Windows – How to determine if a Windows patch is really needed


I’m performing an assessment on a Windows 2008 R2 SP1 machine using Nexpose. The scanner is stating that several patches are needed by the system, but in the past system admins have stated that the system is fully patched and up to date. What I’d like to do is manually determine if a patch is needed before letting the SA know, but I’m struggling to figure out if a patch is really needed. An example is with MS12-073 (Internet Information Services 7.5 KB2719033).

I’m working with 2 systems, one I manage (for testing) and the other is managed by another system administrator. Both are Windows 2008 R2 SP1 (x64-based). Nexpose reports that both systems need the patch (it checks the registry for a specific entry). I looked at the OVAL website for the vulnerability (http://oval.mitre.org/repository/data/item/show?id=oval%3aorg.mitre.oval%3adef%3a15959) and I’m confused by the “definition synopsis” section. First it has 2 sections for “check for vulnerable file version”, but they are basically the same, only with different versions. My patched system (the one I manage, on which I installed patch KB2719033) has version 7.5.7601.17514 of aspnetca.exe. According to oval.mitre.org my system is vulnerable. Am I reading it wrong?

I’ve also tried to verify via the Microsoft website with the “file information” table (http://support.microsoft.com/kb/2719033), but it lists several versions of the same file. I have found an Excel document that Microsoft publishes that lists patches and whether they have been superseded, but this patch is not listed as being superseded by another patch (go.microsoft.com/fwlink/?LinkID=245778).

My question is: how do I read the “file information” table (from the Microsoft website) or the OVAL website to determine if systems are truly vulnerable or not? Or is there a better, easier way to truly determine if a patch is needed (without using the Windows Update process, which I don’t have access to)?

Edit
I guess I'm looking for more of a framework to determine if a patch is needed. I have other examples that could be false positives (two others are MS11-013 and MS13-081). I tried using the file information from Microsoft and the OVAL process, but for KB2719033 those processes tell me that I'm still vulnerable, even though I have manually applied the patch on my test system.
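An added example (not code from the original question or answer) of the kind of manual check the question asks for, written for a 2008 R2 host. It combines three signals that a hotfix is really in place: whether the KB is registered as an installed update (Get-HotFix, i.e. Win32_QuickFixEngineering), whether the file named in the KB's "File information" table is at or above the fixed version for its servicing branch, and, on x64, whether both the native (System32\inetsrv) and the WOW64 (SysWOW64\inetsrv) copies of that file pass. The reason a KB file table lists several versions of the same file is that each servicing branch (GDR, revision 7601.17xxx, and LDR/hotfix, revision 7601.2xxxx on 2008 R2 SP1) and each architecture has its own row; a file counts as fixed when it is at or above the row for its own branch. The fixed-version numbers in the script are placeholders (an assumption) and must be replaced with the values from the KB article.

```powershell
# Added example for the question above; not code from the original post.
# Signals checked:
#   1. the KB is registered as an installed update (Get-HotFix = Win32_QuickFixEngineering),
#   2. the file from the KB's "File information" table is at or above the fixed
#      version for its servicing branch (GDR 7601.17xxx vs LDR 7601.2xxxx on 2008 R2 SP1),
#   3. on x64 both the System32 and the SysWOW64 copy of the file are checked.
# Run from a 64-bit PowerShell host so that System32 is not redirected to SysWOW64.
param(
    [string]$Kb = 'KB2719033',
    [string]$FileName = 'aspnetca.exe',
    # Placeholders (assumption): copy the real GDR and LDR versions from the KB's file table.
    [version]$FixedGdr = '7.5.7601.99999',
    [version]$FixedLdr = '7.5.7601.99999'
)

function Get-FileVersionObject {
    param([string]$Path)
    # Build the version from the numeric parts; the FileVersion string frequently carries
    # a build-lab suffix such as "(win7sp1_rtm.101119-1850)" that [version] cannot parse.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-ServicingBranch {
    param([version]$Version)
    # Windows 7 / 2008 R2 SP1 convention: revision 17xxx = GDR, 2xxxx = LDR (hotfix) branch.
    if ($Version.Revision -ge 20000) { 'LDR' } else { 'GDR' }
}

function Test-FileFixed {
    param([string]$Path, [version]$FixedGdr, [version]$FixedLdr)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Present = $false; Version = $null; Branch = $null; AtOrAboveFix = $null
        }
    }
    $actual = Get-FileVersionObject $Path
    $branch = Get-ServicingBranch $actual
    # Compare only against the fixed version of the same branch: an LDR file is not
    # "ahead" of a GDR fix merely because its revision number is larger.
    $fixed = $FixedGdr
    if ($branch -eq 'LDR') { $fixed = $FixedLdr }
    New-Object PSObject -Property @{
        Path = $Path; Present = $true; Version = $actual; Branch = $branch
        AtOrAboveFix = ($actual -ge $fixed)
    }
}

# 1. Is the KB registered as installed? (Only MSU/WUSA-style updates appear here.)
$qfe = Get-HotFix | Where-Object { $_.HotFixID -eq $Kb }
if ($qfe) { "$Kb registered, installed $($qfe.InstalledOn) by $($qfe.InstalledBy)" }
else      { "$Kb is NOT registered as an installed update" }

# 2/3. File versions in both IIS binary locations on an x64 host.
$paths = @("$env:windir\System32\inetsrv\$FileName", "$env:windir\SysWOW64\inetsrv\$FileName")
$results = @($paths | ForEach-Object { Test-FileFixed -Path $_ -FixedGdr $FixedGdr -FixedLdr $FixedLdr })
$results | Format-Table Path, Present, Version, Branch, AtOrAboveFix -AutoSize

# Verdict: applied only when the KB is registered AND every present copy is at/above the fix.
$presentCopies = @($results | Where-Object { $_.Present })
$behind = @($presentCopies | Where-Object { -not $_.AtOrAboveFix })
if ($qfe -and $presentCopies.Count -gt 0 -and $behind.Count -eq 0) {
    "$Kb appears to be applied"
} elseif (-not $qfe -and $presentCopies.Count -gt 0 -and $behind.Count -eq 0) {
    "$Kb not registered, but files are at/above the fix: look for a superseding update"
} else {
    "$Kb is NOT effectively applied; install (or reinstall) it and re-check"
}
```

Two practical notes. A file still stamped 7.5.7601.17514 carries the build number of the SP1 release itself (6.1.7601.17514), so it has not been replaced by any post-SP1 update at all; when a KB is reported as installed but its files still show that stamp, the update was registered without its payload taking effect, which is exactly the case a file-version check catches and a registry-only scanner check does not. And when the file is newer than the fixed version but the KB is absent from Get-HotFix, a later cumulative or superseding update has most likely replaced it, which is the case to check against Microsoft's supersedence spreadsheet before filing a finding.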

Best Answer

Your system is still vulnerable ...probably because the patch didn't install correctly. Have them install the patch manually and check again.
