Vulnerability Assessment

Office XP False Positives

eyesonly — Mon, 26 Oct 2009 01:21:01 GMT

I recently installed Windows XP & Office XP on a brand new disk. I installed the service packs in chronological order. Next, I went to Microsoft Update and applied all critical patches. Microsoft Update reported NO critical updates. Windows XP SP3 & Office XP SP3.

Next, I installed Blink Personal, then updated the software & virus definitions. I ran a Vulnerability Assessment and it reported the following 3 critical updates needed to be applied:

Microsoft Office One Note URI Remote Code Execution (955047) - Office XP

Microsoft Office Remote Code Execution (949030) - Office XP

Microsoft Office Remote Code Execution (934873) - Office XP

I checked the links to the Microsoft Bulletins to determine whether the updates may have already been applied in some kind of roll-out or cumulative update. Although the Microsoft Bulletines did not mention any roll-out or cumulative updates that superceded the bulletins, I was able to find the files updated in the file information sections.

My current systems (Windows XP SP3, Microsoft Office XP SP3) reports:

mso.dll 10.0.6856.0 9/04/09 9811792

ietag.dll 10.0.6731.0 9/04/09 105152

According the Microsoft Bulletins:

Microsoft Office One Note URI Remote Code Execution (955047) - Office XP per http://support.microsoft.com/default.aspx?scid=95507

mso.dll 10.0.6845.0 6/11/08 9819136

ietag.dll 10.0.6731.0 6/11/08 105152

Microsoft Office Remote Code Execution (949030) - Office XP per www.microsoft.com/technet/security/bulletin/ms08-016.mspx

mso.dll 10.0.6839.0 10/30/07 9819136

ietag.dll 10.0.6731 9/10/04 105152

Microsoft Office Remote Code Execution (934873) - Office XP per www.microsoft.com/technet/security/bulletin/ms07-025.mspx

mso.dll 10.0.6830.0 3/26/07 9819480

As you see, I have the most recent versons and most recent dated files even though I did not apply any of the 3 Microsoft Updates. While I don't know exactly what Micosoft patch(es)/update(s) are responsible, I do know that my system is completely patched and Vulnerability Assessment incorrectly tells me to apply patches that apply older and obsolete versions of my current files.

Please review my post to confirm that the aforementioned 3 critical update warnings in Vulnerability Assessment is really a false positive.

Again thank you for Blink Personal, it's really a great piece of software.

Thanks in advance.

Audit ID 9826 Microsoft Visual Studio ATL Vulnerabilities (969706) - VS 2008 SD

RAC_Reaper — Wed, 21 Oct 2009 13:25:54 GMT

I have been trying to figure this one out. All my windows XP SP3 machines, the Scan says that file C$\Program Files\Microsoft Visual Studio 9.0\VC\ce\dll\x86\atl90.dll is version 9.0.21022.220 and should be at 9.0.30729.4154. MS09-035 is installed as well as other KB's associated according to a WSUS report . Is this another type of 3rd party add in? How can I get rid of this vulnerability?

Internet Explorer Vulnerability - False Positive?

jin356b — Tue, 04 Aug 2009 00:19:13 GMT

I have recently installed the latest security update for IE7 on my network (Cumulative Security Update for Internet Explorer 7 (KB972260)). Now whenever I do a Retina scan on these machines, they report 2 High risk vulnerabilities:

Microsoft Internet Explorer Cumulative Security Update (958215) - 2003 Retina Audit ID: 7449
Microsoft Internet Explorer Security Update (960714) - 2003 Retina Audit ID: 7521

Microsoft Internet Explorer Cumulative Security Update (958215) - XP Retina Audit ID: 7448
Microsoft Internet Explorer Security Update (960714) - XP Retina Audit ID: 7520

These vulnerabilities are from 2008, and probably obsolete. I run am running the most updated versions of Win2k3 SP2 and WinXP SP3. Has anyone else had this problem? Does anyone know if these are actually False Positives, or has Microsoft opened up an old vulnerability?

Thanks

Easy way to compare scans?

jimbo — Sat, 07 Nov 2009 01:02:59 GMT

We run Retina scans every month and what I'd like to do is show management the progress that's being made with IAV patching.

Is there a way in Retina where I can compare scans?

What I mean is:

1st scan shows IAVA 2009-A-0001 is vulnerable on client1, client2, and client3.

2nd scan shows the same IAVA 2009-A-0001 is vulnerable on client1 and client3.

Looking at that, I can easily tell that the patch was applied to one client (client2). But imagine having multiple IAVs on hundreds of clients. Now you can see that manually doing this is too cumbersome.

null session and autorun update false positive findings

osioniusx — Wed, 02 Sep 2009 13:39:02 GMT

I have a lot of these false positives. This means the system was not admin, or is there another possible problem? Thx.

Audit 3490

vworthy — Fri, 16 Oct 2009 13:34:25 GMT

I believe that I have my registry settings correctly set, but because this audit continues to show I am starting to doubt myself.

Presently,

I have set to audit the "everyone" group for failures and have the following checked: Set Value "Failed", Create subkey "Failed", and Delete "Failed". I have Allow Ingeritable permissions from parent to propagate to this object selected both under Access Control Settings and Permission for hive.

Remote registry access

bb93444 — Tue, 03 Nov 2009 01:36:38 GMT

I am having issues gaining remote registry access even though known good credentials are used. Remote Registry service has been verified to be started along with file and print services allowed. I am not sure what else is requried. The computer being scanned is a Windows 2003 member server. Any ideas on what to look for would be greatly appreciated.

Retina Audit ID 5329

jaws — Thu, 03 Sep 2009 15:00:28 GMT

Hi,

Audit ID 5329: Ensures that all keys under HKLM\Software\Classes\AppId do not have a "RunAs" value.

Retina identifies all items that have "RunAs".

I think this is only a problem if "RunAs" has a value other than Interactive User.

If this is correct maybe a small modification to Audit 5329 --- RunAs exits and is not set to Interactive User.

This would help eliminate false positives.

Thanks,

Jim

Audit ID's 958215 and 970714

RAC_Reaper — Wed, 04 Nov 2009 18:35:45 GMT

I got a recent update to the engine and vulnerability scanner. I am now at version 5.10.20.2153.

With this update these 2 vulnerabilities show are showing up on XP workstations. Both check the version of file C$\WINDOWS\system32\mshtml.dll.

Is there a fluke in the check? These two audits were not showing up before.

Audit ID 10359 Clustered servers

RAC_Reaper — Fri, 30 Oct 2009 17:36:26 GMT

I have been finding out more about 2003 Server clustering. In my environment I have two W2K3 servers that are clustered. One's called Martha, the other Stewart. The cluster is named Fred. Martha has IP 10.1.1.2, Stewart 10.1.1.3 and Fred has 10.1.1.4. Martha and Stewart are not vulnerable to Audit 10359, but Fred reports that it is. From looking what the scan finds, Retina is looking for a Registry key. Since Fred is logically just a name, the scanner cannot find the key (found value is **keynotfound**).

Is there anyway you can make the scanner not scan these types of IP's (IP's that are cluster names)?

I could omit the IP from the scan. That would probably be an easier solution.

Help Help Help - had to Uninstall Blink!

Winifred — Fri, 30 Oct 2009 05:51:06 GMT

Hi, all

Today (10/29) got a note that Blink needed to be restarted to download overnight update. Rebooted. Blink couldn't start. Windows told me to go to Control Panel and under Programs - right click to have Windows repair Blink (this worked before - some time ago.) This time it did not work. I rebooted several times and I kept getting a Blink message saying that I was using an invalid password - however I don't have ANY password for Blink - nor anywhere, including logging in to Vista. Another error message Blink gave me was that I was running another version of Blink which needed to be shutdown before startup version of Blink could start - and 'tho no Blink icon in my systray - Task Mgr did show Blink as running. Lastly thru all this, I couldn't get on the internet via my AOL dialup. So I have uninstalled Blink and was then AOL got me online OK. I would like to reinstall my paid version but have no idea how to do that. Any help? ? ? ? ? Thanks!

Tech Support

Winifred — Fri, 30 Oct 2009 14:04:03 GMT

Got an email bounced when directed to dr.support@eeye.com (address given for Blink tech support when I purchased.) Does anyone have the correct email address for Blink tech support?

How to change my registry to follow Blink's instructions re kilbit of Microsoft KB240797?

Winifred — Tue, 20 Oct 2009 02:54:28 GMT

Can anyone actually walk me thru EXACTLY how to change my registry to follow Blink's instructions re kilbit of Microsoft KB240797? I've already backed up my registry following MS's instructions - but I just can't figure out how to actulally do the registry killbit. Thanks, y'all!

Miscellaneous Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.6.0

Winifred — Fri, 07 Aug 2009 01:08:32 GMT

Hi, this appeared today as a high risk item. Can anyone tell me which version of these I should get - or how to find out which version I need? I'm not a techie and use Vista, if that helps.

Windows JRE/JDK 6.0: Upgrade to Update 15 or newer.

JRE/JDK 5.0: Upgrade to Update 20 or newer.

JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version.

JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version.

Thanks,

Wini

Audit ID 7469 Microsoft Visual Basic 6.0 ActiveX Runtimes Code Execution (932349)

RAC_Reaper — Wed, 21 Oct 2009 13:01:32 GMT

I have been reading other posts that deal with these active X OCX files and how 3rd party vendor are supposed to patch them.

From my research, there is some discussion about msmask32.ocx version 6.0.84.18 not being vulnerable, but still flagging by a Retina scan. Can you please verify vulnerable or not vulnerable?

My issue seams to deal with any workstation with ARC GIS loaded. ESRI released a patch that took care of 5 of the 6 OCX files, but I still get this one in a scan.

Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2

vkundakci — Sun, 18 Oct 2009 21:24:29 GMT

I am getting the above vulnerability audit starting a few days ago. I do not have JRE 1.4.2 installed. Verifying java version on my computer below:

C:\>java -version
java version "1.6.0_16"
Java(TM) SE Runtime Environment (build 1.6.0_16-b01)
Java HotSpot(TM) Client VM (build 14.2-b01, mixed mode, sharing)

Any idas?

The full audit message is below:

BID	35943, 35945, 35939, 35942, 35944
CVE	CVE-2009-2676, CVE-2009-2625, CVE-2009-2674, CVE-2009-2671, CVE-2009-0217, CVE-2009-2670, CVE-2009-2673, CVE-2009-2675, CVE-2009-2672
Description	Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) contain multiple vulnerabilities that could allow connections to arbitrary hosts, web session hijacking, username disclosure, execution of untrusted Java Web Start applications with elevated privileges (e.g. thus allowing permissions to local files, or execution of local applications), spoofing of XML digital signatures, spoofing/manipulation of security dialogs, cause denial of service conditions, and/or execution of arbitrary code (via multiple vectors).
How To Fix	Install or apply the appropriate vendor-supplied fix: Note: JRE/JDK 1.4.x/1.3.x updates are available only through Sun Vintage Support or Java SE for Business contracts. Windows JRE/JDK 6.0: Upgrade to Update 15 or newer. JRE/JDK 5.0: Upgrade to Update 20 or newer. JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version. JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version. Linux JRE/JDK 6.0: Upgrade to Update 15 or newer. JRE/JDK 5.0: Upgrade to Update 20 or newer. JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version. JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version. Solaris JRE/JDK 6.0: Upgrade to Update 15 or newer. JRE/JDK 5.0: Upgrade to Update 20 or newer. JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version. JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version.
Links	Sun Alert - 263429 Java Downloads - JRE/JDK 5 Update 20 Release Notes - JRE 6 Update 15 Sun Alert - 263408 Sun Alert - 263489 Secunia Advisory - 36159 Java Downloads - JRE/JDK 6 Update 15 Sun Alert - 264648 Sun Alert - 263488 Release Notes - JRE 5 Update 20 Sun Alert - 263409 Sun Alert - 263490 Sun Alert - 263428
Risk	High

Where are the manual installs?

maaksel — Thu, 22 Oct 2009 15:41:26 GMT

Sun JRE/JDK Multiple Vulnerabilities (20090324) - Windows - JDK 1.4.2 Sun JRE/JDK Multiple Vulnerabilities (20090324) - Windows - JDK 1.5.0 Sun JRE/JDK Multiple Vulnerabilities (20090324) - Windows - JRE 1.6.0 Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JDK 1.4.2 Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JDK 1.5.0 Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2 Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.5.0

Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.6.0

Our enterprise has over 900 servers, these have all been found to be out of date patches through Retina. I have been trying to find the download for the manual install so I can script it out and 'just get it done' as I was directed by our CIO.

Updating/maintaining will be done/planned in the next coming weeks, however i need to have all the patched by 6am 10/24

Remedy for vulnerability items, “Microsoft Visual Basic 6.0 ActiveX Runtimes Code Execution (932349)”?

rhkohl — Mon, 12 Jan 2009 05:33:05 GMT

In the Blink-Personal Vulnerability Assessment Report, I have four, high-risk items titled the above -- one for each of comct232, mscomct2, msdatgrd, msmask32 -- all citing MS08-070, KB932349, and Secunia Advisories 26534 and 31498. I found these 4 names as .ocx files in my Windows\system32 folder. I read where these are Microsoft Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) which are distributed by developers with their VB6 applications. These might well also have come OEM with the computer (?). The date of the one I checked was 1998 and, using Notepad, it looked to be something straight from Microsoft with copyright notice and version number. The Microsoft-Update application will not offer an update that addresses these items in any way. Using either MS08-070 (and looking in FAQ’s) or the link (to Microsoft) in the Secunia advisories results in the same download, the “Cumulative Update for Microsoft Visual Basic 6.0 SP6 (KBnnnnnn)” where nnnnnnn depends on the link used. I do not have MS Visual Basic 6 on my computer and sure enough, when I went to install either download I got the message, “In order to install Cumulative Update for Microsoft Visual Basic 6.0 SP6 (KBnnnnnn) you must have Microsoft Visual Basic 6.0 Product installed”. This download appears to be for the developer so that his/her future products do not have the vulnerability. So I still have these vulnerabilities on my computer, and they are of unknown use. What now?

Does anyone have any thoughts?

Retina came up with vulnerabilities after Windows Update ran and patched system

jdeitel — Tue, 13 Oct 2009 18:54:36 GMT

Reposting this here as I do not think troubleshooting is the correct forum:

Ok, so this is the first time I've had an issue like this. I scanned a few servers this morning with updated Audits and I came up with a few vulnerabilities. Well I decided to do a windows update on all of the boxes and now I've got Cumulative IE secuirty updates popping all over my reports. The IE updates and ActiveX killbits appeared "old" but when I looked for more information the site said it was updated as of 10/13/2009....

I'm going to rollback all of the updates I performed but has anyone else encountered something along the same lines? MS Update screwy?

Thanks

Dual-Homed Retina 651 Appliance

mwhittek — Sun, 11 Oct 2009 17:43:07 GMT

Is it possible to configure the 651 appliance as a dual-homed system? I would like for the appliance to be on one subnet for scanning purposes, and another subnet for acquiring updates. The appliance has two network interfaces, but the documentation for the appliance is virtually non-existent.

External Vulnerability Assesment (Scanner Placement and Other Methods)

ny101880 — Fri, 02 Oct 2009 15:50:17 GMT

Hi Everyone,

I wanted to ask your opinion about vulnerability assessment to a corporate network'ss external asset (Located in the DMZ, Firewalls).

Strategy: We plan to put the scanner outside of the corporate network (broadband connection in the house) to do the scan
Options: rent a linux server from any hosting company to do the scan

Difficulties:
1. If this is our strategy, are we able to succeed in identifying faster the vulnerability to our corporate network (External Assets located in the DMZ)?

2. What scanning method is best to be used (Unattenticated - Hacker Perspective) or Authneticated (Im not sure of the risk it will implicate)?
3. What are the other optionsan suggest we can improve the quality of the result

Im hoping you can share something on this.

General Retina Network Scan Question

guest09 — Tue, 08 Sep 2009 15:35:48 GMT

Hi,

I am currently evaluating the Retina Network Scan product including the VMS Export Wizard. I was wondering if there is a way to run the VMS Export Wizard from the command-line.

Thanks!

Adobe Flash Player shows up on Vulnerability Checklist, but latest version is installed!

rhkohl — Sat, 03 Nov 2007 07:05:07 GMT

"Adobe Flash Player Multiple Vulnerabilities" shows up on the current, Blink-Personal, security checklist (with the "How to Fix" being "Upgrade A_ F_P_ to version 9...", but prior to running this vulnerability assesment, I downloaded version 9.0.47.0 (the latest) from the Adobe site and manually installed it, getting a sub-window indicating a successful installation. In Control Panel, Add/Remove lists "Adobe Flash Player" and "Support Information" in that list item shows that the version is indeed 9.0.47.0.

It would seem that there is something wrong with this item being in the Blink security checklist. [There is one wrinkle, however, that I do not understand, and that is that I can find no flash9.ocx file anywhere on C: (which I had a hunch I should find), but I do have a Flash8.ocx file in C:\Windows\system32\Macromed\Flash.]

Anyone's thoughts would be appreciated.

Openoffice 3.1.1 not recognized

vkundakci — Mon, 07 Sep 2009 03:24:17 GMT

Recently Openoffice 3.1.1 started to come up as vulnerable for CVE-2009-0200 and CVE-2009-0201. Supposedly the buffer overflow problems were fixed in this release. The report below mistakenly indicates that the problem is fixed in 3.3.1. Maybe the version test has the same error.

BID	36200
CVE	CVE-2009-0200, CVE-2009-0201
Description	OpenOffice contains mutliple heap-based buffer overflows when handling documents containing malformed Word document tables. Successful exploitation could allow execution of arbitrary code or could cause the application to crash.
How To Fix	Upgrade OpenOffice to version 3.3.1 or newer.
Links	Secunia Advisory - 35036
Risk	High

Retina Scan suddenly finding missing MS Security Patches from 2005/6/7

froglips — Sat, 05 Sep 2009 14:30:51 GMT

We run Retina Scan (versions: Engine (5.10.17) and the Audit is (2132)) weekly, and download the latest Audit prior to doing so. Our current OS is Windows XP SP2. This morning we downloaded the current Audit, and all of a sudden we are now missing the following patches:

IE Explorer Cumulative Patch for up to 6.0 2003-A-0014(3)

SMB Remote Code Execution 2005-T-0019

TCP/IP Vulnerabilities 2005-B-0012

Outlook Express Cumulative Patch 837009

Can anyone tell us why this may be happening?

Also, the following problem exists, which a resolution has never been found for:

JPEG Processing GDI+ Buffer Overflow 2004-A-0015

Any help on this would be GREATLY appreciated as well.

Thanks for all of your time and help.

Sincerely,