microsoftHappy Patch Tuesday!

The much anticipated patch for CVE-2013-3893 is set to be patched with KB 2879017. This KB is marked as Critical / PATCH NOW. So I thought it was apropos to show you how we verify that all of our systems are patched appropriately. Especially for these types of patches.

A while back, I had written about my waucheck.ps1 Powershell script that I wrote that will scan your domain and check for a KB hotfix using the WMIC QuickFixEngineering (QFE). With the recent beta release of PoshSec Framework I have updated this script to interact with the interface. You can download the most recent build on our Github page.

To launch the script, you can double click, or right click and select Run Script, on the waucheck.ps1 script.

This will open the dialog window asking for the parameters (options). The most exciting option is the “ShowInTab” option. This will take your results and put them in a nice tab for you to export to XML, CSV, or Tab Delimited TXT. Fill in the parameters and click Run.

You can see the progress of the scan on the Active Scripts tab. For security reasons, I have all of the PCs named “hidden”.

Once the scan is complete, you will see a new tab labelled Windows KB (2879017) Results. You can then reference this list or export it to xml, csv, or txt and use it where needed.

One thing I found out is that if you get RPC_Error it could be that the machine is no longer on your domain, not turned on, or their GPO is not set correctly. To check this go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile  and set WindowsFirewall: Allow inbound remote administration exception to Enabled.

I hope that the PoshSec Framework and the waucheck.ps1 can help you ensure that this 0Day issue is patched appropriately on your domain. Please feel free to leave any comments, suggestions, or constructive feedback on our Github page or in the comments below.

Happy Patch Tuesday and Reboot Wednesday everyone!

Share →