How to distribute software updates that are not detected by the Microsoft Baseline Security Analyzer in Systems Management Server 2003

View products that this article applies to.

INTRODUCTION

The Microsoft Baseline Security Analyzer (MBSA) may not detect all the security updates that Microsoft releases. You cannot use the patch management feature of Microsoft Systems Management Server (SMS) 2003 to deploy these updates to SMS 2003 clients. SMS 2003 uses scan results from the MBSA to inventory and to deploy software updates. SMS can inventory only those updates that MBSA detects.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

306460 (http://support.microsoft.com/kb/306460/ ) Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates

For more information about how to use SMS software distribution to deploy software updates, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc917507.aspx (http://technet.microsoft.com/en-us/library/cc917507.aspx)

Back to the top

MORE INFORMATION

How to distribute security updates that MBSA does not detect

For illustration, these steps use the Microsoft security update MS04-013. You can modify these steps to distribute other updates that MBSA does not detect.

To distribute updates that MBSA does not detect, follow these steps:

Schedule software inventory, and then specify the .dll files that you want SMS to discover:
1. Start the SMS Administrator Console.
2. Click the Site Hierarchy\Your Site\Site Settings\Client Agents node.
  
  Your Site is the site code and the name of your SMS site.
3. Right-click Software Inventory Client Agent, and then click Properties.
4. Click the Inventory Collection tab, and then click the yellow star button to add a new file.
5. In the Name box, type:
  Inetcomm.dll
6. On the General tab, click Full Schedule, and then click Schedule.
7. Accept or change the default schedule, and then click OK.
8. Use the Transfer Site Settings Wizard to replicate the software inventory settings to other SMS sites in your hierarchy.
Note Make sure that you give a minimum of two or three days for the clients to report software inventory. However, more time may be required, depending on your software inventory schedule.

The Transfer Site Settings Wizard is available as part of the SMS 2003 Administration Feature Pack. For additional information about the Transfer Site Settings Wizard, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/sms/bb676767.aspx (http://technet.microsoft.com/en-us/sms/bb676767.aspx)
Manually create the Managed Object Format (MOF) files for these updates. The "MOF files" section contains examples of collection MOF files that you can use to distribute an update. To create a collection to receive the update by importing an MOF file for the update, follow these steps:
1. Start the SMS Administrator Console.
2. Right-click the Collections node, point to All Tasks, click Import Objects, and then click Next.
3. In the text box, type the folder path and the file name of the MOF file that you want to use, or click Browse to locate the file. In this example, type:
  C:\MOFS\MS04-013PatchCollection.MOF
4. Click Next three times, and then click Finish.
  
  The MS04-013PatchCollection collection appears in the Collections node.
The client computers that require the MS04-013 update appear in the MS04-013PatchCollection collection after the .dll file is inventoried on the SMS clients.
Create the package, and then advertise the package to the collection:
1. Right-click Packages, point to All Tasks, and then click Distribute Software.
2. Follow the prompts to complete the wizard.
You can use a report to make sure that the update is installed to the clients. To create a report for the update by importing an MOF file for the update, follow these steps:
1. Start the SMS Administrator Console.
2. Expand the Reporting node.
3. Right-click Reports, point to All Tasks, and then click Import Objects. Click Next.
4. In the text box, type the folder path and the file name of the MOF file, or click Browse to locate the file. In this example, type:
  C:\MOFS\MS04-013PatchReport.MOF
5. Click Next three times, and then click Finish. The MS04-013PatchReport report appears in the Reporting node.
6. Right-click the MS04-013PatchReport report, point to All Tasks, point to Run, and then click the name of your SMS site computer.
This report returns a list of client computers that do not have the MS04-013 update.

Back to the top

MOF files

You can use the following examples to create MOF files to use in step 2 in the "How to distribute security updates that MBSA does not detect" section. You can use these sample scripts for software updates that MBSA does not detect.

Note You must modify the following scripts to reference the update that you want to distribute to your clients. You must change the following information for each update that you want to distribute:

The name of the update--in this example, "MS04-013"
The file name to inventory--in this example, "Inetcomm.dll"
The file version to inventory--in this example, "6.00.3790.137"

Collections MOF sample file

// *********************************************************************************
//
//		Created by SMS Export object wizard
//
//		Monday, June 07, 2004 created
//
//		File Name: MS04-013PatchCollection.MOF
//
// Comments :
//
//
// *********************************************************************************


// ***** Class : SMS_Collection *****
[SecurityVerbs(16359)]
instance of SMS_Collection
{
	CollectionID = "";
	CollectionRules = {
instance of SMS_CollectionRuleQuery
{
	LimitToCollectionID = "";
	QueryExpression = "select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,sys.ResourceDomainORWorkgroup,sys.Client from SMS_G_System_SoftwareFile as swfile inner join SMS_R_System as sys on sys.ResourceId = swfile.ResourceID where swfile.FileName like \"Inetcomm.dll\" and swfile.FileVersion < \"6.00.3790.137\"";
	QueryID = 1;
	RuleName = "MS04-013Query";
}};
	Comment = "This collection obtains all the vulnerable computers that have Inetcomm.dll and version less than 6.00.3790.137";
	CurrentStatus = 0;
	LastChangeTime = "20040607112504.000000+***";
	LastMemberChangeTime = "20040607112202.000000+***";
	LastRefreshTime = "20040607112507.000000+***";
	MemberClassName = "";
	Name = "MS04-013PatchCollection";
	OwnedByThisSite = TRUE;
	RefreshSchedule = {
instance of SMS_ST_RecurInterval
{
	DayDuration = 1;
	DaySpan = 1;
	HourDuration = 0;
	HourSpan = 0;
	IsGMT = FALSE;
	MinuteDuration = 0;
	MinuteSpan = 0;
	StartTime = "20040607112100.000000+***";
}};
	RefreshType = 2;
	ReplicateToSubSites = FALSE;
};
// ***** End *****

Reports MOF sample file

// *********************************************************************************
//
//		Created by SMS Export object wizard
//
//		Monday, June 07, 2004 created
//
//		File Name: MS04-013PatchReport.MOF
//
// Comments :
//
//
// *********************************************************************************


// ***** Class : SMS_Report *****
[SecurityVerbs(140551)]
instance of SMS_Report
{
	Category = "Software Update - Compliance";
	Comment = "This report shows all the vulnerable computers that have Inetcomm.dll with version less than 6.00.3790.137. 
 If the security update is applied successfully, this report should not show any computers.";
	GraphXCol = 1;
	GraphYCol = 2;
	MachineDetail = FALSE;
	MachineSource = FALSE;
	Name = "MS04-013PatchReport";
	NumPrompts = 0;
	RefreshInterval = 0;
	
	SecurityKey = "";
	SQLQuery = "select distinct SYS.Name0,SYS.Operating_System_Name_and0,SYS.Resource_Domain_OR_Workgr0,SYS.User_Name0 from v_R_SYSTEM SYS,v_GS_SoftwareFile SF WHERE SF.ResourceID=SYS.ResourceID and (SF.FileName = 'inetcomm.dll' and SF.FileVersion < '6.00.3790.137')";
	StatusMessageDetailSource = FALSE;
};
// ***** End *****

Back to the top

Update for Microsoft Security Bulletin MS04-028

You can use the sample MOF files in this section to report and build a collection of computers that may be vulnerable to the GDI+ buffer overrun issue even after all the required updates from Microsoft have been deployed. For more information about Microsoft Security Bulletin MS04-028, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx)

For a complete discussion of this issue, see the "Frequently asked questions (FAQ) related to this security update" section of this bulletin, and then find the question “If I use third-party applications that distribute the gdiplus.dll file, could I still be vulnerable even after I have installed all required Microsoft security updates?" After a computer shows up in this collection, you can examine the software inventory to identify full path of the GDIPlus.dll folder to determine which application may have installed the vulnerable version.

Collections MOF sample file

// *********************************************************************************
//
//		Created by SMS Export object wizard
//
//		Tuesday, September 21, 2004 created
//
//		File Name: GDI-Collection.MOF
//
// Comments :
//
//
// *********************************************************************************


// ***** Class : SMS_Collection *****
[SecurityVerbs(16359)]
instance of SMS_Collection
{
	CollectionID = "";
	CollectionRules = {
instance of SMS_CollectionRuleQuery
{
	LimitToCollectionID = "";
	QueryExpression = "select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,sys.ResourceDomainORWorkgroup,sys.Client from SMS_G_System_SoftwareFile as swfile inner join SMS_R_System as sys on sys.ResourceId = swfile.ResourceID where swfile.FileName like \"GDIPLUS.dll\" and swfile.FileVersion < \"5.1.3102.1355\"";
	QueryID = 1;
	RuleName = "GDI Query";
}};
	Comment = "This collection obtains all the vulnerable computers that have GDIPLUS.dll with version less than 5.1.3102.1355";
	CurrentStatus = 0;
	LastChangeTime = "20040921113440.000000+***";
	LastMemberChangeTime = "20040921112924.000000+***";
	LastRefreshTime = "20040921112957.000000+***";
	MemberClassName = "";
	Name = "GDI-Collection";
	OwnedByThisSite = TRUE;
	RefreshSchedule = {
instance of SMS_ST_RecurInterval
{
	DayDuration = 1;
	DaySpan = 0;
	HourDuration = 0;
	HourSpan = 0;
	IsGMT = FALSE;
	MinuteDuration = 0;
	MinuteSpan = 10;
	StartTime = "20040921112600.000000+***";
}};
	RefreshType = 2;
	ReplicateToSubSites = FALSE;
};
// ***** End *****

Reports MOF sample file

// *********************************************************************************
//
//		Created by SMS Export object wizard
//
//		Tuesday, September 21, 2004 created
//
//		File Name: GDI-Report.MOF
//
// Comments :
//
//
// *********************************************************************************


// ***** Class : SMS_Report *****
[SecurityVerbs(9479)]
instance of SMS_Report
{
	Category = "Software Update - Compliance";
	Comment = "This report shows all the vulnerable computers that have GDIPLUS.dll with version less than 5.1.3102.1355.  \n If the security update is applied successfully, this report should not show any computers.";
	GraphCaption = "";
	GraphXCol = 1;
	GraphYCol = 2;
	MachineDetail = FALSE;
	MachineSource = FALSE;
	Name = "GDI-Report";
	NumPrompts = 0;
	RefreshInterval = 0;
	
	SecurityKey = "";
	SQLQuery = "select distinct SYS.Name0,SYS.Operating_System_Name_and0,SYS.Resource_Domain_OR_Workgr0,SYS.User_Name0 from v_R_System SYS,v_GS_SoftwareFile SF WHERE SF.ResourceID=SYS.ResourceID and (SF.FileName = 'GDIPLUS.dll' and SF.FileVersion < '5.1.3102.1355')";
	StatusMessageDetailSource = FALSE;
	XColLabel = "";
	YColLabel = "";
};
// ***** End *****

Back to the top