
eEye Digital Security


Office XP False Positives

Last post 11-21-2009 1:22 AM by eyesonly. 16 replies.
  • 10-25-2009 6:21 PM

    Office XP False Positives

    I recently installed Windows XP & Office XP on a brand new disk.  I installed the service packs in chronological order.  Next, I went to Microsoft Update and applied all critical patches.  Microsoft Update reported NO critical updates.  Windows XP SP3 & Office XP SP3.

    Next, I installed Blink Personal, then updated the software & virus definitions.   I ran a Vulnerability Assessment and it reported the following 3 critical updates needed to be applied:

    Microsoft Office One Note URI Remote Code Execution (955047) - Office XP

    Microsoft Office Remote Code Execution (949030) - Office XP

    Microsoft Office Remote Code Execution (934873) - Office XP

    I checked the links to the Microsoft Bulletins to determine whether the updates may have already been applied in some kind of roll-out or cumulative update.  Although the Microsoft Bulletins did not mention any roll-out or cumulative updates that superseded the bulletins, I was able to find the files updated in the file information sections.

    My current system (Windows XP SP3, Microsoft Office XP SP3) reports:

    mso.dll     10.0.6856.0     9/04/09     9811792

    ietag.dll     10.0.6731.0     9/04/09     105152

     

    According to the Microsoft Bulletins:

    Microsoft Office One Note URI Remote Code Execution (955047) - Office XP per http://support.microsoft.com/default.aspx?scid=95507

    mso.dll     10.0.6845.0     6/11/08     9819136

    ietag.dll     10.0.6731.0     6/11/08      105152

    Microsoft Office Remote Code Execution (949030) - Office XP per www.microsoft.com/technet/security/bulletin/ms08-016.mspx

    mso.dll     10.0.6839.0     10/30/07     9819136

    ietag.dll     10.0.6731     9/10/04     105152

    Microsoft Office Remote Code Execution (934873) - Office XP per www.microsoft.com/technet/security/bulletin/ms07-025.mspx

    mso.dll     10.0.6830.0     3/26/07     9819480

     

    As you see, I have the most recent versions and most recent dated files even though I did not apply any of the 3 Microsoft Updates.  While I don't know exactly what Microsoft patch(es)/update(s) are responsible, I do know that my system is completely patched and Vulnerability Assessment incorrectly tells me to apply patches that apply older and obsolete versions of my current files.

    Please review my post to confirm that the aforementioned 3 critical update warnings in Vulnerability Assessment are really false positives.

    Again thank you for Blink Personal, it's really a great piece of software.

    Thanks in advance.
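    A worked example, added here and not code from eEye or from the poster, of the version-comparison logic the post above applies to its three findings: the installed versions and the bulletin file tables quoted in the post are embedded as inline data, and a verdict is returned per bulletin. A file that is absent, or whose major.minor branch differs from the bulletin's, is reported as indeterminate rather than as a finding; the KB-to-bulletin labels are the ones the post gives.

```python
"""Version-based patch audit of the kind discussed in this thread (example
added here, not eEye's code), run against the file versions quoted above."""
from typing import Dict, Tuple

# Installed file versions as reported in the post (Windows XP SP3, Office XP SP3).
INSTALLED: Dict[str, str] = {
    "mso.dll": "10.0.6856.0",
    "ietag.dll": "10.0.6731.0",
}

# Minimum fixed versions copied from the bulletin file-information tables quoted
# in the post. MS08-016 lists ietag.dll with only three components ("10.0.6731"),
# so the parser has to tolerate a missing revision field.
BULLETINS: Dict[str, Dict[str, str]] = {
    "KB955047": {"mso.dll": "10.0.6845.0", "ietag.dll": "10.0.6731.0"},
    "KB949030 (MS08-016)": {"mso.dll": "10.0.6839.0", "ietag.dll": "10.0.6731"},
    "KB934873 (MS07-025)": {"mso.dll": "10.0.6830.0"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c[.d]' into a 4-tuple; a missing trailing field becomes 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def compare_file(installed: str, required: str) -> str:
    """Judge one file: 'fixed', 'vulnerable' or 'other-branch'.

    Only the same major.minor (10.0 = Office XP) is comparable; an 11.x build
    belongs to a different product and says nothing about this bulletin."""
    have, need = parse_version(installed), parse_version(required)
    if have[:2] != need[:2]:
        return "other-branch"
    return "fixed" if have >= need else "vulnerable"


def audit(installed: Dict[str, str], bulletins: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """One verdict per bulletin.

    'not vulnerable': every listed file is present and at/above the fixed build.
    'vulnerable':     a listed file is below the fixed build on the same branch.
    'indeterminate':  a listed file is absent or from another branch; a scanner
                      should say so rather than assume the worst and raise an FP."""
    verdicts: Dict[str, str] = {}
    for kb, files in bulletins.items():
        results = {f: compare_file(installed[f], v) if f in installed else "missing"
                   for f, v in files.items()}
        if "vulnerable" in results.values():
            verdicts[kb] = "vulnerable"
        elif all(r == "fixed" for r in results.values()):
            verdicts[kb] = "not vulnerable"
        else:
            verdicts[kb] = "indeterminate"
    return verdicts


if __name__ == "__main__":
    for kb, verdict in audit(INSTALLED, BULLETINS).items():
        print(f"{kb:22} {verdict}")
```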

     

  • 10-26-2009 11:10 AM In reply to

    Re: Office XP False Positives

    Brian,

         Do you know what Retina is looking for, for this audit?

  • 10-29-2009 3:38 PM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 125

    Re: Office XP False Positives

     Can you confirm if this regkey exists?

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Patches\5680DFD9F0E474947AD7345D78285AF7

     

    Also in add/remove programs (if you show the windows updates), do you see a patch for the MS08-016 patch?

  • 11-17-2009 6:34 AM In reply to

    Re: Office XP False Positives

    I have checked for the registry entry, but I do NOT want to post the results here.  Unless you tell me exactly what this reg key is meant to indicate, I don't want to risk letting the entire internet know whether my computer has this registry key or NOT.  If it means that my computer is NOT secure, then I don't want to advertise to every hacker on the internet.

    I would prefer if you left a secure e-mail address where I could contact you with the results of my inquiry (whether the reg key you indicated is present or NOT on my computer).

    As to the Add/Remove Programs, Microsoft's patches are NOT displayed using the MSXX-XXX convention used in the Security Bulletins.  Rather, Microsoft lists the patches as KBXXXXXX.  I was VERY SPECIFIC in my initial post, so you should be able to determine the patch name using the KBXXXXXX convention that Microsoft uses in Add/Remove Programs.  As it stands, I don't know what KB numbered patch you want me to look for.  Please research the correct KB number for the patch, and I will let you know via any secure e-mail address that you would prefer.  Please send me the e-mail address to continue corresponding with Eeyes.

    If you fail to post an e-mail address, then I'm afraid this thread is going to die, because I will NOT post the information on a public forum, where hackers may read it and try to hack my computer.

    As I mentioned in my first post, Microsoft Update says that I have applied ALL patches and that my system is secure.  Also, my versions of the files updated by the patches are MORE CURRENT than the versions described in Microsoft's Security Bulletins (see my first post).

    Thanks in advance.

    I look forward to continuing this correspondence via secure e-mail.

  • 11-17-2009 8:55 PM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 125

    Re: Office XP False Positives

    Check Add/Remove Programs for the following Microsoft patches:

    KB955047

    KB949030

    KB934873

    Also, are you using Retina or Blink when you see these audits?

  • 11-18-2009 1:42 AM In reply to

    Re: Office XP False Positives

    bpatten:

    Check Add/Remove Programs for the following Microsoft patches:

    KB955047

    KB949030

    KB934873

    Also, are you using Retina or Blink when you see these audits?

    You would NOT have to ask those questions if you read my original post.

    Read my original post again.

    I said that I installed Blink Personal.

    I said I did NOT install any of the three Microsoft patches.

    Why do I have to repeat myself?

    That's why I was unsure what KB numbers to look for.  Surely you didn't mean the three KB patches that I already mentioned in my original post, I thought to myself.  But you did ...

    BTW, how about a secure e-mail address so I can report my findings on the registry entry???

    Or maybe you failed to read that part of my last post, even though I mentioned it multiple times.

    I will await whatever response you deem to bestow upon me.

     

  • 11-18-2009 8:19 AM In reply to

    Re: Office XP False Positives

    You can email your results along with a link to this post (as a point reference) to bpatten@eeye.com .

     

  • 11-18-2009 4:38 PM In reply to

    Re: Office XP False Positives

    Blue1978:

    You can email your results along with a link to this post (as a point reference) to bpatten@eeye.com .

    Thanks Blue.

    Have a great day!

  • 11-18-2009 4:55 PM In reply to

    Re: Office XP False Positives

    I have sent an e-mail answering bpatten's inquiry about the windows registry.

    Since all questions have been answered, I am anxious to find out which is correct: Microsoft Update (which says my system IS secure) or Blink Vulnerability Assessment (which says my system is NOT secure).

    I have asked bpatten to let me know the significance of the registry entry (or lack thereof), and whether my system is secure or unsecure.  Microsoft Update is telling me that my system is secure, Blink Vulnerability Assessment is telling me my system is NOT secure.  Both can't be right; one of them is wrong.

    The results should either help Eeyes troubleshoot Vulnerability Assessment or help Eeyes to inform Microsoft of a hole in Microsoft Update.

    I await the results.

  • 11-18-2009 5:11 PM In reply to

    Re: Office XP False Positives

    Alright, good to know.  Hopefully Brian responds to you soon, he and Nicula are really busy folks. :)

  • 11-19-2009 12:58 AM In reply to

    Re: Office XP False Positives

    Thanks Blue, I hope to hear back from someone at Eeyes.

    They might think this is a joke, because they are working on Windows 7 compatibility, rather than concentrating on "old" software like Windows XP and Office XP.  But the fact is Windows XP accounts for over 70% of the total market share for operating systems.  Windows 7 has only a little over 2% of the total market share.  Vista is currently at a little over 18% of the total market share.   Vista NEVER replaced XP, and there's no reason to believe Windows 7 will replace XP until Microsoft stops releasing security patches for Windows XP.  Here is the pie chart for market share:

     http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10

    Office XP is still the #1 deployed version of Microsoft Office according to Forrester Research.  According to the survey, 60% of the companies still deployed Office XP.  Compare that to the latest version of Microsoft Office - Office 2007, which was deployed in 43% of the companies.  Here is the pie chart for deployment of Microsoft Office:

    http://www.microsoft-watch.com/content/business_applications/office_2007_is_inevitable.html

    The point I am making is that although it may seem that responding to a thread on Office XP running on Windows XP is irrelevant, because Windows 7 and Office 2007 have superseded both software ... the majority of users are still, in fact, running Windows XP and Office XP.  And there is no reason to believe this will not continue, at least in the short-term.

    So if Eeyes ever wants to succeed in winning over people and attracting new customers, they should seriously consider concentrating on what most customers currently own (Windows XP & Office XP), not on the newest software available (Windows 7, Office 2007).  Windows 7 may be the eventual future, but that's what they were saying when Vista arrived.  Windows XP is proven and does everything that you would ever want to do.   The exact same thing could be said about Office XP.  That's why users have stayed with Windows XP and Office XP.

    I hope this clears up why I think it was important enough to report the false positive in the first place.

    Hopefully Eeyes can make time for this, even if they are busy.

     

  • 11-19-2009 9:16 AM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 125

    Re: Office XP False Positives

    I received your email. I'm reviewing the information.

    Can you confirm if KB974811 or KB957488 patch is installed?

    Thank you

     

  • 11-19-2009 5:24 PM In reply to

    Re: Office XP False Positives

    bpatten:

    I received your email. I'm reviewing the information.

    Can you confirm if KB974811 or KB957488 patch is installed?

    Thank you

    I sent you an e-mail reporting my findings on KB974811 & KB957488.

    Please keep this information CONFIDENTIAL & DO NOT POST THE CONTENTS OF MY E-MAIL OR REPLY TO MY E-MAIL ON THE EEYES DIGITAL SECURITY FORUM WITH ANY REFERENCE ABOUT WHETHER MY COMPUTER DOES OR DOES NOT HAVE KB974811 OR KB957488 INSTALLED.

    I don’t want to jeopardize the security of my computer over the internet.  While I am happy to assist Eeyes in troubleshooting a possible false positive in Blink’s Vulnerability Assessment module, I do NOT want hackers to know what patches I do or do not have installed on my computer.

    PLEASE RESPECT MY REQUEST FOR PRIVACY IN THIS MATTER.

    Thank you for respecting my privacy in this matter.  I hope the information I have provided will assist you in determining whether there is a false positive in Blink’s Vulnerability Assessment module or whether there is a hole in Microsoft Update.  Either way, please let me know, preferably by secure e-mail, if my computer is secure or unsecure.

    Thanks in advance.


  • 11-19-2009 11:40 PM In reply to

    Re: Office XP False Positives

     eyesonly,

    Let me assure you that we at eEye haven't made XP/2003 a lower priority with the introduction of Windows 7. I'm the lead developer of Retina and I spend 70% of my time dealing with issues relating to XP/2003 and even 2000. We know XP is still the dominant Windows OS.

    I've read this thread trying to identify what the problem is, but I see no mention of the actual audits that FP. What are the audit numbers? You mention mso.dll which is marked as a shared dll by MS. This being the case, SideBySide (SxS) comes into play when trying to ascertain the version numbers of the DLL. Presuming the audit in question checks the version of the file to determine the vulnerability, SxS can cause FPs. For instance, if you installed XP fresh and upgraded to SP3 and went to the System32 directory, Explorer will show the version number of mso.dll to be the instance of the original installation. Even the date will be a few years old. Thanks MS! In reality, the new versions of mso.dll updated via patches are maintained in the SxS directory and the latest version will be loaded when a program needs it, not the version you see listed in Explorer. Yes, this is confusing.

    The next release of Retina takes SxS into account for several audits that look at the file version and will resolve many FPs. I don't know if your issue will be resolved in the new release since you didn't provide the audits in question, but we do take audits pertaining to XP/2003 seriously and will always allocate resources to rectify any false findings as long as the OS versions are supported.

     Craig Armstrong

    Senior Engineer, Team Retina

    carmstrong
    Sr. Software Engineer
    Retina Team

  • 11-20-2009 5:58 PM In reply to

    Re: Office XP False Positives

    carmstrong:

     eyesonly,

    Let me assure you that we at eEye haven't made XP/2003 a lower priority with the introduction of Windows 7. I'm the lead developer of Retina and I spend 70% of my time dealing with issues relating to XP/2003 and even 2000. We know XP is still the dominant Windows OS.

    I've read this thread trying to identify what the problem is, but I see no mention of the actual audits that FP. What are the audit numbers? You mention mso.dll which is marked as a shared dll by MS. This being the case, SideBySide (SxS) comes into play when trying to ascertain the version numbers of the DLL. Presuming the audit in question checks the version of the file to determine the vulnerability, SxS can cause FPs. For instance, if you installed XP fresh and upgraded to SP3 and went to the System32 directory, Explorer will show the version number of mso.dll to be the instance of the original installation. Even the date will be a few years old. Thanks MS! In reality, the new versions of mso.dll updated via patches are maintained in the SxS directory and the latest version will be loaded when a program needs it, not the version you see listed in Explorer. Yes, this is confusing.

    The next release of Retina takes SxS into account for several audits that look at the file version and will resolve many FPs. I don't know if your issue will be resolved in the new release since you didn't provide the audits in question, but we do take audits pertaining to XP/2003 seriously and will always allocate resources to rectify any false findings as long as the OS versions are supported.

     Craig Armstrong

    Senior Engineer, Team Retina

    Thanks for the reply.

    First of all, you're going to have to expand your explanation about "FPs" and "audit numbers".  I gave you all the information I have.  Nowhere have I seen any mention of audit numbers in Blink Personal's Vulnerability Assessment.  As lead developer, you should know the coding of the vulnerability assessment module and the resulting display of information.  If you want users to report "audit numbers" or "FPs", it is YOUR responsibility to display the information prominently in the "Vulnerability Assessment Report".

    Also if "audit numbers" & "FPs" are so important, why didn't anyone ask for them earlier?   Eeyes has posted numerous times to this thread, but NO ONE has said anything about "audit numbers" and "FPs".  "bpatten" does NOT seem to have any problems following up on my initial report of a false positive in Office XP, with NO MENTION of "FPs" and "audit numbers."  If you need more information, that's fine, I will provide whatever you requested, as I have been doing all along.  But you NEED to understand that your requests for "FPs" and "audit numbers" need further expansion.  Please don't use abbreviations like "FPs" without clearly explaining what "FPs" means or refers to.

    As I have mentioned, I don't see any mention of "audit numbers" or "FPs" on the Vulnerability Assessment Report.  If you want to use that terminology, I suggest you code your vulnerability assessment report to use the same terminology, so users can provide that information for you.

    Also, regarding the file dates, my file dates are MORE RECENT than the file dates of the three updates Blink Personal's Vulnerability Assessment reports as necessary patches.  That's the whole reason it's a false positive report.  Because (1)  Microsoft Update says I am secure and up-to-date (2) the files on my computer are MORE RECENT VERSIONS with a NEWER DATE than the files installed by the 3 updates that Blink's Vulnerability Assessment Report suggests need updating.  In other words, Blink Personal's Vulnerability Assessment IS TELLING ME TO INSTALL OLDER AND OBSOLETE VERSIONS OF FILES CURRENTLY ON MY COMPUTER.

    The file dates are September 4, 2009.  I did my fresh installation of Windows XP, Office XP, all service packs in chronological order, all security patches, etc. in late October 2009, so the date of my installation has no bearing on the file dates of the files on my computer.  Furthermore, your example talks about Windows Explorer not reporting the correct date, because:

    Quote.

    "Explorer will show the version number of mso.dll to be the instance of the original installation"

    End Quote.  

    However, in my case the original installation date is October 2009, and the files in question (for example) mso.dll is dated September 4, 2009.  Both dates are MORE RECENT than the versions of the files mentioned in the 3 Microsoft patches (KB955047, KB949030, & KB934873) listed in Blink Personal's Vulnerability Report.

    So how is the version number being reported differently by Explorer an issue in my case?  The answer is, IT HAS NOTHING TO DO WITH THE OFFICE XP FALSE POSITIVES that I reported.  Read my OP again, you will see I am right.  Your example about Explorer reporting an OLDER version of a file makes NO difference if my files are NEWER than the files updated by the patches mentioned in Blink Personal's Vulnerability Assessment.  Again, it seems as though you did NOT read my original post.  Instead of abstracting about how Microsoft's Windows Explorer works, why don't you read my original post again and keep your replies on topic.

    While I appreciate your reply, I am frustrated that another Eeyes employee has not read through my posts before posting a reply.

    BTW, there are "BIP" numbers on only 2 of the 3 "audits" I reported in the original post, so I assume you don't mean "BIP" numbers, otherwise every "audit" would include a "BIP" number.  Furthermore, I have included the full description as listed on the Vulnerability report on my original post.  Don't tell me you can't look up the "audits" based on the information I provide in the OP.  bpatten seems to have no problem following the original post, so why can't the "lead developer" follow my original post?

    Please expand your explanation of "FPs".  Also, include WHERE on the Vulnerability Assessment Report to find the "FPs", so I can provide that information to Eeyes.

    Also, explain why you stated that I did NOT provide audits?  To my knowledge I DID provide which audits.  I provided extensive information in the original post.  If I did NOT provide which audits, then how is bpatten able to correspond with me on this thread regarding the false positives?  Obviously, enough information about the "audit" has been provided, despite your comments to the contrary.   I don't appreciate what you were implying, namely that I did not provide enough information.  I have provided more than enough information, and I have strived to respond to every request for information by Eeyes staff.

    Please post a reply that is on-topic, so I may further assist Eeyes in troubleshooting the Office XP false positives.  Please do NOT include irrelevant information, as you did in your last post.  This will ensure that the thread is as on-topic as possible, which will limit the length of my reply post.  Also, be VERY CLEAR in your posts, I do NOT work for Eeyes and I am unfamiliar with abbreviations and/or terminology that you use at Eeyes.  I am just a user of your product, NOT an engineer.

    Just to be clear.  I think Blink is wonderful, and I appreciate the work that you have done as an engineer.  The Vulnerability Assessment module is clearly ingenious and unique among security/anti-virus/internet security software.

    I am here to help, otherwise I would NOT have bothered to post the false positive as I have faith and confidence in Microsoft and their product Microsoft Update.  I posted the false positive 90% to help Eeyes make Blink better, and 10% for myself to double check whether Microsoft Update was right or whether Blink Personal's Vulnerability Assessment report was right.

    We are all working towards the same goal, so please be patient with me.

    Thanks in advance.  

© 1995 - 2009 eEye Incorporated