eEye Digital Security

 I have been reading other posts that deal with these active X OCX files and how 3rd party vendor are supposed to patch them.

From my research, there is some discussion about msmask32.ocx version 6.0.84.18 not being vulnerable, but still flagging by a Retina scan.  Can you please verify vulnerable or not vulnerable?

My issue seams to deal with any workstation with ARC GIS loaded.  ESRI released a patch that took care of 5 of the 6 OCX files, but I still get this one in a scan.

Can you provide more info about ARC GIS? Who/what/hyperlinks/etc ?

You're right that the Microsoft patch only patches Microsoft products. Our audit checks for ANY vulnerable version of these OCX files, Microsoft or not related since the system could be vulnerable in either case.

I know some software vendors have done lots of research and decided to not update the file, but instead clarify that their software doesnt use the "vulnerable" piece of code in the file. This triggers a difference in mind set...  3rd party software vendor says your not vulnerable because they dont use that bad part of the code, but a vulnerable OCX file still exists leaving potential for something to happen.  Make sense?

If you provide info about what this software is and what it does and so forth, we might be able to make some changes, but truly if the vulnerable file still exists in most security folks minds, its still a vulnerable system.

 This is the company's main site

http://www.esri.com/

There are links on the site that talk about GIS.  GIS is a type of mapping software.  When asked about the OCX files this is what they had to say.

Microsoft has informed ESRI that eEye has acknowledged the security vulnerabilities to be the result of a software defect (false positives) in their Retna Security Network Scanner.  While eEye has resolved most of these issues by updating and making available new signature files, there is one issue that eEye acknowledges will not be addressed until they release a software patch currently scheduled for the 3rd week in July 2009. 

Nice of them to blame you, but are you aware of any discussion that took place with ESRI?  Its way past July and I still get these OCX files that pop up.

I'm not aware of that conversation. I know the audit for you that is triggering was last updated 8/26/2009. I know as new versions of that file come out, we sometimes have to update our regex. That aside, if GIS's software is installing a vulnerable version then thats an issue they need to assess and address / resolve.

What software from them do you have installed? If I can get a demo copy, I can install on a clean VM image and confirm they installed it.

 It is the GIS software.  You can find out more from the link.  I don't know that much about it, so that is about as much information as I can give you.