Vulnerability issues with installation of security update kb969615

Discussion in 'Windows Update' started by komapuk, May 18, 2009.

  1. komapuk Guest

    Okay, here is the issue. This is similar to other issues listed on this site,
    but you need to have a new post each time someone has the same issue. I have
    Windows XP systems (some with Service Pack 2 and the rest with SP3), with
    MS Office 2003 (MS Office is up to date with patching). We have the full
    installation of PowerPoint on all of the systems. When I do vulnerability
    scans using Patchlink as my security scanner, it shows PowerPoint
    Viewer 2003 as a security risk. Now my systems do not have PowerPoint
    Viewer 2003 installed. However, Patchlink also provides the location of
    the file it shows to be vulnerable. This is "File version for file
    C:\Program Files\Microsoft Office\Office11\pptview.exe (11.0.8164.0) is less
    than 11.0.8305.0 (date=2007/04/19)".
    Now when I go to this location I find the file in question. When I double
    click on the file it launches PowerPoint Viewer 2003 (which is not
    installed and not available for removal from the Add/Remove Programs
    location). So the vulnerability scanner is correct: Microsoft PowerPoint
    Viewer is on the system and so is vulnerable. My question is: if the files
    which allow the viewer to be run are on a system (whether it is installed or
    not), why does Microsoft Update not allow the system to be patched?
     
    komapuk, May 18, 2009
    #1

  2. 1. Install PPV 2003 on these machines, reboot, then uninstall it (properly)
    and reboot once more; or...

    2. See the "How to obtain help..." section of
    http://support.microsoft.com/kb/969615
     
    PA Bear [MS MVP], May 18, 2009
    #2

  3. MowGreen Guest

    1) How did you come to the above conclusion?

    2) Please explain how you came to conclude that.

    IF the systems are not opted in to Microsoft Update, then no Office
    updates will be offered, as opposed to Windows Update, which ONLY updates
    the operating system and its components.
    Are you trying to say that the update cannot be installed via Microsoft
    Update?


    Have the systems been scanned on the Office Update page ?
    http://office.microsoft.com/en-us/downloads/maincatalog.aspx

    The PowerPoint Viewer is a component of PowerPoint, so it cannot be
    removed unless you uninstall PowerPoint. It cannot be uninstalled by
    itself from Add/Remove Programs.

    http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx

    MS09-017: Description of the security update for PowerPoint 2003: May
    12, 2009
    http://support.microsoft.com/kb/957784


    MowGreen
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============
     
    MowGreen, May 18, 2009
    #3
  4. BroMow brings up a good point: Does http://windowsupdate.microsoft.com take
    the machine to Windows Update website or Microsoft Update website? (I had
    been assuming the latter.)
     
    PA Bear [MS MVP], May 18, 2009
    #4
  5. komapuk Guest

    MowGreen,
    We use a WSUS server to do all updates on our systems. All of the MS
    Office patches are approved and have been installed across the network. The
    system in question is going to be used as a baseline for future images. When
    we found that it had this vulnerability, we went to Microsoft Update (which
    is what I said originally) and checked. Microsoft said no additional updates
    were needed. We then scanned the system again and we still had the same
    vulnerability show up. So we then downloaded the actual update (KB969615,
    which updates PowerPoint Viewer 2003). When the update ran it informed us
    "There are no products affected by this package installed on the system."
    The system in question also has the latest update for PowerPoint on it
    (KB957784, MS09-017). Once again, if PowerPoint Viewer 2003 is part of the full
    PowerPoint installation, why does the Microsoft updater not recognize that
    the program is on the system and update it?
    Also, I ran the scan across other systems on our network and they show the
    same vulnerability, and when I investigate, the file is there and it does
    launch the PowerPoint Viewer. Since the version is the older version, that
    means it is vulnerable to the exploit available against it.

    Robear,
    Installing ppv, rebooting and then properly uninstalling the ppv and
    then rebooting again, is not really a great solution across an enterprise
    with over 1000 systems. Especially when the viewer seems to be part of the
    normal installation of powerpoint. Though I appreciate the feedback.
    Vic
     
    komapuk, May 19, 2009
    #5
  6. MowGreen Guest

    Thanks for providing more details, Vic. Knowing that the system is
    updating via WSUS as opposed to MU explains things ... somewhat.
    Let's see if I have the patch sequence correct here ...
    KB957784 is installed first, then the attempt to install KB969615
    results in the "no products affected by this package are installed on
    this system", is that correct?

    All Office 2K3's are at SP3, correct?

    KB969615 updates Pptview.exe to V. 11.0.8305.0
    KB955784 updates Pptview.exe to V. 11.0.8307.0

    Going by the File version levels it appears the proper patch sequence is
    to apply KB969615 first, then apply KB955784.
    Apparently, since KB955784 was applied first, when you attempt to
    install KB969615 it's detecting the higher file version and you
    subsequently receive the " no products affected " message.
    MU is detecting the higher file version, too.

    BUT, you state that Pptview.exe is at a lower file version than either
    of the updates would leave it, correct?

    Please post the Versions of Pptview.exe and Pp7x32.dll from at least one
    of the systems where KB955784 is installed, Vic.

    Did you experience difficulties installing KB956500, which is similar to
    KB969615 as it updates the same files as KB956500 does?


    MowGreen
     
    MowGreen, May 19, 2009
    #6
  7. [[Forwarded to WSUS newsgroup via crosspost]]
     
    PA Bear [MS MVP], May 19, 2009
    #7
  8. Vic,

    To clarify, neither Microsoft Update nor the WSUS server are saying that
    KB969615 is needed? Just a third-party product?

    The fact that the vulnerable file is present does not necessarily mean that
    there is a vulnerability, although I agree that it is an oddity that should be
    investigated.

    I'll see if I can reproduce the problem and scare some information out of Microsoft.

    Harry.
     
    Harry Johnston [MVP], May 20, 2009
    #8
  9. komapuk Guest

    Okay,
    Latest update.
    Patchlink (formerly Harrisstat) now lists on the website that the
    vulnerability for the PowerPoint Viewer is a false positive. So they say
    there is no vulnerability.

    Tested it on my system which had not gotten the KB955784 patch.
    It still would not allow me to do KB969615.
    Last night I had my system update to KB955784.
    The current version of pptview.exe is 11.0.8164 (this is in the
    Office11 folder under Program Files -> Microsoft Office).
    The current version of pp7x32.dll is 11.0.8305.
    Had no other problems with updates. Just the strange situation here.

    Now, what is vulnerable to exploit in PowerPoint Viewer? Is it the executable or
    is it a DLL?
     
    komapuk, May 20, 2009
    #9
  10. MowGreen Guest

    I think I know where the confusion lies here ... KB969615 is *not*
    intended for anything but PowerPoint Viewer 2003.
    KB955784 is intended for PowerPoint 2003.

    KB955784 updates Powerpnt.exe, *not* Pptview.exe, to V. 11.0.8307.0
    and Pp7x32.dll to V. 11.0.8305.0.

    @Vic ... suggest you check the Version level of Powerpnt.exe as
    Pp7x32.dll is now at the correct Version level when KB955784 is installed.

    The Vulnerability Information is shown here:
    http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

    The chart under Severity Ratings and Vulnerability Identifiers shows
    which vulnerabilities are present in PowerPoint 2003 SP3, *none* of
    which are rated as Critical.


    MowGreen
     
    MowGreen, May 20, 2009
    #10
  11. Yeah, but it's suspicious that the file pptview.exe exists in both products but
    is only updated in one of them. There may well be a reason why it isn't
    necessary to update it in PowerPoint 2003, but I'd like MS to confirm that this
    is the case. It's fairly unusual.

    Harry.
     
    Harry Johnston [MVP], May 20, 2009
    #11
  12. MowGreen Guest

    I tried reading the Vulnerability Identifiers and just became more
    confused -

    PP7 Memory Corruption Vulnerability - CVE-2009-0225
    PP7 Memory Corruption Vulnerability - CVE-2009-1128
    PP7 Memory Corruption Vulnerability - CVE-2009-1129

    Maybe you can decipher if updating Pp7x32.dll is what mitigates the vuln
    in Pptview.exe when it's a component of PP2003 SP3. I can't.

    MowGreen
     
    MowGreen, May 21, 2009
    #12
  13. FYI,

    A contact within Microsoft informs me that this is a known issue and the Office
    team is currently working on an update to correct it. In the meantime, it was
    recommended that the pptview.exe file be renamed to pptview.old to make
    vulnerability scanners happy.

    Harry.
     
    Harry Johnston [MVP], Jun 5, 2009
    #13
  14. [OP is relying on the outdated application Patchlink to tell him what
    updates his computer(s) need, not AU/WU/MU, Harry.]
     
    PA Bear [MS MVP], Jun 5, 2009
    #14
  15. Yes, but MS have confirmed that the file in question should indeed have been
    updated, so basically Patchlink got it right.

    No word on whether the failure to update the file actually represents an
    exploitable vulnerability or not, although my best guess is that it doesn't.

    Harry.
     
    Harry Johnston [MVP], Jun 5, 2009
    #15
  16. Following up on this, I'm told that in theory this may represent a
    vulnerability, but that it would be very difficult to exploit. The workaround
    of renaming the file to .old should prevent exploitation.

    Harry.
     
    Harry Johnston [MVP], Jun 7, 2009
    #16
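The thread boils down to two practical tasks: check the actual file versions of the three PowerPoint 2003 binaries the posts name (pptview.exe, powerpnt.exe, pp7x32.dll) against the thresholds quoted in posts #1, #6 and #10, and, where pptview.exe is still at the old build, apply the rename workaround Microsoft relayed in posts #13 and #16. The script below is an added example written for this page; it is not code from any of the posters, from Microsoft or from PatchLink. The Office11 path and the version thresholds are taken from the posts rather than from the KB articles, so treat them as assumptions and confirm them against KB969615 and KB957784 before deploying. It compares [System.Version] objects rather than version strings, because a lexical comparison of "11.0.8164.0" against "11.0.8305.0" happens to work but would mis-order builds once a component crosses 10000, and it avoids PowerShell 3.0-only syntax so it can run on the XP hosts in the thread.

```powershell
<#
  Added example for this thread; not code from the posters, Microsoft or PatchLink.
  Audits the PowerPoint 2003 binaries named in the thread against the file
  versions quoted there and, on request, applies the workaround relayed in
  post #13 (rename pptview.exe to pptview.old).
  Assumptions: the Office11 path and the thresholds below come from the posts,
  not from the KB articles; verify them before relying on this.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OfficeDir = '',
    [switch]$ApplyRenameWorkaround
)

# Minimum file versions as quoted in the thread (assumed; see header comment):
#   KB969615 (PowerPoint Viewer 2003)   : pptview.exe  >= 11.0.8305.0
#   KB957784 (PowerPoint 2003, MS09-017): powerpnt.exe >= 11.0.8307.0
#                                         pp7x32.dll   >= 11.0.8305.0
$Expected = @{
    'pptview.exe'  = [Version]'11.0.8305.0'
    'powerpnt.exe' = [Version]'11.0.8307.0'
    'pp7x32.dll'   = [Version]'11.0.8305.0'
}

function Resolve-OfficeDir {
    # Office 2003 is 32-bit, so on an x64 host it lives under Program Files (x86).
    param([string]$Override)
    if ($Override) { return $Override }
    foreach ($root in @(${env:ProgramFiles(x86)}, $env:ProgramFiles)) {
        if ($root) {
            $candidate = Join-Path $root 'Microsoft Office\Office11'
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    throw 'Office11 directory not found; pass -OfficeDir explicitly.'
}

function Get-BinaryVersion {
    # Build a System.Version from the numeric parts of the PE version resource.
    # Comparing [Version] objects is numeric; comparing the FileVersion string
    # is lexical and would, for example, sort 11.0.10000.0 before 11.0.8305.0.
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-PowerPointPatchLevel {
    # One record per binary: absent, ok, or BELOW-THRESHOLD.
    param([string]$Dir, [hashtable]$Thresholds)
    foreach ($name in $Thresholds.Keys) {
        $path    = Join-Path $Dir $name
        $found   = Test-Path -LiteralPath $path
        $version = $null
        $status  = 'absent'
        if ($found) {
            $version = Get-BinaryVersion -Path $path
            if ($version -ge $Thresholds[$name]) { $status = 'ok' } else { $status = 'BELOW-THRESHOLD' }
        }
        # New-Object PSObject rather than [pscustomobject] keeps this PowerShell 2.0 compatible.
        New-Object PSObject -Property @{
            File = $name; Path = $path; Found = $found
            Version = $version; Expected = $Thresholds[$name]; Status = $status
        }
    }
}

function Invoke-PptviewRenameWorkaround {
    # The workaround relayed in post #13: take the stale viewer binary out of play
    # by renaming it. Refuses to clobber an existing pptview.old and honours
    # -WhatIf / -Confirm so it can be dry-run before touching 1000 machines.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Dir)
    $exe = Join-Path $Dir 'pptview.exe'
    $old = Join-Path $Dir 'pptview.old'
    if (-not (Test-Path -LiteralPath $exe)) { Write-Verbose "$exe not present; nothing to do"; return }
    if (Test-Path -LiteralPath $old) { throw "$old already exists; refusing to overwrite it" }
    if ($PSCmdlet.ShouldProcess($exe, 'Rename to pptview.old')) {
        Rename-Item -LiteralPath $exe -NewName 'pptview.old'
    }
}

$dir     = Resolve-OfficeDir -Override $OfficeDir
$results = Test-PowerPointPatchLevel -Dir $dir -Thresholds $Expected
$results | Sort-Object File | Format-Table File, Found, Version, Expected, Status -AutoSize

$viewer = $results | Where-Object { $_.File -eq 'pptview.exe' }
if ($ApplyRenameWorkaround -and $viewer.Status -eq 'BELOW-THRESHOLD') {
    Invoke-PptviewRenameWorkaround -Dir $dir
}
```

Run it once without switches to get the audit table, then `-ApplyRenameWorkaround -WhatIf` to see which machines would be touched before running it for real through whatever management tool reaches the fleet. On the system from post #9 the table should show pptview.exe at 11.0.8164.0 (BELOW-THRESHOLD) and pp7x32.dll at 11.0.8305.0 (ok), which is exactly the inconsistency the thread is about. Two caveats: the rename only removes the launchable viewer and satisfies scanners keyed to that path, and an Office repair or reinstall may well put the original pptview.exe back, so keep the audit in the baseline-image checklist until the corrected Office update mentioned in post #13 actually ships.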