
Bugs/Security issues with PatchLink's Update Server



Security Focus,

I have been reporting issues to PatchLink Support for two years now with little 
or no resolution on most of the things I find.  Because they are such a large 
patch management platform I think it is important that they be responsible for 
their coding practices.  But even trying to work with the company directly, 
they are not fixing the issues that have plagued their system for a long time 
now, including fundamental flaws in vulnerability detection.
For each entry, I am including my internal tracking number then their ticket 
number if one was generated and then a short text about the issue.  As an 
example:
PatchLink Issue #10 - #8712 - Adding Domain users causes the Status screen to 
display unexpected text.
The 10> is my tracking number & #8712 is a ticket with PatchLink Support.
So if you ever needed the e-mail trail, I'd be happy to forward it to you.  All 
I would need is my tracking number.  I've recorded all calls & e-mails in my 
tickets.

I am going to add all relevant tickets/issues I have with Update Server.  Use 
what you deem appropriate.  Since this is my first time writing to a 
company/forum like this, could you please let me know what happens next to the 
information I provide in this e-mail?  As an example, where would I go to see 
what your company has published?

My company uses:
PLUS (PatchLink Update Server) version: 6.2.0.189
Update Agent version: 6.2.0.181
The PLUS server is joined to a domain.

10>     Opened 2004/08/04 - Closed xxxx/xx/xx - #8712 - Adding Domain users 
causes the Status screen to display unexpected text.
Note: This issue is about the gibberish that returns when granting domain users 
access to the application.  When adding more than one person, the wizard 
grants individuals to the incorrect roles/groups.  This wizard 
does not work properly.  It can grant some users more access than the admin 
intended.

30>     Opened 2005/01/13 - Closed xxxx/xx/xx - #8716 - How machines appear in 
the patched status for the most current service packs as well as previous 
service packs.
Note: This issue is the fact that the Update Server application does incorrect 
counting.  As an example, and this happens for sure with Windows & the Novell 
Client, if you had 10 Windows 2000 Professional machines with Service Pack 4, 8 
Windows 2000 Professional machines with Service Pack 3, 6 Windows 2000 
Professional machines with Service Pack 2 & 4 Windows 2000 Professional 
machines with Service Pack 1... you would receive the following report:
Windows 2000 Professional machines with Service Pack 1 = 28 (4 + 6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 2 = 24 (6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 3 = 18 (8 + 10)
Windows 2000 Professional machines with Service Pack 4 = 10 (10)

35>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Security issue, 
granting one drop-down menu gives all drop-down menus within the inventories.
Note: The Inventory section of Update server consists of 4 sub-sections, 
Operating Systems, Software, Hardware & Services.  Operating Systems is the 
default page.  In the administration portion of Update Server I can 
individually grant & revoke access to these pages to a role.  Yet the 
application does not work the way it should.  If Operating Systems is revoked 
but any of the other options are allowed, the end-user will not gain access to 
the Inventories section because Operating Systems is always the default.  
Additionally, if Operating Systems is allowed and one of the other options, 
then access to all 4 will be allowed.
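The permission behaviour described in issue 35, modelled as an added example (this is not PatchLink's code; the role and page names are assumptions): a coarse section-level check that reproduces the reported behaviour sits beside a per-page check, and an audit helper shows what a role can actually reach under each.

```python
# Added example, not code from PatchLink Update Server. The four sub-page names
# come from the report; the grant model and function names are assumptions.

INVENTORY_PAGES = ("Operating Systems", "Software", "Hardware", "Services")


def buggy_can_view(role_grants, page):
    """Reproduces the reported behaviour: the section is entered only through the
    hard-coded default page, and once any sub-page is granted all four are served."""
    if "Operating Systems" not in role_grants:
        return False  # default page revoked -> whole section unreachable
    return any(p in role_grants for p in INVENTORY_PAGES)  # any grant -> all pages


def fixed_can_view(role_grants, page):
    """Corrected check: every sub-page is authorized on its own grant."""
    return page in INVENTORY_PAGES and page in role_grants


def fixed_landing_page(role_grants):
    """Pick the first sub-page the role may see instead of a hard-coded default;
    None means the role has nothing in this section."""
    for page in INVENTORY_PAGES:
        if page in role_grants:
            return page
    return None


def audit_role(role_grants, can_view):
    """Set of sub-pages actually reachable under a given check, so an admin can
    compare the effective access with what was granted."""
    return {p for p in INVENTORY_PAGES if can_view(role_grants, p)}


if __name__ == "__main__":
    # Constructed role: granted two of the four inventory sub-pages.
    partial = {"Operating Systems", "Software"}
    print("granted:", sorted(partial))
    print("buggy   :", sorted(audit_role(partial, buggy_can_view)))
    print("fixed   :", sorted(audit_role(partial, fixed_can_view)))
    # Constructed role: default page revoked, one other sub-page granted.
    no_default = {"Hardware"}
    print("buggy landing:", buggy_can_view(no_default, "Hardware"))
    print("fixed landing:", fixed_landing_page(no_default))
```

Running the audit with both checks against each role definition on a server gives a quick list of roles whose effective inventory access differs from what was granted.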

36>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Missing the option to 
grant Mandatory pages to roles.
Note: Within the admin/option portion of the application, the Mandatory page 
cannot be granted or revoked from a user.  All other pages for a group are 
controllable.

40>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: List 
applications that ARE installed on a server.
Note: This patch management product cannot display what products ARE installed. 
 In comparison, Shavlik's HFNetChk can tell you which 
version of MDAC is installed, as well as any other product HFNetChk can patch; 
Update Server cannot.

43>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: In the 
deploy wizard, use hierarchical grey check boxes.
Note: I thought this one might be useful to add to this list.  If it isn't, 
disregard it.  Many mistakes have been & can be made because there are long lists of 
patches and each company must be checked in certain situations.  I offered this 
suggestion as a product enhancement.

44>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB832414 
(as 823490).  This is for MSXML 2.6.
Note: Update Server does not support the latest service pack for MSXML 2.6.  
This leads companies to a false sense of security.

45>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add 
KB887606.  This is for MSXML 2.6, MSXML 3.0 Service Pack 3 & MSXML 4.0.
Note: This request is to add a hotfix patch.

46>     Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: Have a 
logout feature.
Note: This product does not have a log out feature.  As an example, if two 
sessions of Internet Explorer are open, one to the PLUS server & another to 
www.msn.com, and the user then closes the window to the PLUS server & leaves the 
workstation unlocked, a second user can walk up, press CTRL-N on the 
www.msn.com window and gain access to the PLUS server if they type the URL in 
the browser's address bar.

47>     Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Why doesn't 
Adobe Acrobat and patches uninstall when I choose that option in the baseline?
Note: The PLUS server cannot uninstall Adobe Acrobat even though it is an 
option on the patch.

49>     Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Tim & I 
believe that MS04-030 has a PatchLink pop-up that can be removed for Win2k and 
possibly WinXP.
Note: This patch does not act silently when the option to do so is set.  I have 
been unable to test this patch for a long time now.

51>     Opened 2005/10/26 - Closed xxxx/xx/xx - #001-00-006110 - 'Novell 
2971589 Novell Client 4.91 Update 'A'' is automatically restarting workstations 
and there are no event logs of the install.
Note: The deployment of this patch automatically restarts clients when the 
option to not do so is set.  Additionally it seems that the Novell Patch does 
not add any events to the Application Event Log.

52>     Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006346 - SQL Server 
Desktop Engine (MSDE) 2000 SP4 not detected for all SQL installations (total 
missing = 7).
Note: Update Server has absolutely no way of detecting non-default 
installations of MSDE & SQL Server.  This leads to a false sense of security, 
especially if this is your only patch management solution.  Additionally, 
PatchLink does not publish this limitation to the public.

53>     Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006347 - HFNetChkPro 
detects that MDAC 2.8 SP1 is needed for JMCGUIRE.  Update Server says it is 
installed.
Note: Update Server cannot correctly detect the need to install this patch.  I 
had a machine that had MDAC 2.8 SP1 but somehow one or two files that were 
replaced by older versions.  HFNetChk detected this situation but Update Server 
said the machine was patched.

55>     Opened 2005/11/03 - Closed xxxx/xx/xx - #001-00-007183 - Feature 
Enhancement: Add 'Idle' & 'Working' to "Computers" "Status" drop-down.
Note: I consider this a bug.  In the Computers section, 5 options are allowed 
in the "Status" drop-down (--- All *-, Enabled, Sleeping, Offline, Disabled).  
Yet in the Status column which this associates with there are 5 possibilities 
(Idle, Offline, Working, Sleeping & Disabled).

57>     Opened 2005/11/08 - Closed xxxx/xx/xx - #001-00-006499 - Outlook 2003 
Junk E-mail Filter Update KB906173 (October 2005) is being offered to machines 
that have Outlook 2003 installed, while Windows/Microsoft Update offers this 
patch to any machine with Office 2003 installations that do not have Outlook 
2003 installed.
Note: I don't know why PatchLink as a company wouldn't add this patch or mimic 
the way Microsoft detects it with Windows Update or Microsoft Update.  They 
have refused to add this.  I am quite positive that it is due to the 
fundamental flaws with the detection engine Update Server uses.  I also assume 
that if Office 2003 is installed on a machine without Outlook, 
Windows/Microsoft Update will still install the patch in anticipation of 
Outlook being added (or something like that).

58>     Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007041 - Product 
Enhancement: Add sorting by red R & green C column.
Note: I consider this a bug.  All other columns are sortable, why not this one? 
 I use it all the time to try to differentiate between machines that need a 
restart & those that don't.

60>     Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007186 - Request 
Microsoft XML Parser (MSXML) 2.6 SP3 to be added to the database.
Note: PatchLink seems to no longer be supporting a product they already 
support.  They do not offer the latest service pack for this application.  They 
do offer prior service packs.  This can lead companies into a false sense of 
security.

61>     Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007042 - BUG: When 
hovering over a machine's icon while in a Mandatory Baseline for a user-created 
group when an assigned patch has been expanded, the date & time of the last 
connection are not available.
Note: This is a self-explanatory bug.

62>     Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007073 - Typo: Extra 
space in MS05-031 text string
Note: The text for all patches but this one is exactly the same whether viewed 
from a web page OR from the Export of a mandatory baseline.  I use the Exports 
to show configuration changes.  But when I use an exported spreadsheet & I copy 
a cell with a patch name and then paste it into the find window box of Internet 
Explorer when I am in the section to add or remove patches from a baseline... 
the pasted text does not match the name in the list.  This is not an Internet 
Explorer issue because the extra space is in the middle of the text.  PatchLink 
Support is refusing to add a (Rev 2) to this patch like they have done with 
other patches.

63>     Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007074 - Issue with 
MPSB05-07 Flash Player 7 patch & Update Server's deployment
Note: This is a really big issue I have with PatchLink as a company.  When this 
patch came out 
(http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html) 
PatchLink as a company decided to not offer the patch that fixed this 
situation.  Macromedia offers this patch as well 
(http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33).  
Instead PatchLink packaged Macromedia's Flash Player 8 as the patch that fixed 
Flash Player 7.  They did note this in their Description.  But if you install 
their patch, vulnerable files still exist on the client that was "patched".  It 
is impossible to patch the vulnerable Flash Player 7 files using Update Server. 
 I have issues because they made a decision to patch a product with a new 
version of the application.  I have issues with PatchLink because this issue 
was raised to them and they have done nothing about this.  I have issues with 
their naming scheme because the patch name suggests that it will patch Flash 
Player 7 when it doesn't do this at all.  Note: In prior upgrades of Flash Player 
the old version was removed.  When Flash Player 8 came out, this no longer 
happened.

64>     Opened 2005/12/16 - Closed xxxx/xx/xx - #001-00-007528 - Trying to 
figure out why SQL Server patches are reported as missing
Note: From PatchLink: This is a known issue.  A missing registry key produces a 
false negative.

Well there you have it.  I hope that these qualify as bugs & security 
vulnerabilities that can benefit bugtraq.  So as I asked before, could you let 
me know what is going to happen to this information now that you have it?  
Could you give me a URL that shows me where this information went to?


Regards,
Brian Boner
Sr. Systems Administrator
TBG Financial