection event, provided that the update detection
> metadata contains file level version data.
>
>
> > I have seen in the past that software can install previous versions of
> > dlls,
> > etc that "break" patches already applied.
>
> Only stupid software from stupid software developers on systems prior to
> Windows 2000, where the stupid software developer failed to check the
> version of the installed DLL prior to overwriting it with an older version
> contained in the stupid software developer's installation package.
>
> > Windows Update from the web does
> > not recognize them as being needed again but the vulnerability still
> > exists.
>
> That really depends on what the update is; how old the update is; what
> detection methodology is coded into the update package's detection logic;
> what version of the operating system you're using; what version of the
> Windows Update Agent you're using; and whether or not the affected DLL(s)
> are actually part of any given update package.
>
> Do you have a *specific* example you'd like to discuss?
>
>
>
> --
> Lawrence Garvin, M.S., MCTS, MCP
> Independent WSUS Evangelist
> MVP-Software Distribution (2005-2007)
> https://mvp.support.microsoft.com/pr...2-D095EB07B36E
>
> Everything you need for WSUS is at
> http://technet2.microsoft.com/window...s/default.mspx
>
> And, almost everything else is at
> http://wsusinfo.onsitechsolutions.com
> .....
>
>
>
>

"D Riberdy" <> wrote in message
news:BE35A31C-9AFD-441D-BDF8-...

> The actual incident in question was installing Microsoft Application
> Center
> SP1 that undid the fix for the Blaster virus on all the servers we
> installed
> it on.

Interesting.... but a rather ancient problem, wouldn't you agree? The
Blaster virus is almost four years old; Application Center 2000 SP1
(released: Oct 2001) actually pre-dates the Blaster virus by almost two
years; and Application Center 2000 SP2 was released four years ago to
support AppCenter2000 on Windows Server 2003.

As for the Blaster virus itself, it actually exploits an issue that was
fixed by MS03-026 (KB823980), which isn't even an active update anymore,
having been superceded by a Service Pack on every operating system except
Windows 2000.

So, lacking a *current* example, let's take this scenario in the context it
deserves.


> Even though Microsoft listed it as installed and said we were
> protected an audit found us vulnerable.

So, if I understand you correctly, you directly installed Application Center
2000 SP1 on top of a machine already containing MS03-026, and then were
surprised when a 2 year old service pack replaced some files with older
versions?

Okay... so lessons learned: [a] Always install updates in chronological
order of release. [b] Always run a security scan after applying any old
updates.

Also, keep in mind that the OS reporting an update as "Installed", merely
means that the installer successfully ran, and that the necessary registry
values were created. It indicates nothing about whether the component files
are physically present, corrupted, or overwritten with an older version by
some other installer.


> We had to switch to a 3rd party tool
> becuase the customer felt that we and Microsoft were unable to properly
> manage the patching and healthiness of the environment.

Hmmm... and, in reality, it was probably nothing more than a deployment
error in the installation of the AppCenter 2000 service pack. :-)

To that extent, the customer was probably partially correct in expressing
concern about your inability to properly manage the patching and healthiness
of the enviornment. :-\


> So, If a, as you put it "Only stupid software from stupid software
> developers" were to overlay a newer patches dll with an older version,
> will
> WSUS then show it as missing?

*TODAY*, with *WSUS* (or SMS, or WU/MU, or MBSA -- all of which use exactly
the same scanning technology) (neither of which existed when you were
installing AppCenter service packs on top of Blaster security vulnerability
patches), all patches are *DETECTED* based on the requisite file contents
and version numbers of those files.


> Or is that entirely dependent on the people
> packaging the patches to insert all the proper data for WSUS to do that
> type
> of checking

But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE (which
is generally the product group responsible for the specific product being
updated), to properly configure the metadata for the detection logic of that
update. Ergo, the Windows Update Agent can only do what the product team
tells it to do via the update detection logic.

>"The Windows Update Agent does a file level version check
> based on the metadata stored in the update detection logic, which is
> obtained
> from the
> WSUS Server during a detection event, provided that the update detection
> metadata contains file level version data."


Exactly.


--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/pr...2-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/window...s/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....

"Lawrence Garvin (MVP)" wrote:

> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE (which
> is generally the product group responsible for the specific product being
> updated), to properly configure the metadata for the detection logic of that
> update. Ergo, the Windows Update Agent can only do what the product team
> tells it to do via the update detection logic.

So, what you are saying is that I am at the mercy of a patch developer doing
their job correctly to ensure that the patches will scan correctly in WSUS?
Is this a standard routine for them to do or is there currently cases where
it doesn't have the correct information? Microsoft has been known to
re-re-release patches due to improperly packaged files before.

> So, if I understand you correctly, you directly installed Application Center
> 2000 SP1 on top of a machine already containing MS03-026, and then were
> surprised when a 2 year old service pack replaced some files with older
> versions?

Actually, you understood me incorrectly. The above patch MS03-026 was
installed when the base machine was created with Windows Update. We
installed Microsoft Application Center 2000 SP1 as a complete application -
not just the SP1 patch. When we rescanned the machines at the end of the
build process, there were no updates to be found - ergo the logic built into
either the MS03-026 patch itself OR Windows Update was flawed.

Therein lies their concern as well as ours that if we hang our hats on the
WSUS product, which by the looks of the forum posts here for version 3, has
less than spectaular commentary, that it will ensure that we are patched to
the fullest extent and rescan previously installed patches to make sure
nothing like the above happens. If it falls on the product team or WSUS
directly, it still is a "Microsoft" problem that things are not scanned
correctly.

=?Utf-8?B?RCBSaWJlcmR5?= <> wrote in
news:90CB7FB6-DE83-4035-A98C-:

> "Lawrence Garvin (MVP)" wrote:
>
>> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE
>> (which is generally the product group responsible for the specific
>> product being updated), to properly configure the metadata for the
>> detection logic of that update. Ergo, the Windows Update Agent can
>> only do what the product team tells it to do via the update detection
>> logic.
>
> So, what you are saying is that I am at the mercy of a patch developer
> doing their job correctly to ensure that the patches will scan
> correctly in WSUS? Is this a standard routine for them to do or is
> there currently cases where it doesn't have the correct information?
> Microsoft has been known to re-re-release patches due to improperly
> packaged files before.
>
>> So, if I understand you correctly, you directly installed Application
>> Center 2000 SP1 on top of a machine already containing MS03-026, and
>> then were surprised when a 2 year old service pack replaced some
>> files with older versions?
>
> Actually, you understood me incorrectly. The above patch MS03-026 was
> installed when the base machine was created with Windows Update. We
> installed Microsoft Application Center 2000 SP1 as a complete
> application - not just the SP1 patch. When we rescanned the machines
> at the end of the build process, there were no updates to be found -
> ergo the logic built into either the MS03-026 patch itself OR Windows
> Update was flawed.
>

Well, Windows Update does what the patch tells it to do to detect, so
it's not flawed.

The update will look for either file versions, or more likely registry
entries. So installing MS03-026 created the requisite entries and folders
in the Windows folder. Then you load a 7 year old piece of software that
blindly clobbers a bunch of DLLs. The MS03-026 registry entries are still
there. What do you expect the detection to do? Scan version of every file
it replaces? For large patches and SPs, it would consume too much
resources on the clients.

If you want to escape responsibility and lay the blame on Microsoft, then
blame App Centre.

Personnaly at this point, I'd upgrade App Centre to the cuttent version.
Or at least, install it immediately after the OS, before patches.


> Therein lies their concern as well as ours that if we hang our hats on
> the WSUS product, which by the looks of the forum posts here for
> version 3, has less than spectaular commentary, that it will ensure
> that we are patched to the fullest extent and rescan previously
> installed patches to make sure nothing like the above happens. If it
> falls on the product team or WSUS directly, it still is a "Microsoft"
> problem that things are not scanned correctly.
>

*sigh* as Garvin noted this was an old problem. The point being we have used
other products and are now wanting to investigate WSUS as a possible solution
for patching.

Yes, I would expect that if I were to call for a scan of missing patches on
a server, it would check the file versions to ensure that they match with
what is is expected to be there. Other tools do the exact same thing and
don't seem to be consuming too many resources.

So far, I haven't really heard any good reason to vary from what we are
using to go to WSUS since we cannot expect that it would confidently tell us
what we want to know. I guess if you vary from the norm and don't kiss the
ring of Microsoft you get belittled on these forums.

"Asher_N" wrote:

> =?Utf-8?B?RCBSaWJlcmR5?= <> wrote in
> news:90CB7FB6-DE83-4035-A98C-:
>
> > "Lawrence Garvin (MVP)" wrote:
> >
> >> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE
> >> (which is generally the product group responsible for the specific
> >> product being updated), to properly configure the metadata for the
> >> detection logic of that update. Ergo, the Windows Update Agent can
> >> only do what the product team tells it to do via the update detection
> >> logic.
> >
> > So, what you are saying is that I am at the mercy of a patch developer
> > doing their job correctly to ensure that the patches will scan
> > correctly in WSUS? Is this a standard routine for them to do or is
> > there currently cases where it doesn't have the correct information?
> > Microsoft has been known to re-re-release patches due to improperly
> > packaged files before.
> >
> >> So, if I understand you correctly, you directly installed Application
> >> Center 2000 SP1 on top of a machine already containing MS03-026, and
> >> then were surprised when a 2 year old service pack replaced some
> >> files with older versions?
> >
> > Actually, you understood me incorrectly. The above patch MS03-026 was
> > installed when the base machine was created with Windows Update. We
> > installed Microsoft Application Center 2000 SP1 as a complete
> > application - not just the SP1 patch. When we rescanned the machines
> > at the end of the build process, there were no updates to be found -
> > ergo the logic built into either the MS03-026 patch itself OR Windows
> > Update was flawed.
> >
>
> Well, Windows Update does what the patch tells it to do to detect, so
> it's not flawed.
>
> The update will look for either file versions, or more likely registry
> entries. So installing MS03-026 created the requisite entries and folders
> in the Windows folder. Then you load a 7 year old piece of software that
> blindly clobbers a bunch of DLLs. The MS03-026 registry entries are still
> there. What do you expect the detection to do? Scan version of every file
> it replaces? For large patches and SPs, it would consume too much
> resources on the clients.
>
> If you want to escape responsibility and lay the blame on Microsoft, then
> blame App Centre.
>
> Personnaly at this point, I'd upgrade App Centre to the cuttent version.
> Or at least, install it immediately after the OS, before patches.
>
>
> > Therein lies their concern as well as ours that if we hang our hats on
> > the WSUS product, which by the looks of the forum posts here for
> > version 3, has less than spectaular commentary, that it will ensure
> > that we are patched to the fullest extent and rescan previously
> > installed patches to make sure nothing like the above happens. If it
> > falls on the product team or WSUS directly, it still is a "Microsoft"
> > problem that things are not scanned correctly.
> >
>
>

Asher_N wrote:

> Well, Windows Update does what the patch tells it to do to detect, so
> it's not flawed.

The detection logic is part of the Windows Update product, speaking in the
broader sense.

> What do you expect the detection to do? Scan version of every file
> it replaces? For large patches and SPs, it would consume too much
> resources on the clients.

MBSA 1.2.1 seemed to manage to do this without being very resource-hungry.
(Granted service packs are a special case.)

Probably qfecheck is the right tool to check for this class of problem.
However, it does seem that this functionality should be built into WUA, or
perhaps the OS.

... actually the other thing that puzzles me is why Windows File Protection
didn't kick in.

> Personnaly at this point, I'd upgrade App Centre to the cuttent version.
> Or at least, install it immediately after the OS, before patches.

Are you suggesting that whenever we need to run a new application we should buy
a new server? I don't think that's a feasible solution in general. :-)

Harry.

"D Riberdy" <> wrote in message
news:90CB7FB6-DE83-4035-A98C-...
> "Lawrence Garvin (MVP)" wrote:
>
>> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE
>> (which
>> is generally the product group responsible for the specific product being
>> updated), to properly configure the metadata for the detection logic of
>> that
>> update. Ergo, the Windows Update Agent can only do what the product team
>> tells it to do via the update detection logic.
>
> So, what you are saying is that I am at the mercy of a patch developer
> doing
> their job correctly to ensure that the patches will scan correctly in
> WSUS?

You'd be at their mercy even if you used Microsoft Update!

You'd also be at their mercy if you solely relied on the verbage in the MSRC
or KB document.

At some point ya either gotta trust your OS vendor to some point, or ya
gotta find a new OS vendor.

I'm afraid I can't help you much with your paranoia. ;-)


>> So, if I understand you correctly, you directly installed Application
>> Center
>> 2000 SP1 on top of a machine already containing MS03-026, and then were
>> surprised when a 2 year old service pack replaced some files with older
>> versions?
>
> Actually, you understood me incorrectly. The above patch MS03-026 was
> installed when the base machine was created with Windows Update. We
> installed Microsoft Application Center 2000 SP1 as a complete
> application -
> not just the SP1 patch.

Okay.. so either way.. what you're telling me is that you installed a
product whose release date preceeded the release date of security updates on
the system, and you never considered the need to evaluate whether those
security updates needed to be reinstalled?

> When we rescanned the machines at the end of the
> build process, there were no updates to be found - ergo the logic built
> into
> either the MS03-026 patch itself OR Windows Update was flawed.

Or, you misunderstood the significance of whatever tool you used to do the
"rescan".

But, again, that was in 2003, four years ago. It's really a pointless
discussion now.


> Therein lies their concern as well as ours that if we hang our hats on the
> WSUS product, which by the looks of the forum posts here for version 3,
> has
> less than spectaular commentary,

Eh?


> that it will ensure that we are patched to
> the fullest extent and rescan previously installed patches to make sure
> nothing like the above happens. If it falls on the product team or WSUS
> directly, it still is a "Microsoft" problem that things are not scanned
> correctly.


Like I said above.. it matters not what the PRODUCT used to scan or install
the patch is -- ultimately, in *ANY* circumstance -- you're entirely
dependent upon the Microsoft Sustained Engineeering team(s) for the various
products to forsee every possible installation environment, and be able to
detect every possible installation scenario -- including somebody who'd want
to install a two year old product onto current hotfix security patches.

Bottom line is: That's why every "best practice" document in the world says
TEST TEST TEST TEST TEST.

Prove to YOURSELF that the patch installs correctly, doesn't break anything
on your systems, and does what you need it to do, and then, when you've done
that, deploy it to production systems.


I really don't think there's much else I can say.

--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/pr...2-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/window...s/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....

"Harry Johnston" <> wrote in message
news:u$...

> Asher_N wrote:
>
>> Well, Windows Update does what the patch tells it to do to detect, so
>> it's not flawed.
>
> The detection logic is part of the Windows Update product, speaking in the
> broader sense.

Actually, this is a misconception.

The =engine= is contained within the Windows Update Agent code.

However, the =data= that tells that engine what to do is contained within
the update package itself, and is unique to each update package.

It's generally this data that is the reason updates have "revisions", and
MSRC documents are revised. Case in point -- just today Microsoft revised
MS07-022 for issues affecting people running Windows 2000 Service Pack 4 on
NEC 98 systems.


>> What do you expect the detection to do? Scan version of every file it
>> replaces? For large patches and SPs, it would consume too much resources
>> on the clients.
>
> MBSA 1.2.1 seemed to manage to do this without being very resource-hungry.
> (Granted service packs are a special case.)

Thus my comments, elsewhere, indicting the "scanning tools" used to
determine whether the post-install AppCenter2000SP1 system was secure. MBSA
v1.2.1 didn't exist in 2003 when this incident happened. I know that it was
2003, because if it had been 2004 they surely would have installed
AppCenter2000SP2 -- although that wouldn't have been any guarantee either,
since AppCenter2000SP2 (Jun 2003) also predated MS03-026 (Jul 2003).

Hehe... so AppCenterSP2 was released *before* MS03-026, and they chose to
install a slipstreamed *downlevel* version of the application. Go figger...
but it was suicidal, at best (and, of course, we also have the benefit of
hindsight to support that appelation).

Which then makes me want to ask when this really did occur, but either way,
I think it would just complicate the decisions behind the deployment
choices -- either way, the *current* version of the application was not
installed.


> Probably qfecheck is the right tool to check for this class of problem.
> However, it does seem that this functionality should be built into WUA, or
> perhaps the OS.
>
> ... actually the other thing that puzzles me is why Windows File
> Protection didn't kick in.

Windows File Protection on a Windows 2000 Service Pack 3 system? Service
Pack 4 was only released in June, 2003, and I suspect not yet installed on
the subject system, given that they also were not installing AppCenterSP2
(Jun 2003).


>> Personnaly at this point, I'd upgrade App Centre to the cuttent version.
>> Or at least, install it immediately after the OS, before patches.
>
> Are you suggesting that whenever we need to run a new application we
> should buy a new server? I don't think that's a feasible solution in
> general. :-)

No, I don't think that's what Asher is suggesting, but then I also think
that he's misunderstood that this incident is a legacy incident, that
occurred four years ago, not in the recent past.

It's also irrelevant, because AppCenter2000 isn't a supported product at
all, any more. Mainstream Support expired in July, 2006. Only Security
Updates for AppCenter2000SP2 are available, now.

However, in either situation, the *correct* installation methodology would
have surely alleviated some of the issues experienced. The *application*
being installed was at a SP level dated from October, 2001, on top of a
patch released in July, 2003 (and possibly, even, an unsupported SP level if
this all happened after June 2004).

That means, de facto, the *application* had no knowledge of any updates
applicable to that system beyond that date -- even the most current SP for
that application could not have known.

The logical conclusion (at least to me) would be that *anything* released
after that date was subject to having been corrupted. At a minimum I would
have (RE)INSTALLED Service Pack 4 (Jun 2003), and all security patches
released after Service Pack 4 (which would have included MS03-026) -- but
then I would have also installed the product's most recent service pack as
well.

The second problem was trusting the patch tools available at that point
(Windows Update) to properly identify the deficiencies in the patch level of
the system. In 2003, all that WU did was check a registry value to determine
if a patch had been "installed" or "not installed". The only certain way to
know was to personally verify the file versions and/or simply reapply the
update(s) potentially affected -- and certainly any Critical Security
Updates -- like a Blaster patch!

--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/pr...2-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/window...s/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....