Hi,

On 01.03.2018 21:17, CAMPBELL Jeremy wrote:
> Karl,
>
> You can create a group policy object in your Windows environment to delete
> those keys. That makes the problem go away.

to avoid that this is required I did some minor improvements to the Firefox
Detection-NVT which could help with the doubled detection of Firefox
installations where the registry entries are left behind.

Those changes arrived in the feed once gb_firefox_detect_win.nasl has reached
Revision r9760.

Regards,

> Regards,
> Jeremy
> This message was classified PUBLIC by CAMPBELL Jeremy on Thursday, March 1,
> 2018 at 3:17:16 PM.
>
> From: Openvas-plugins [mailto:openvas-plugins-boun...@wald.intevation.org] On
> Behalf Of Karl Fox
> Sent: Thursday, March 1, 2018 1:50 PM
> To: openvas-plugins@wald.intevation.org
> Subject: [Openvas-plugins] [openvas-Bugs][6942] gb_firefox_detect_win.nasl
> gets wrong Mozilla Firefox version
>
> Thank you for your response.
>
> Yes, I understand that this issue is triggered because Firefox sloppily
> leaves behind a registry entry when it uninstalls or upgrades, but Nessus,
> for example, doesn't get tripped up by that, and there are thousands of
> machines out there that will have these extraneous entries until the end of
> time. Would it be possible to modify gb_firefox_detect_win.nasl to not make
> this incorrect assumption? Perhaps check the uninstall hive to see if the
> software is still actually installed?
>
> Thanks,
>
> Karl
> ---------- Forwarded message ---------
> From: <nore...@wald.intevation.org>
> Date: Thu, Mar 1, 2018 at 1:32 PM
> Subject: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla
> Firefox version
> To: <nore...@wald.intevation.org>
>
>
> Bugs item #6942, was changed at 2018-01-25 20:17 by Christian Fischer
> You can respond by visiting:
> https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
>
>> Status: Closed
> Priority: 3
> Submitted By: Lithik Systems (lithik)
> Assigned to: Nobody (None)
> Summary: gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
> Architecture: 64 bits
> Product: OpenVAS
> Operating System: Linux
> Component: openvas-plugins
> Version: None
> Severity: normal
>> Resolution: Won't Fix
> Hardware: PC
> URL:
>
>
> Initial Comment:
> We have seen many 64-bit machines where OpenVAS throws up to dozens of
> Mozilla Firefox (not ESR) vulnerabilities even though Firefox is in fact up
> to date. We have tracked this down to what appears to be an incompletely
> uninstalled 32-bit version of Firefox where the current 64-bit Firefox is
> installed and running.
>
> The following registry values remain:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org (folder)
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla (folder)
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion (REG_SZ)
>
> OpenVAS reports the value of CurrentVersion as being too old. No other fields
> exist under the Wow6432Node\mozilla.org folder.
>
> The following filesystem items remain:
>
> C:\Program Files (x86)\Mozilla Firefox
> C:\Program Files (x86)\Mozilla Firefox\browser
> C:\Program Files (x86)\Mozilla Firefox\browser\defaults
> C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences
> C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js
>
> No other files or folders exist under C:\Program Files (x86)\Mozilla Firefox
>
> The folder C:\Program Files\Mozilla Firefox exists and contains a complete
> and current Firefox installation.
>
> The registry value
> HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion
> exists and contains the version number of the current Firefox installation.
>
> If I remove the old registry entry, OpenVAS does not report false positives.
> But I continue to run into hundreds of machines with this problem. Perhaps
> gb_firefox_detect_win.nasl can be made to avoid this false positive.
>
> In the specific case I am using for this report, the uninstalled version is
> 44.0.2 and the currently installed version is 56.0.2.
>
> ----------------------------------------------------------------------
>
>> Comment By: Christian Fischer (cfi)
> Date: 2018-03-01 18:32
>
> Message:
> Hi,
>
> thanks for your report. Please note that this bugtracker is abandoned and
> issues related to NVTs are better placed at
> https://lists.wald.intevation.org/pipermail/openvas-plugins/
>
> Firefox itself is known to leave traces like this behind causing some
> possible false detections. See e.g.
> https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011748.html
> for some background.
>
> For now I'm closing this as the false detection will go away once the Firefox
> upgrade routines are correctly doing their job or the target's registry is
> cleaned up from such traces.
>
> Suggestions to improve the situation or even patches are still welcome at the
> mentioned openvas-plugins mailing list.
>
> ----------------------------------------------------------------------
>
> _______________________________________________
> Openvas-plugins mailing list
> Openvas-plugins@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
>

-- 
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
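
The cross-check suggested in the thread (trust a `CurrentVersion` value only when the uninstall hive and the install directory back it up), sketched as an added example; it is not part of the original messages and not the logic of gb_firefox_detect_win.nasl. The registry and file snapshot is constructed from the versions in the report, and the function names and the uninstall entry's key name and values are assumptions.

```python
# Added illustration, not the logic of gb_firefox_detect_win.nasl.
# Paths are relative to HKEY_LOCAL_MACHINE; all sample data is constructed.
VIEWS = {"64-bit": "SOFTWARE", "32-bit": r"SOFTWARE\Wow6432Node"}
VERSION_KEY = r"\mozilla.org\Mozilla"
UNINSTALL_KEY = r"\Microsoft\Windows\CurrentVersion\Uninstall"


def firefox_uninstall_entries(reg, root):
    """Firefox entries in the Uninstall hive of one registry view."""
    hive = root + UNINSTALL_KEY + "\\"
    return [values for key, values in reg.items()
            if key.startswith(hive)
            and values.get("DisplayName", "").startswith("Mozilla Firefox")]


def classify_detections(reg, files):
    """Map each view with a CurrentVersion value to (version, status)."""
    results = {}
    for view, root in VIEWS.items():
        version = reg.get(root + VERSION_KEY, {}).get("CurrentVersion")
        if version is None:
            continue
        status = "stale"  # leftover value with nothing installed behind it
        for entry in firefox_uninstall_entries(reg, root):
            exe = entry.get("InstallLocation", "").rstrip("\\") + r"\firefox.exe"
            if entry.get("DisplayVersion") == version and exe.lower() in files:
                status = "installed"
        results[view] = (version, status)
    return results


# Constructed snapshot modelled on the report: 44.0.2 left behind, 56.0.2 current.
SAMPLE_REG = {
    r"SOFTWARE\Wow6432Node\mozilla.org\Mozilla": {"CurrentVersion": "44.0.2"},
    r"SOFTWARE\mozilla.org\Mozilla": {"CurrentVersion": "56.0.2"},
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 56.0.2 (x64 en-US)": {
        "DisplayName": "Mozilla Firefox 56.0.2 (x64 en-US)",
        "DisplayVersion": "56.0.2",
        "InstallLocation": r"C:\Program Files\Mozilla Firefox",
    },
}
SAMPLE_FILES = {  # lower-cased paths present on the constructed target
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files (x86)\mozilla firefox\browser\defaults\preferences\disable-autoupdate.js",
}

if __name__ == "__main__":
    for view, (version, status) in classify_detections(SAMPLE_REG, SAMPLE_FILES).items():
        print(f"{view}: Firefox {version} -> {status}")
```

Only detections marked `installed` would be passed on to version-based vulnerability checks; the `stale` 32-bit entry is the false positive described in the report.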