The following OID http://plugins.openvas.org/nasl.php?oid=806898 is meant to check for MS16-033.
It turns out that the vulnerability still shows on a fully patched Win 10 Pro (v1607 build 10.0.14393, latest public version as per https://en.wikipedia.org/wiki/Windows_10_version_history). There seems to be potentially 2 issues with the NVT causing an FP: - The first one being that it checks for the version of mfds.dll when MS16-033 doesn't mention this DLL (where, for instance MS16-027, for which a patch was released at the same time, does). It is not clear to me that this check needs to happen since mfds.dll is the Media Foundation Direct Show wrapper DLL and doesn't seem related to MS16-033 that is related to USB Storage. Is there a specific reason this dll's version is checked as part of this NVT? - The version check (if needs to be) on mfds.dll ignores that there could be a v10.0.14393 of the DLL that is not vulnerable. The NVT checks for anything under 12.0.10240.16644 but clearly some 1607 servicing stack updates (for instance from Oct 18th https://support.microsoft.com/en-us/kb/3199209) show that a v10.0.14393 of the DLL is still being pushed. This was also validated against a fully updated Windows Media Player (this DLL seems related to it). The NVT should probably be updated to either consider finer version management for mfds.dll or remove the mfds.dll version check altogether if it is not related to MS16-033. Thanks, --Pierre-D.
_______________________________________________ Openvas-plugins mailing list Openvas-plugins@wald.intevation.org https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
