Mailing List Archive

I am concerned about some potential false positives/misleading results reported by nessus. I have a WinXP system that *should* be fully patched. When I run a nessus scan against it, it finds unpatched critical vulnerabilities. The first thing that bothered me is that this particular version of WinXP was slipstreamed and so was installed with numerous patches included and these were older vulnerabilities. I then ran a credentialed Windows patch audit and the system came up clean -- no vulnerabilities.

I finally got time to start verifying the vulnerabilities and the first one nessus reports is Nessus ID : 20928 which gives a link to http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx. Fine, I go to the website and according to Microsoft the *patched* files includes (among other files):

Mrxdav.sys 5.1.2600.1673 26-Apr-2005 01:58

The *installed* version is

Mrxdav.sys 5.1.2600.2180 04-Aug-2004 07:00

That looks to me like it is *newer* than what was patched 2 years ago, big surprise. However, nessus claims it is vulnerable. *And* the file create and modify time stamps are older. Ah well, so I searched on the file and version and find that it *does* have a vulnerability, but the correct reference is http://support.microsoft.com/?kbid=909423

So directing to the link indicated in the plugin output is faulty?

Three other vulnerabilities were also flagged but I haven't had time to verify yet:

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx

Tim Doty
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus