Fake patches in KBOX?
I've noticed two patches in KBOX over the last 24 hours, which don't look right.
Their "created by" fields show "WIN-NX1BQRB85Z6Administr" instead of the usual "PatchLink Corp.". Also they reference old KB articles of patches previously released, yet those two are dated April 2013. Their titles are also questionable: "MS12-078 2753842 (EnglishMUI) Security Update for Windows XP" and "MS13-015 2789642 Security Update for Microsoft .NET Framework 4.0 (All Languages)". They don't specify the exact Windows versions they apply to, but simply say "Win x86".
I opened a ticket with KACE when I saw the first one yesterday, but they have yet to look into this in detail. I called them this morning when the second one appeared.
Just wanted to share this with you since these are weird looking and most of us are ready to deploy this month's patches. We might get tricked into pushing these if we aren't too careful.
04/17/2013 KACE Updates ticket:
Good morning, engineering currently has two open tickets with Lumension (3rd party used for patching) for these particular patches. Please see below.
MS13-015 2789642 [Lumension Ticket ID TS0052950] created on 04/08/13, priority high
MS12-078 2753842 [Lumension Ticket ID TS0053184] created on 04/11/13, priority high
No news from KACE and Lumension yet.
I'm seeing a 3rd such update.
This one is somewhat believable as it's specifying the OSes it applies to. However, the naming and the "created by" fields are still not as they should be.
Unfortunately it was grabbed by one of my smart labels and therefore automatically activated and ready to push. I have inactivated it.
04/22/2013 KACE Updates ticket:
No, the tickets with Lumension are still currently open. I will follow up with you as soon as they have been closed or there has been a change of any kind.
Have a wonderful Monday!
04/24/2013 KACE Updates ticket:
Good morning, I just verified that the tickets that were open with Lumension have been closed. Would you like for me to go ahead and archive your ticket for you now that the issue has been resolved?
04/25/2013 KACE Updates ticket:
Good morning, unfortunately I do not have access to the information you're requesting. I'll have to create an additional ticket with the L3 team who may have to create a ticket with Lumension requesting this info.
If you would still like this data, please let me know and I'll get the process started for you.
Have a great Thursday!
04/25/2013 I update the ticket asking for more info:
I still need to know:
- if these patches are released by Lumension
- if so, why are they releasing patches that were previously addressed
- if not, how did these patches appear in KBOX
Unfortunately the mere fact that a ticket was opened with Lumension and then closed, gives me nothing to work with.
04/25/2013: Here's the response KACE had about these patches.
Good morning, I received a response from engineering this morning. Please see answers provided below, if these do not answer your questions please let me know.
1. Were these patches released by Lumension? Yes these patches were released by Lumension.
2. If so, why are they releasing patches that have already been released in the past? There was an issue with detection of these patches.
TS0052950 - Detection Issue: MS13-015 security update for the .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: February 12, 2013 (KB2789642)
TS0053184 - Detection Issue: KB2753842 - MS12-078 - Description of the security update for the Windows OpenType Compact Font Format (CFF) driver: December 11, 2012
There was some detection of the patch, so Lumension had to fix the issue and re-post the patches to get the fix in.
Please let me know if these answers were able to answer your questions and I'll archive the ticket for you.
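The three oddities described at the top of this thread (unusual "created by" value, old KB with a fresh release date, no specific OS version) can be turned into a hold-for-review gate that runs before any automatic activation. This is an added example, not part of the original thread and not KACE or Lumension tooling; the record field names are hypothetical, the 30-day threshold is an assumption, and the sample records are constructed from details in the post.

```python
import re
from datetime import date

EXPECTED_PUBLISHER = "PatchLink Corp."  # the usual "created by" value named in the post
MAX_KB_AGE_DAYS = 30                    # assumption: older re-issues need a human look
NAMED_OS = re.compile(r"\b(XP|Vista|Server|Windows \d+)\b")

def review_reasons(patch):
    """Return the reasons a catalog record should not be auto-activated."""
    reasons = []
    if patch["created_by"] != EXPECTED_PUBLISHER:
        reasons.append("unexpected publisher")
    if (patch["released"] - patch["kb_date"]).days > MAX_KB_AGE_DAYS:
        reasons.append("old KB with new release date")
    if not NAMED_OS.search(patch["applies_to"]):
        reasons.append("no specific OS version")
    return reasons

def gate(patches):
    """Split records into (auto_activate, hold_for_review) lists."""
    activate, hold = [], []
    for p in patches:
        reasons = review_reasons(p)
        (hold if reasons else activate).append((p["title"], reasons))
    return activate, hold

# Constructed records: field names are hypothetical, release dates are made up
# within April 2013; titles, KB dates and publisher strings come from the thread.
SAMPLE = [
    {"title": "MS12-078 2753842 (EnglishMUI) Security Update for Windows XP",
     "created_by": "WIN-NX1BQRB85Z6Administr", "applies_to": "Win x86",
     "kb_date": date(2012, 12, 11), "released": date(2013, 4, 16)},
    {"title": "MS13-015 2789642 Security Update for Microsoft .NET Framework 4.0 (All Languages)",
     "created_by": "WIN-NX1BQRB85Z6Administr", "applies_to": "Win x86",
     "kb_date": date(2013, 2, 12), "released": date(2013, 4, 17)},
    {"title": "Constructed routine update (placeholder title)",
     "created_by": "PatchLink Corp.", "applies_to": "Windows 7 x64",
     "kb_date": date(2013, 4, 9), "released": date(2013, 4, 10)},
]

if __name__ == "__main__":
    activate, hold = gate(SAMPLE)
    for title, reasons in hold:
        print("HOLD:", title, "->", "; ".join(reasons))
    for title, _ in activate:
        print("OK:  ", title)
```

A held record is not necessarily fake, as the vendor's answer in this thread shows; the gate only keeps it out of automatic deployment until someone has confirmed its origin.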