Bugs/Security issues with PatchLink's Update Server
Security Focus,
I have been reporting issues to PatchLink Support for two years now with little
or no resolution on most of the things I find. Because they are such a large
patch management platform I think it is important that they be responsible for
their coding practices. But even trying to work with the company directly,
they are not fixing the issues that have plagued their system for a long time
now, including fundamental flaws in vulnerability detection.
For each entry, I am including my internal tracking number then their ticket
number if one was generated and then a short text about the issue. As an
example:
PatchLink Issue #10 - #8712 - Adding Domain users causes the Status screen to
display unexpected text.
The 10> is my tracking number & #8712 is a ticket with PatchLink Support.
So if you ever needed the e-mail trail, I'd be happy to forward it to you. All
I would need is my tracking number. I've recorded all calls & e-mails in my
tickets.
I am going to add all relevant tickets/issues I have with Update Server. Use
what you deem appropriate. Since this is my first time writing to a
company/forum like this, could you please let me know what happens next to the
information I provide in this e-mail? As an example, where would I go to see
what your company has published?
My company uses:
PLUS (PatchLink Update Server) version: 6.2.0.189
Update Agent version: 6.2.0.181
The PLUS server is joined to a domain.
10> Opened 2004/08/04 - Closed xxxx/xx/xx - #8712 - Adding Domain users
causes the Status screen to display unexpected text.
Note: This issue is about the gibberish that returns when granting domain users
access to the application. When adding more than one person, the wizard does
grant individuals to the incorrect roles/groups. This wizard does not work
properly. It can grant some users more access than the admin intended.
30> Opened 2005/01/13 - Closed xxxx/xx/xx - #8716 - How machines appear in
the patched status for the most current service packs as well as previous
service packs.
Note: This issue is the fact that the Update Server application does incorrect
counting. As an example, and this happens for sure with Windows & the Novell
Client, if you had 10 Windows 2000 Professional machines with Service Pack 4, 8
Windows 2000 Professional machines with Service Pack 3, 6 Windows 2000
Professional machines with Service Pack 2 & 4 Windows 2000 Professional
machines with Service Pack 1... you would receive the following report:
Windows 2000 Professional machines with Service Pack 1 = 28 (4 + 6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 2 = 24 (6 + 8 + 10)
Windows 2000 Professional machines with Service Pack 3 = 18 (8 + 10)
Windows 2000 Professional machines with Service Pack 4 = 10 (10)
35> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Security issue,
granting one drop down menu will give all drop down menus with the inventories.
Note: The Inventory section of Update server consists of 4 sub-sections,
Operating Systems, Software, Hardware & Services. Operating Systems is the
default page. In the administration portion of Update Server I can
individually grant & revoke access to these pages to a role. Yet the
application does not work the way it should. If Operating Systems is revoked
but any of the other options are allowed, the end-user will not gain access to
the Inventories section because Operating Systems is always the default.
Additionally, if Operating Systems and one of the other options are allowed,
then access to all 4 will be allowed.
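Added example (not PatchLink's code): a model of the two ways of gating the four Inventory sub-pages described in ticket 35. The "flawed" version reconstructs the observed behaviour (a section-level gate keyed on the default page), the "fixed" version checks each sub-page; the permission sets are constructed.

```python
"""Added example, not PatchLink's code: section-level vs per-page gating of the
Inventory sub-pages. 'serve_flawed' reconstructs the behaviour reported in
ticket 35; role permission sets used below are constructed."""
from typing import Callable, Optional, Set

INVENTORY_PAGES = ("Operating Systems", "Software", "Hardware", "Services")
DEFAULT_PAGE = INVENTORY_PAGES[0]      # the section always lands here

def serve_flawed(perms: Set[str], requested: str) -> Optional[str]:
    """Access to the whole section is decided once, by the default page; once
    any second page is granted, every sub-page is served without its own
    check. Returns the page served, or None when access is denied."""
    if DEFAULT_PAGE not in perms:
        return None                    # revoked default locks out the section
    if requested == DEFAULT_PAGE:
        return requested
    if any(p in perms for p in INVENTORY_PAGES[1:]):
        return requested               # one extra grant unlocks all four
    return None

def serve_fixed(perms: Set[str], requested: str) -> Optional[str]:
    """Check the requested sub-page itself; if the default page is revoked,
    land on the first sub-page the role is actually granted."""
    allowed = [p for p in INVENTORY_PAGES if p in perms]
    if requested in allowed:
        return requested
    if requested == DEFAULT_PAGE and allowed:
        return allowed[0]              # redirect to a granted page
    return None                        # revoked (or unknown) page: deny

def reachable(perms: Set[str], serve: Callable) -> Set[str]:
    """Pages a role can actually open, found by requesting each one."""
    return {p for p in INVENTORY_PAGES if serve(perms, p) == p}

def over_granted(perms: Set[str], serve: Callable) -> Set[str]:
    """Reachable pages the role was never granted: the audit finding an
    administrator would want to see when comparing roles to effective access."""
    return reachable(perms, serve) - set(perms)
```

Running over_granted for each role against the live application is the check that turns "the wizard does not work properly" into a list of specific pages and roles to fix.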
36> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Bug: Missing the option to
grant Mandatory pages to roles.
Note: Within the admin/option portion of the application, the Mandatory page
cannot be granted or revoked from a user. All other pages for a group are
controllable.
40> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: List
applications that ARE installed on a server.
Note: This patch management product cannot display what products ARE installed.
In a comparison with Shavlik's HFNetChk, HFNetChk can tell you which version of
MDAC is installed, as well as of any other product HFNetChk can patch; Update
Server, on the other hand, cannot.
43> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: In the
deploy wizard, use hierarchical grey check boxes.
Note: I thought this one might be useful to add to this list. If it isn't,
disregard it. Many mistakes have & can be made because there are long lists of
patches and each company must be checked in certain situations. I offered this
suggestion as a product enhancement.
44> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add KB832414
(as 823490). This is for MSXML 2.6.
Note: Update Server does not support the latest service pack for MSXML 2.6.
This leads companies to a false sense of security.
45> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Patch Request: Add
KB887606. This is for MSXML 2.6, MSXML 3.0 Service Pack 3 & MSXML 4.0.
Note: This request is to add a hotfix patch.
46> Opened 2005/02/25 - Closed xxxx/xx/xx - # - Product Enhancement: Have a
logout feature.
Note: This product does not have a log out feature. As an example, if two
sessions of Internet Explorer are open, one to the PLUS server & another to
www.msn.com, and the user closes the window to the PLUS server & leaves the
workstation unlocked, a second user can walk up, press CTRL-N on the
www.msn.com window and gain access to the PLUS server by typing the URL in the
browser's address bar.
47> Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Why doesn't
Adobe Acrobat and patches uninstall when I choose that option in the baseline?
Note: The PLUS server cannot uninstall Adobe Acrobat even though it is an
option on the patch.
49> Opened 2005/07/07 - Closed xxxx/xx/xx - #100-09-000046 - Tim & I
believe that MS04-030 has a PatchLink pop-up that can be removed for Win2k and
possibly WinXP.
Note: This patch does not act silently when the option to do so is set. I have
been unable to test this patch for a long time now.
51> Opened 2005/10/26 - Closed xxxx/xx/xx - #001-00-006110 - 'Novell
2971589 Novell Client 4.91 Update 'A'' is automatically restarting workstations
and there are no event logs of the install.
Note: The deployment of this patch automatically restarts clients when the
option to not do so is set. Additionally, it seems that the Novell Patch does
not add any events to the Application Event Log.
52> Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006346 - SQL Server
Desktop Engine (MSDE) 2000 SP4 not detected for all SQL installations (total
missing = 7).
Note: Update Server has absolutely no way of detecting non-default
installations of MSDE & SQL Server. This leads to a false sense of security,
especially if this is your only patch management solution. Additionally,
PatchLink does not publish this limitation to the public.
53> Opened 2005/11/02 - Closed xxxx/xx/xx - #001-00-006347 - HFNetChkPro
detects that MDAC 2.8 SP1 is needed for JMCGUIRE. Update Server says it is
installed.
Note: Update Server cannot correctly detect the need to install this patch. I
had a machine that had MDAC 2.8 SP1 but somehow one or two files had been
replaced by older versions. HFNetChk detected this situation but Update Server
said the machine was patched.
55> Opened 2005/11/03 - Closed xxxx/xx/xx - #001-00-007183 - Feature
Enhancement: Add 'Idle' & 'Working' to "Computers" "Status" drop-down.
Note: I consider this a bug. In the Computers section, 5 options are allowed
in the "Status" drop down (--- All *-, Enabled, Sleeping, Offline, Disabled).
Yet in the Status column, which this is associated with, there are 5
possibilities (Idle, Offline, Working, Sleeping & Disabled).
57> Opened 2005/11/08 - Closed xxxx/xx/xx - #001-00-006499 - Outlook 2003
Junk E-mail Filter Update KB906173 (October 2005) is being offered to machines
that have Outlook 2003 installed. While, Windows/Microsoft Update offers this
patch to any machine with Office 2003 installations that do not have Outlook
2003 installed.
Note: I don't know why PatchLink as a company wouldn't add this patch or mimic
the way Microsoft detects it with Windows Update or Microsoft Update. They
have refused to add this. I am quite positive that it is due to the
fundamental flaws with the detection engine Update Server uses. I also assume
that if Office 2003 is installed on a machine without Outlook,
Windows/Microsoft Update will still install the patch in anticipation of
Outlook being added (or something like that).
58> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007041 - Product
Enhancement: Add sorting by red R & green C column.
Note: I consider this a bug. All other columns are sortable, why not this one?
I use it all the time to try to differentiate between machines that need a
restart & those that don't.
60> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007186 - Request
Microsoft XML Parser (MSXML) 2.6 SP3 to be added to the database.
Note: PatchLink seems to no longer be supporting a product they already
support. They do not offer the latest service pack for this application. They
do offer prior service packs. This can lead companies into a false sense of
security.
61> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007042 - BUG: When
hovering over a machine's icon while in a Mandatory Baseline for a User created
group when an assigned patch has been expanded, the date & time of the last
connection are not available.
Note: This is a self-explanatory bug.
62> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007073 - Typo: Extra
space in MS05-031 text string
Note: The text for all patches but this one is exactly the same whether viewed
from a web page OR from the Export of a mandatory baseline. I use the Exports
to show configuration changes. But when I use an exported spreadsheet & I copy
a cell with a patch name and then paste it into the find window box of Internet
Explorer when I am in the section to add or remove patches from a baseline...
the pasted text does not match the name in the list. This is not an Internet
Explorer issue because the extra space is in the middle of the text. PatchLink
Support is refusing to add a (Rev 2) to this patch like they have done with
other patches.
63> Opened 2005/11/29 - Closed xxxx/xx/xx - #001-00-007074 - Issue with
MPSB05-07 Flash Player 7 patch & Update Server's deployment
Note: This is a really big issue I have with PatchLink as a company. When this
patch came out
(http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html)
PatchLink as a company decided to not offer the patch that fixed this
situation. Macromedia offers this patch as well
(http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33).
Instead PatchLink packaged Macromedia's Flash Player 8 as the patch that fixed
Flash Player 7. They did note this in their Description. But if you install
their patch, vulnerable files still exist on the client that was "patched". It
is impossible to patch the vulnerable Flash Player 7 files using Update Server.
I have issues because they made a decision to patch a product with a new
version of the application. I have issues with PatchLink because this issue
was raised to them and they have done nothing about this. I have issues with
their naming scheme because the patch name suggests that it will patch Flash
Player 7 when it doesn't do this at all. Note: In prior upgrades of Flash Player
the old version was removed. When Flash Player 8 came out, this no longer
happened.
64> Opened 2005/12/16 - Closed xxxx/xx/xx - #001-00-007528 - Trying to
figure out why SQL Server patches are reported as missing
Note: From PatchLink: This is a known issue. A missing registry key produces a
false negative.
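Added example (not PatchLink's or Shavlik's code) covering the detection failures in tickets 53 and 64: a patch check that trusts only the installer's registry marker, cross-checked against the versions of the files the patch actually ships. Host names, registry key, file paths and version numbers are constructed placeholders, not MDAC's or SQL Server's real ones.

```python
"""Added example, not PatchLink's or Shavlik's code: cross-checking a
registry-marker-only patch check against file-version evidence on a constructed
host inventory. All keys, paths, versions and host names are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))

@dataclass
class Host:
    name: str
    registry: Dict[str, str]      # constructed: marker keys present on the host
    files: Dict[str, str]         # constructed: path -> on-disk file version

@dataclass
class PatchRule:
    name: str
    marker_key: str               # key the installer writes when it runs
    min_versions: Dict[str, str]  # path -> lowest version that counts as patched

def needed_by_registry(host: Host, rule: PatchRule) -> bool:
    """Registry-only check: 'patched' exactly when the marker key exists."""
    return rule.marker_key not in host.registry

def needed_by_files(host: Host, rule: PatchRule) -> bool:
    """File-version check: patched only if every shipped file is present at or
    above the fixed version. A host with none of the files lacks the product,
    so the patch is not applicable there."""
    if not any(p in host.files for p in rule.min_versions):
        return False
    return any(parse_version(host.files.get(p, "0")) < parse_version(v)
               for p, v in rule.min_versions.items())

def discrepancies(hosts: List[Host], rule: PatchRule) -> List[Tuple[str, bool, bool]]:
    """Hosts where the two methods disagree: (name, registry verdict, file verdict),
    each verdict being True when the method says the patch is still needed."""
    out = []
    for h in hosts:
        r, f = needed_by_registry(h, rule), needed_by_files(h, rule)
        if r != f:
            out.append((h.name, r, f))
    return out

RULE = PatchRule("EXAMPLE-SP1", "HKLM\\SOFTWARE\\ExampleCo\\Product\\SP1",
                 {"C:\\Product\\core.dll": "1.2.3.0", "C:\\Product\\ui.dll": "1.2.3.0"})
HOSTS = [
    # Ticket 53 pattern: installer wrote its key, but ui.dll was later overwritten
    # by an older copy. Registry says patched; the file says vulnerable.
    Host("host-a", {RULE.marker_key: "1"},
         {"C:\\Product\\core.dll": "1.2.3.0", "C:\\Product\\ui.dll": "1.2.1.0"}),
    # Ticket 64 pattern: files are fixed but the key is absent, so a registry-only
    # check reports the patch as missing (the false negative PatchLink described).
    Host("host-b", {}, {"C:\\Product\\core.dll": "1.2.3.0", "C:\\Product\\ui.dll": "1.2.3.0"}),
    Host("host-c", {}, {}),   # product absent: only the file check knows it does not apply
]
```

discrepancies(HOSTS, RULE) is the report to run whenever a second scanner disagrees with the patch server: every row is a host whose real state needs to be settled by looking at the files, not the marker.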
Well there you have it. I hope that these qualify as bugs & security
vulnerabilities that can benefit bugtraq. So as I asked before, could you let
me know what is going to happen to this information now that you have it?
Could you give me a URL that shows me where this information went to?
Regards,
Brian Boner
Sr. Systems Administrator
TBG Financial