I am concerned about some potential false positives/misleading results reported by nessus. I have a WinXP system that *should* be fully patched. When I run a nessus scan against it, it finds unpatched critical vulnerabilities. The first thing that bothered me is that this particular version of WinXP was slipstreamed and so was installed with numerous patches included and these were older vulnerabilities. I then ran a credentialed Windows patch audit and the system came up clean -- no vulnerabilities.
I finally got time to start verifying the vulnerabilities and the first one nessus reports is Nessus ID : 20928 which gives a link to http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx. Fine, I go to the website and according to Microsoft the *patched* files includes (among other files): Mrxdav.sys 5.1.2600.1673 26-Apr-2005 01:58 The *installed* version is Mrxdav.sys 5.1.2600.2180 04-Aug-2004 07:00 That looks to me like it is *newer* than what was patched 2 years ago, big surprise. However, nessus claims it is vulnerable. *And* the file create and modify time stamps are older. Ah well, so I searched on the file and version and find that it *does* have a vulnerability, but the correct reference is http://support.microsoft.com/?kbid=909423 So directing to the link indicated in the plugin output is faulty? Three other vulnerabilities were also flagged but I haven't had time to verify yet: http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx Tim Doty _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
