In keeping with my previous post here's another situation where a patch for a vulnerable Microsoft product can't and won't automatically be applied. Similar to MSXML 4.0 SP2, this occurs with older software with publicly available exploits already written. This scenario, once again, comes to us thanks to our trusty vulnerability management system - however this time it's a very specific scenario that will only occur in enterprises.

In short MS09-043[1] for Office Web Components (OWC) for Office 2007 won't deploy correctly on systems that use SCCM 2007 for deployment due to problems with the Microsoft Update Catalog[2].

This story begins with an anomaly detected by a Vulnerability Management System. MS09-043 was released in August 2009, and covered a number of products including Office XP and 2003, ISA Server, and the more obscure Microsoft Office 2003 Web Components for the 2007 Microsoft Office System. MS09-043 patches a vulnerability in OWC that has publicly available exploits that are included in Metasploit, CANVAS, and Core Impact.

What is Office Web Components?###

Wikipedia provides the following information on OWC:

Office Web Components (OWC) are a group of Object Linking and Embedding (OLE) components available in Office 2000, XP and 2003. These ActiveX Controls can be plugged into web pages, Visual Basic and Visual Basic for Applications (VBA) forms, Windows Forms or programmed in-memory.[3]

In it's simplest form OWC is an ActiveX component that you're likely to find on Windows Machines. Office 2007 and above don't include OWC any more and the weirdly named Microsoft Office 2003 Web Components for the 2007 Microsoft Office System is the last supported version released by Microsoft.

What caused the issue?###

In this instance the Vulnerability Management System was showing a vulnerability relating to MS09-043, however the automated patching tools were showing that MS09-043 wasn't required.

The investigation found that SCCM relies on the Microsoft Update Catalog to determine if an update has been superseded. It makes sense that if a patch has been superseded it can be ignored and just the newer patch applied. In this instance there is an error with the supersedence and SCCM believes that Microsoft Office Access Runtime and Data Connectivity 2007 Service Pack 3 (SP3)[4] supersedes the MS09-043 patch of KB947318[5].

Image of catalog entry for Microsoft Office Access Runtime and Data Connectivity 2007 Service Pack 3 (SP3)

If you only have OWC 2003 for 2007 Office System installed without Office 2003 or 2007 the Office Access Runtime and Data Connectivity 2007 SP3 won't install. The reason it won't install is that the installer can't detect any installed versions of Access or Microsoft's Data Connectivity tools as part of it's prerequisite checks. This scenario is most likely when you've your version of Office is 2010 (or newer) but you still have legacy applications needing OWC).

If you examine the contents of the Office Access Runtime and Data Connectivity 2007 SP3 package the updated OWC dll files are included, they just never get a chance to install.

I've created a case with Microsoft and asked that they either:

  • Fix the supersedence issue in the Microsoft Update Catalog.
  • Update the Office Access Runtime and Data Connectivity SP3 package to detect and update OWC.

Unfortunately neither of these will be occurring due to the age of the Office Suite in question and a workaround in SCCM 2012 being available. This is despite OWC 2003 for 2007 systems being in extended support until 2017[6] and SCCM 2007 R3 being in extended support until 2019[7].

Mitigation###

If you're using SCCM 2007 Microsoft recommended one of the following to mitigate the problem:

  • Manually deploy KB947318 as a package.
  • Enable your clients to install updates from your WSUS instance as well as SCCM.
  • Upgrade to SCCM 2012 and use the new supersedence rules.

1 - https://technet.microsoft.com/en-us/security/bulletin/MS09-043

2 - https://catalog.update.microsoft.com - best viewed with Internet Explorer due to Active-X requirements

3 - http://en.wikipedia.org/wiki/Office\_Web\_Components#Office\_Web\_Components which is released under the [Creative Commons Attribution-Share-Alike License 3.0](http://creativecommons.org/licenses/by-sa/3.0/)

4 - http://support.microsoft.com/kb/2526310

5 - https://support.microsoft.com/kb/947318

6 - http://support.microsoft.com/kb/972129

7 - http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=System%20Center%20Configuration%20Manager&Filter=FilterNO