It is recommended that some Microsoft security bulletin patches be repackaged and retested as part of upgrading to ManageSoft Security Patch Management 7.6. This article explains why, and describes how.
ManageSoft Security Patch Management 7.6 provides some replacement patches for patches supplied with earlier releases of ManageSoft Security Patch Management. The replacement patches extend the support provided by ManageSoft Security Patch Management 7.5 for these bulletins:
- MS04-028
- MS05-009
- MS05-022
When upgrading to ManageSoft Security Patch Management 7.6, ManageSoft Corporation recommends that you repackage and retest these patches if they are used in your enterprise, to make use of the new patches supplied.
ManageSoft Security Patch Management 7.6 also includes patches for the following bulletins that were not supported in earlier releases:
- MS05-004
- MS05-006
If you have previously deployed patches from any of these bulletins in your enterprise, it is recommended that you now take advantage of the patches supplied with ManageSoft Security Patch Management.
ManageSoft Security Patch Management 7.6 uses the three current Microsoft Enterprise Scan Tools to supplement Microsoft Baseline Security Analyzer (MBSA) for performing security analysis.
Some patch names in the bulletins discussed above have been changed. This is necessary to support the new scan tool functionality while keeping backward compatibility with client software from earlier ManageSoft Security Patch Management releases, including those for Windows 9x and NT computers (which do not support the scan tools). The name changes are:
- Patch gdiplus2003.exe replaced by WINDOWS SERVER 2003
- Patch gdiplusXP.exe replaced by WINDOWS XP
- Patch gdiplusIESP1.exe replaced by INTERNET EXPLORER 6
- Patch WindowsMedia9-KB885492-x86-ENU.exe and WindowsMedia9-KB885492-x86-ENU.EXE (same download URL) replaced by WINDOWS MEDIA PLAYER 9 SERIES
- Patch WindowsMedia9-KB885492-x86-FRA.exe and WindowsMedia9-KB885492-x86-FRA.EXE (same download URL) replaced by WINDOWS MEDIA PLAYER 9 SERIES
- Patch WindowsMedia9-KB885492-x86-DEU.exe and WindowsMedia9-KB885492-x86-DEU.EXE (same download URL) replaced by WINDOWS MEDIA PLAYER 9 SERIES
- Patch WindowsMedia9-KB885492-x86-JPN.exe and WindowsMedia9-KB885492-x86-JPN.EXE (same download URL) replaced by WINDOWS MEDIA PLAYER 9 SERIES
- MSNMessenger62.exe replaced by MSN MESSENGER
To make use of the new scan tool functionality, complete the following tasks after you have completed the upgrade process documented in the ManageSoft Security Patch Management Guide:
- Review and update the list of applications you want to patch. Refer to Setting your bulletin preferences in the Configuration chapter of the ManageSoft Security Patch Management Guide for details.
- Refresh your list of bulletins. This process retrieves the latest mssecure.xsl and the new bulletinupdate.xml files from the ManageSoft website, and adds the scan tool patch information to the database. Refer to Updating the list of bulletins in the Managing security patches chapter of the ManageSoft Security Patch Management Guide for details.
- Distribute the MBSA package from the software library (it has been modified in this release). Refer to the ManageSoft Operations Guide for details about deploying packages from the software library.
- Follow the instructions at Packaging security patches for distribution in the Managing security patches chapter of the ManageSoft Security Patch Management Guide to package (or repackage) patches for any of the five bulletins listed above that apply to your enterprise.
Remember that you will need to recall any approved bulletins from the production environment before being able to repackage them. Refer to Recalling bulletins from the production environment in the Managing security patches chapter of the ManageSoft Security Patch Management Guide for details.
- Add the new patch packages to policy. Refer to Packaging security patches for distribution in the Managing security patches chapter of the ManageSoft Security Patch Management Guide for details.
- Verify that all packages for the selected bulletins are properly distributed, using the ManageSoft Security Patch Management reports documented in the Reporting chapter of the ManageSoft Security Patch Management Guide.
- Remove packages containing the old patches from policy and the software library. Refer to the ManageSoft Operations Guide for instructions.
Once a bulletin refresh has distributed the latest mssecure.xml to managed devices, security analysis should work as before.
The patch name changes mean that packages using the old names will no longer be installable. ManageSoft Security Patch Management will determine that they are not applicable, and do nothing.
It is strongly recommended that you complete the tasks described above rather than use the shortcut described below. The new packages are backward compatible with ManageSoft Security Patch Management clients from earlier releases, and the ManageSoft Security Patch Management 7.6 client and associated scan tools provide significantly better detection capabilities than MBSA alone.
But if you are not planning to upgrade your ManageSoft Security Patch Management clients to release 7.6 yet, and really want to avoid completing the tasks described above, you can edit the packages containing the old patches (listed above), modifying the PatchName custom property to contain the new patch name in place of the old one. Make sure that any modified packages are redistributed.