After Friday's Rounds of Patches from Microsoft I see 5 instances of "CVE-2012-1889" under Programs and Features

gerhardub
Folks,

After Friday's Rounds of Patches from Microsoft I see 5 instances of "CVE-2012-1889" under Programs and Features.

For example:

CVE Under Installed Programs
Where the hell did this come from and is it a Microsoft update?  ...or have I been hacked?

(We do use a third party update tool as well as WSUS, but this is just plain old odd.)

GB

Top Expert 2016

Commented:

Author

Commented:
Yeah, but the issue is that I now see 5 instances of something called "CVE-2012-1889" installed on the systems.

As per the graphic, it doesn't list a publisher, size, or version...

HAS ANYONE SEEN THOSE SPECIFIC PATCHES INSTALLED AS PER THE GRAPHIC?
btan, Exec Consultant
Distinguished Expert 2018

Commented:
You are not alone. Not sure if Microsoft Baseline Security Analyzer can show more info instead.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/e9e2b36e-d7ac-41c2-a829-4d7ecd15dcbc


How does MBSA identify a single bulletin that includes multiple products?
Updates for multiple products within the same bulletin will be shown as different product families in the Issue column of the report summary. Each product-specific variation within the bulletin typically includes a different Knowledge Base article number; however, in some cases there could be multiple updates within the same product category.

For example, if a security bulletin applies to both Windows Media Player and SQL Server, the report summary lists two separate issues, with two separate Result Details to be viewed. In this example, each item would have the same bulletin ID, the standard naming convention for update titles would include the Knowledge Base article number, and the Description column would link to the support article Web page for the issue.

Another example is when more than one product exists within the same family, such as Windows Messenger and Windows Media Player (both are components of Windows). This example would provide separate updates in the same Result Details section of the report but share the same bulletin ID. If the product-specific Knowledge Base article ID is needed, the report can be viewed in any XML viewing program (such as Notepad or Internet Explorer), and the KBID attribute will contain the article number.

Finally, shortly after Microsoft Update is released, additional IDs will be included with published updates in the MBSA report that will directly relate to individual vulnerabilities addressed by the bulletin (typically in a "CAN-..." or "CVE-..." format as listed in the actual security bulletin). A new version of MBSA will not be needed, only the new data to be published with the updates being released.

Please reference this link for specifics on that CVE -

http://technet.microsoft.com/en-us/security/bulletin/ms12-043

You can see multiples of the same Microsoft patch depending on the number of components installed on your system. So, if you have 5 affected components, you will see the patch 5 different times. Patch release and CVE references will be the same. The only difference will be the KB article associated with the product being patched.

Author

Commented:
Followup:

Has anyone else seen the EXACT information in add/remove programs (as seen in the graphic above) on any of their systems?
It is going to vary from system to system as to what will be listed, and also may depend on where you are pulling your patches from. Microsoft patches pulled directly from Microsoft will always show up as a standard Microsoft convention and should not show up as a CVE value. I have not seen this particular patch show up as a CVE value on the nearly 500 servers that I have patched in our environment so far this month, nor have I seen it show up as this on my personal machines. (Granted, I am not logging into EVERY single machine I am patching, only a few; the rest is verified with our patching tool.) All of the machines I have looked at show it as a "Security Update for Microsoft Windows (insert KB article here)". Specifically, the bulletin being referenced by the CVE values noted in your screen shot is MS12-043, with several different iterations of KB articles and corresponding patches related to the bulletin. I don't believe this is anything to worry about, as I am seeing some other references on security threads where folks are seeing this patch come up as that on some systems.

Here is a link from SANS that gives additional information that might be useful - https://isc.sans.edu/diary.html?storyid=13459#comment
If you would like, I can look further as we have a number of different versions of Windows in our environment... I would need to know which version the OS is that you are seeing the above screen shot on. Also, out of curiosity, which third party product do you use for patching?

Author

Commented:
VMware Protect, Windows 2000 / 7....
Windows 2000 is not supported anymore so that may be part of the issue... We use the same product at work, but not to patch any Windows 7 machines. I have a round of patching later today with some Windows 2008 machines (similar to Windows 7) and I will take a quick look at a few of those tonight to confirm what I see...
To expand on what I said above, Windows 2000 has been out of support by Microsoft since June 2010. This patch would not be available in Shavlik/Vmware for that operating system.

Author

Commented:
Whoops, meant Windows 2008....
Ahh... ok! I know my Windows 7 box shows the patch the way it should show it. I will reference a few 2008 machines tonight to confirm how it shows there...

Author

Commented:
Thanks a ton.

I suspect that VMware wrote their own patch for this issue... but I'm not sure.  I've got a call into them.
VMware typically doesn't write patches for vendor products. They only create the XML that is used as part of the scan engine for seeing if the patch is applied or not. This would be unique to the patch itself. Might not be bad to compare the size of the patch in the VMware repository with the patch downloaded directly from Microsoft... May be a quick way to confirm if the issue is with the patch or not... default location is <install directory>\NetChk\patches.
I did check a number of the 2008 machines that patched tonight for me and things look good from my standpoint. I did check several versions of 2008 also (standard/ent/r2/etc), so I don't think it's a NetChk issue.

Author

Commented:
So far, no definitive answer...

Not sure if that's a crappy quick patch from MS, or a deployment stop-gap from VMware (Shavlik), OR a bad actor.

I do know that neither ForeFront or Trend or McAfee or Kaspersky find anything on a system with those improperly marked CVE-2012-1889 installs under Programs and Features.
Maybe try to uninstall and reinstall to see if that corrects the issue?

Did you ever check the size of the files for this patch in the netchk repository versus the size of the files currently available for download from Microsoft's website? It is possible that maybe Shavlik initially had a pre-release or earlier revision of the patch and just didn't update to pull the final one?
Please note when I say Shavlik I mean VMware NetChk... still used to calling it by its old name!

Author

Commented:
So far, no one has sufficiently answered the question.

VMware/Shavlik indicate that they did not install those patches to the systems.  

Microsoft patches for this month have not shown those as installed on any test system.

No virus scanner finds anything wrong...

...and I still don't have an answer on how to determine where to check these out to see how they go into "Programs and Features."

GB
You still haven't tried to uninstall and re-install the patches, have you? You also haven't indicated if you compared the installation files located in your Shavlik repository versus the sizes for the corresponding files from Microsoft's website. I would start with those two places first. You might also want to look at the update log files (I haven't had to reference these with doing Shavlik installs, but it is worth looking at for further information) -  http://support.microsoft.com/kb/902093.

You may not be able to determine specifically how they were applied to the system, but if you uninstall them, and Shavlik shows patches for MS12-043, then you know it was an issue with the way the patches applied to the server.
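
The repository check suggested in this thread, as an added example that is not part of any poster's reply: alongside file size, it records a SHA-256 hash and the Authenticode signature status of each file so that copies can be compared with a fresh download from Microsoft. The default path is a placeholder (the thread gives only `<install directory>\NetChk\patches`), and the expectation that a genuine Microsoft patch carries a valid signature naming Microsoft Corporation is an assumption of this example.

```powershell
# Added example, not from the thread. Requires PowerShell 4.0 or later
# (Get-FileHash). $PatchDir is a placeholder: point it at your own
# "<install directory>\NetChk\patches" folder.
param(
    [string]$PatchDir = 'C:\PatchRepo\NetChk\patches',   # placeholder path
    [string]$Filter   = '*'                               # narrow by file name if needed
)

function Get-PatchFileReport {
    param([string]$Path, [string]$Filter = '*')

    Get-ChildItem -Path $Path -Filter $Filter -File -Recurse | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash   = Get-FileHash -Path $_.FullName -Algorithm SHA256
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name        = $_.Name
            SizeBytes   = $_.Length
            SHA256      = $hash.Hash
            SigStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
            # Flag files that are unsigned, fail verification, or are not
            # signed by Microsoft (assumption: genuine patches are).
            NeedsReview = ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

# Files needing a closer look sort to the top of the table.
Get-PatchFileReport -Path $PatchDir -Filter $Filter |
    Sort-Object NeedsReview -Descending |
    Format-Table Name, SizeBytes, SigStatus, NeedsReview, SHA256 -AutoSize
```

Run the same function against a folder holding the files downloaded directly from Microsoft and compare the SHA256 column; a differing hash for the same file name means the repository copy is not the release currently published.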
Top Expert 2016

Commented:
@RevelationCS: same as my original post

I have the same on many systems -- system 1
It is NORMAL, it is a Microsoft update!

Author

Commented:
Incidentally, it's not normal.  I've got 1000+ systems and not one of them has any MS patches without a publisher, size, and version listed for them.

Commented:
Does anyone know where these CVE programs come from?
My system has three of them, they appear to be related to MS12-043.  However, why don't they show Microsoft as the publisher, the size and version number? Please help!

Author

Commented:
Never did really figure it out... and I don't really think RevelationCS's answer was really correct.
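
One way to see what stands behind such entries, as an added example that is not part of any post in this thread: the main Programs and Features list is built from the Uninstall registry keys, so each matching key can be dumped with whatever metadata it carries. The `CVE-*` name pattern is an assumption taken from the entries described above, and the example assumes they appear in the main program list.

```powershell
# Added example, not from the thread. Lists Uninstall registry entries whose
# DisplayName matches a pattern and shows the values that reveal their origin.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    param([string]$NamePattern = 'CVE-*')   # assumed pattern; adjust as needed

    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }   # e.g. no WOW6432Node on 32-bit
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    Publisher       = $p.Publisher
                    DisplayVersion  = $p.DisplayVersion
                    InstallDate     = $p.InstallDate
                    InstallSource   = $p.InstallSource
                    UninstallString = $p.UninstallString
                    ParentKeyName   = $p.ParentKeyName
                    RegistryKey     = $_.Name
                    # True when publisher or version is absent, as in the
                    # entries described in this thread.
                    MissingMetadata = -not ($p.Publisher -and $p.DisplayVersion)
                }
            }
        }
    }
}

Get-UninstallEntry | Format-List
```

The `UninstallString` and `InstallSource` values, where present, name the installer and the folder it ran from, which is the quickest pointer to the tool that created the entry.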
