SMS: SUSFP detects that MS08-062 patches are needed even though IIS is not installed on target machine

Here's another issue you may want to be aware of if you're still using the old SUSFP scan engine to detect updates.  This one is from Clifton Hughes in our Las Colinas, Texas office:


Issue: In SMS 2003, if you are using SUSFP you may experience issues with the MS08-062 patch related to IIS and Internet Printing.  The SUSFP for SMS 2003 seems to detect that this update is "applicable" on all computers when in reality it is only applicable where IIS is installed.  ITMU and MBSA 2.1 correctly report this update as being applicable only if IIS is installed.

Cause: This is expected behavior and is a limitation of the legacy scan engine used by SMS 2.0 and SMS 2003.  The legacy scanner looks only for the potentially vulnerable files.  If found, it considers the machine vulnerable and offers the update.  The Microsoft Update-based technology used with SMS 2003 ITMU and Configuration Manager 2007 is more specific and in this case more accurate: If the vulnerable bits are present AND IIS is enabled, the system will be flagged as vulnerable.

Resolution: To avoid this issue, you should move to the latest scan technologies provided by SMS, which will resolve this problem. ITMU with SMS 2003 and/or System Center Configuration Manager 2007 do not suffer from this limitation.
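
An added example, not from the original post or from SMS itself: a small Python triage script that applies the two applicability rules described under Cause to an inventory export, so machines flagged only by the legacy file-presence rule can be separated from those that actually need MS08-062. The CSV column names, host names and values are constructed assumptions for illustration.

```python
import csv
import io

# Constructed inventory export; column names and values are assumptions.
SAMPLE_INVENTORY = """hostname,vulnerable_files_present,iis_installed
WEB01,yes,yes
FILE02,yes,no
WKS103,yes,no
WEB04,no,yes
WKS105,yes,
"""

def legacy_applicable(files_present):
    # Legacy scan engine rule from the post: file presence alone.
    return files_present

def mu_applicable(files_present, iis_installed):
    # Microsoft Update-based rule from the post: files present AND IIS.
    return files_present and iis_installed

def reconcile(csv_text):
    """Sort machines into buckets by how the two rules judge them."""
    buckets = {"patch": [], "legacy_only": [], "review": [], "not_flagged": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip()
        files = (row["vulnerable_files_present"] or "").strip().lower()
        iis = (row["iis_installed"] or "").strip().lower()
        if files not in ("yes", "no") or iis not in ("yes", "no"):
            # Incomplete inventory: do not write it off as a false positive.
            buckets["review"].append(host)
            continue
        f, i = files == "yes", iis == "yes"
        if mu_applicable(f, i):
            buckets["patch"].append(host)        # both engines agree
        elif legacy_applicable(f):
            buckets["legacy_only"].append(host)  # flagged by file presence only
        else:
            buckets["not_flagged"].append(host)
    return buckets

if __name__ == "__main__":
    for name, hosts in reconcile(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(hosts) or '-'}")
```

Machines in the `review` bucket have incomplete inventory and should be rescanned rather than dismissed.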


Thanks Clifton!

J.C. Hornbeck | Manageability Knowledge Engineer