Maybe I'm missing something... If so, I'll step back and continue my lurking and learning from your valuable experiences.
I would rather have Nessus test for the underlying vulnerability that the patches are supposed to resolve, rather than test for the existence of the patch itself. The debate raging on concerning the methodology of the dedicated applictions (Hfnetchk, MBSA, UpdateExpert, et al) and their effectiveness is a good one. But to me, it's more of a change management issue than a vulnerability issue. I'd be willing to let Shavlik, MS and the others to work out that issue and work on it from the internal view. I think it's important for tools just as Nessus to assess the potential vulnerability despite whether the patch is applied or not. This also provides a check and balance on whether the proposed resolution is actually effective. ie; Is the msxml3.dll still vulnerable even after the patch application? My preference is that Nessus be that dedicated, external assessment of network and host vulnerabilities. I think it's a more valuable tool in that setting, than trying to have it do everything. Larry Youngquist CISSP, CCNA, MCSE ----- Original Message ----- From: "Michael Scheidell" <[EMAIL PROTECTED]> To: "Mays Jeff" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, May 10, 2002 6:02 AM Subject: Re: Problem with MS02-008 and MS02-009 plugins > > ----- Original Message ----- > From: "Mays Jeff" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Cc: "Michael Scheidell" <[EMAIL PROTECTED]> > Sent: Thursday, May 09, 2002 3:40 PM > Subject: RE: Problem with MS02-008 and MS02-009 plugins > > > > Ok. As you have seen in recent messages, I'm having a rough time > validating > > the existence (or lack thereof) of the hotfixes for MS02-008 and 009. > Nessus > > continues to insist that they are not there. In a previous cases that was > > correct. We did some further investigation and determined that some of the > > other post sp2 hotfixes were applied in the wrong order. Once we got that > > straightened out, a new scan was run. Nessus still complains that the > > patches aren't there. Hfnetchk says they are, and we can verify the > > existence of the appropriate registry key and files. > > > > It appears that the plugin for MS02-008 may only be checking for Q318203 > > (patches xml versions 3.x) and not looking for Q318202 or Q317244 > (versions > > 2.x, 4.x). > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318203&SD=MSKB&; > > > > The above link basically says something altogether different than the > > original advisory and appears to contradict. Typical Microsoft I > suppose... > > either that or I've missed something altogether. > > > > well, its hard enough to keep up with microsoft daily security notices, > letalone when they fix they fix by fixing the fix of their fix. > > Next time you see software that says 'Windows NT or better", fdisk the thing > and install linux or freebsd. > > Oh, well, when we get some time we will look at it. > If there are three different patches for three different xml versions, thne > nessus will NOT be able to determie the correct patch for it until the new > netbios calls are written (will need to check file dates/times on the remote > computer as well as registry entries) > > Any one got an idea on how to tell (remotely, through registry settings, > using a STANDARD USER account, not admin privledges what version needs > patches?) > > Michael Scheidell > SECNAP Network Security, LLC > (561) 368-9561 [EMAIL PROTECTED] > http://www.secnap.net >
