Forum Thread: IE9 Zombies......

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Internet Explorer 9.x

This thread has been marked as resolved.
mogs IE9 Zombies......
Expert Contributor 21st Sep, 2012 21:51
Ranking: 2265
Posts: 6,266
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
I've just applied the latest patch for IE9 in Vista......now 9.1.8112.20557 and seem to be collecting a gathering of zombie installations with a limited threat rating as shown in psi....now 9 such examples.
It doesn't seem possible to remove them.....I don't wish to create an ignore rule for them.....are they all safe enough as is ? Are they likely to be removed at a later date at any rate ?

Your expertise would be very welcome Maurice, without being presumptuous ; if you would be so kind........regards.........

--

Post "RE: IE9 Zombies......" has been selected as an answer.
Maurice Joyce RE: IE9 Zombies......
Handling Contributor 21st Sep, 2012 22:13
Score: 11719
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Can you take a snippet & show me the files? What prevents deletion?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mogs RE: IE9 Zombies......
Expert Contributor 21st Sep, 2012 23:02
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
I've tried Copy/pasting the Troubleshoot report and CTRL+C etc....to no avail..........

If I try to delete the items.....it says that I need permission......and then I get another panel saying Try Again which just repeats itself when pressed.
I've got an actual installation for 9.1.8112.20557
.............and then 8 Zombie files
C:\Windows\winsxs\x86_microsoft-windows-i..etexplorer-optional-31bf3856ad364e35-(20554, 20553, 20551, 16450, 16448, 16447, 16421, 16446 version numbers)
Also :-
1 Zombie :-
C:\Program Files\Internet Explorer\iexplore.exe, version 9.0.8112.16450

All the Zombie files are shown as Patched with a Very Limited threat rating

Is that any help ? Thanks Maurice.




--
Websafe RE: IE9 Zombies......
Member 21st Sep, 2012 23:13
Score: 79
Posts: 105
User Since: 24th May 2009
System Score: 100%
Location: NL
Hello Mogs and Maurice,

Same zombie files;
Windows Vista home Premium 32-bit SP2,
Secunia PSI 2.0.0.3003.
IE-9.

Looks like this:

Detected Instances:
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.20557_none_5918c60d04da998d\iexplore.exe, version 9.0.8112.20557
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.20554_none_5915c52f04dd4d88\iexplore.exe, version 9.0.8112.20554
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.20553_none_5914c4e504de3431\iexplore.exe, version 9.0.8112.20553
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.20551_none_5912c45104e00183\iexplore.exe, version 9.0.8112.20551
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16450_none_5888273bebc34862\iexplore.exe, version 9.0.8112.16450
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16448_none_589af977ebb3f729\iexplore.exe, version 9.0.8112.16448
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16447_none_5899f92debb4ddd2\iexplore.exe, version 9.0.8112.16447
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16446_none_5898f8e3ebb5c47b\iexplore.exe, version 9.0.8112.16446
C:\WINDOWS\winsxs\x86_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16421_none_58a99749ebaa0de6\iexplore.exe, version 9.0.8112.16421
C:\Program Files\Internet Explorer\iexplore.exe, version 9.0.8112.16450

Websafe.
Maurice Joyce RE: IE9 Zombies......
This reply has been deleted
mogs RE: IE9 Zombies......
Expert Contributor 21st Sep, 2012 23:30
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice

Yes...logged on as admin.
I'm just wondering that tho' psi has them showing as Zombie whether or not there's still a cumulative value to them and perhaps they're better left alone ?
As each successive update has taken place I'd kept thinking that MS would remove them if not required. I haven't developed paranoia.....I hope it's not me that's sleeping !!!

@Websafe

Thanks for your input.......regards..........

--
Maurice Joyce RE: IE9 Zombies......
Handling Contributor 21st Sep, 2012 23:58
Score: 11719
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 22nd Sep, 2012 00:01
I would agree - no mad panic & U certainly do not want to be in the Winsxs Folder.

I do not have ready access to a Vista set up.

Your oddity is not showing in windows 7 on either a 32 or 64 Bit system although I have some of those Public Keys you are showing.

This could be something for Secunia Support on Monday - I will have some fun & tinker with my test 32 & 64 test PC's.

If need be I will contact support if I find anything odd.

EDIT - Can U confirm the actual IE exe file showing in PSI is 9.0.8112.16450



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mogs RE: IE9 Zombies......
Expert Contributor 22nd Sep, 2012 00:15
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Thanks for your help and comments Maurice......appreciate your looking into the matter further.

Whilst on the main Scan Results page the installation is shown as 9.1.8112.20557......when clicking on the + sign.......in amongst the entries previously mentioned is the C:\Program Files\Internet Explorer\iexplore.exe, version 9.0.8112.16450

Regards............

--
Maurice Joyce RE: IE9 Zombies......
Handling Contributor 22nd Sep, 2012 00:27
Score: 11719
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 22nd Sep, 2012 00:27
That is an oddity in itself.

Did you by chance use the Fix It tool prior to the release of the Microsoft patch today?


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mogs RE: IE9 Zombies......
Expert Contributor 22nd Sep, 2012 10:24
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice

Sorry didn't reply earlier....overcome by drowsiness earlier than expected !

No, I hadn't used Fixit......do you think it's worth trying at this late stage ?

--
Maurice Joyce RE: IE9 Zombies......
Handling Contributor 22nd Sep, 2012 10:57
Score: 11719
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 22nd Sep, 2012 10:58
To answer your question NO NO NO!

@mogs

I think I have cracked it. The IMPORTANT bit is that if you have installed KB2744842 (the latest MS patch) IE on your PC is protected minus this http://secunia.com/advisories/47129/ which I consider unimportant & not relevant to IE9.

I think what you have found is an inconsistency in the way Secunia are now displaying IE.

I have tested the results shown by PSI on these PC's.

XP SP3 32 Bit using PSI version 1.5.0.2 - This merely confirms IE8 has only one entry in the Scan Result Page & is secure under version 8.0.6001.18702 minus this http://secunia.com/advisories/24314/


Windows 7 32 Bit using PSI version 3.0.0.3001
Windows 7 64 Bit using PSI version 2.0.0.4003


These two PSI variants only show ONE entry in the Scan Results Page & in the case of PSI version 2.0.0.4003 the Secure Browsing Page is also correct. The EXE file version of 9.0.8112.16450 is correct.

The problem occurs on my main PC when running PSI version 2.0.0.3003 where I get the following result.

https://akkkug.bay.livefilestore.com/y1p0KX28iWLN_...

With the 64 Bit browser a different EXE file shows as can be seen here:

https://akkkug.bay.livefilestore.com/y1paylBb_f-yu...

The Secure Browsing Page shows correctly as follows:

https://akkkug.bay.livefilestore.com/y1p1kPktFOF1A...

Because Secunia may well be adjusting their database & the situation could change, the scan results were based on this scan.

https://akkkug.bay.livefilestore.com/y1pxgU1hpMaqN...


What I cannot reconcile is PSI showing any so called zombie files.

Can you try a full PSI rescan & confirm you end up with a listing like mine - If you cannot show me where you can see the word zombie can U explain where I can look to find it?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mogs RE: IE9 Zombies......
Expert Contributor 22nd Sep, 2012 12:30
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice

Have just completed a full scan using psi 2.0.0.3003......the situation has changed somewhat.

Clicking on the + sign on the Scan Results page and then double tapping brings up the entries where under the Classification heading the term Zombie Installation now only appears alongside 5 of the entries.
C:\Program Files\Internet Explorer\iexplore.exe together with 4 previously rated Zombies are now showing as Actual Installations..................leaving still 5 entries as Zombie.

Secure Browsing tab .........IE showing as Unpatched no vendor solution.....SA41729

--
Maurice Joyce RE: IE9 Zombies......
Handling Contributor 22nd Sep, 2012 12:49
Score: 11719
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Thank you. That somewhat proves my point in that there is an inconsistency in the way Secunia are displaying the update.

I will keep PSI installed on this PC over the weekend. If things do not change I will ask Secunia Support to explain these oddities which looks like a database adjustment by them is required.

If you want my advice do nothing except run a PSI scan on Monday/Tuesday & things should look clearer.

Qualys appears to have it correct as can be seen here:

https://akkkug.bay.livefilestore.com/y1pmkmXIfNwGa...

I am going to unsubscribe after your reply to protect my mail box - you have raised a good point so stand by for comments!

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mogs RE: IE9 Zombies......
Expert Contributor 22nd Sep, 2012 13:02
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Thanks Maurice ! will do as you suggest.......scan again on Monday. IE is showing "passed" in the Qualys Browser scan. I still use it often as versions change.........regards..........

--
Maurice Joyce RE: IE9 Zombies......
Handling Contributor 24th Sep, 2012 11:05
Score: 11719
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@Mogs

I have unlocked this thread to report that the issue has been fixed. Both IE 9 32 & 64 Bit now show correctly on all my PC's.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM

This thread has been marked as locked.


© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144