I have a customer that is following the compliance status of their computers for MS12-060 in detail (as this vulnerability has a high priority in their environment), and yesterday they came back to find that the compliance status had dropped by about 50% over the weekend.
Looking into the Applicable and Installed update tables, they could see that KB2687441 was in both, so the update was installed and the computer compliant; so why would it show up as not compliant in their report?
We had a remote session this morning and found the following:
- MS12-060 updates were effectively compliant
- the applicable comctl.ocx updates were now from:
  - KB2687441 (MS12-060)
  - KB2598041 (MS12-027, superseded by MS12-060)
  - KB2687493 (not associated with any bulletin on the Microsoft site)
- KB2687493 was not on the installed table
- KB2687493 was not in the MS12-060 bulletin from Microsoft
- KB2687493 was associated with MS12-060 in Patch Management
- KB2687493 was associated with MSWU-732
- MSWU-732 had no Software Update Policy enabled
- MS12-060 policy did not contain any update for KB2687493
- The Patch Assessment Scan does not check this vulnerability and as such cannot report if it is installed or not (by KB).
So, it looks like KB2687493 is incorrectly associated with MS12-060, causing the compliance status to go right out of line.
As a temporary solution we deleted the ResourceAssociation that linked KB2687493 to MS12-060. This allowed the customer to run their report and find that compliance was still on the up (close to 95% now)!