
Forum Thread: SA35362 vulnerability is marked vendor patched - my ie 7 is full...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Internet Explorer 7.x

This thread has been marked as locked.
Georgia SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Member 4th Jul, 2009 17:09
Ranking: 0
Posts: 4
User Since: 4th Jul, 2009
System Score: N/A
Location: N/A
Secunia and Microsoft Update says IE7 is fully patched.
Secunia says this vulnerability was patched by Microsoft in early June 2009.
Secunia says there is nothing I can do.

Question:
I do not understand if Microsoft fixed this vulnerability or not? Why is IE7 showing as not patched - when I have the patch that fixed this vulnerability?

IE Version 7.0.5730.11IC
KB969897 is applied, which is the patch for XP Professional with SP2/SP3 identified on the Secunia advisory page.


Thanks

Anthony Wells RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Expert Contributor 4th Jul, 2009 20:54
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 4th Jul, 2009 20:56
Which "tab" on the "Overview" page of PSI in "advanced" mode is showing you a problem?

If IE is correctly patched it will be in the "patched" tab ; if not it will be under the "insecure" tab .

In the "secure browsing" tab it will show as "insecure" , either way , as even when fully patched it still has "holes" in it for which MS have yet to provide a patch . So there is a "risk" if you use it - how big the risk depends on how you protect yourself when "surfing".

My version of IE is 7.0.6000.16850.

--


It always seems impossible until it's done.
Nelson Mandela
Georgia RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Member 5th Jul, 2009 19:25
Score: 0
Posts: 4
User Since: 4th Jul 2009
System Score: N/A
Location: N/A
Last edited on 5th Jul, 2009 19:27
The error is showing on the secure browsing tab.

With the later version of ie 7, is your ie 7 getting flagged as insecure?

on 4th Jul, 2009 20:54, Anthony Wells wrote:

"In the "secure browsing" tab it will show as "insecure" , either way , as even when fully patched it still has "holes" in it for which MS have yet to provide a patch . So there is a "risk" if you use it - how big the risk depends on how you protect yourself when "surfing"."



The Secunia Advisory says the solution status is vendor patch so if IE 7 still has the holes for this vulnerability, it is a contradiction to say it is patched. This is what I am trying to understand.

"Microsoft Internet Explorer Multiple Vulnerabilities
Secunia Advisory: SA35362
Release Date: 2009-06-09
Last Update: 2009-06-11
Popularity: 4,292 views

Critical:
Highly critical
Impact: Security Bypass
System access
Where: From remote
Solution Status: Vendor Patch"

Thanks
Anthony Wells RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Expert Contributor 5th Jul, 2009 20:04
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Jul, 2009 20:13
My version shows as insecure under secure browsing & shows the advisory reference as SA22628. I only use it via Firefox ( I use the IE Tab add-on in Firefox ) to minimise exposure .

As I see it :

PSI only used to tell you if you had all the available patches & so were fully patched & "technically" as "secure" as you can get ; but they also indicated that programmes like IE pose a potential security "risk/threat" and later put the coloured bar/category after the programme. These programmes are more likely to be attacked successfully. If you want more advice they have the "advisories".

In the (new) secure browsing tab they are adding/highlighting the fact that as well as a "risk category" some programmes have vulnerabilities that could well be exploited now or in the future. These are real vulnerabilities which are not patched , the supplier does not have a patch & so this gives/emphasises the insecure rating.

It just means you have to interpret "insecure" in slightly different ways for "patching" and "browsing".

Secunia - being cunning Danes - probably chose similar words/terms to make us sit up & take notice of what we are doing.

You are obviously safer to update , but even then there will be holes !!


--


It always seems impossible until it's done.
Nelson Mandela
Anthony Wells RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Expert Contributor 5th Jul, 2009 21:36
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Jul, 2009 21:50

Just to let you know that the security risk category/colour bar for my IE in the patched programmes tab leads to SA35362 which refers to the last MS patch available to be applied earlier this month KB969897 ( I think , successfully , if your IE is in the patched tab ) ; SA22628 in the secure browsing tab refers to the unpatched vulnerability which dates back to 2006 !! & gives IE its insecure rating.

I know , clear as mud .

--


It always seems impossible until it's done.
Nelson Mandela
Georgia RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Member 6th Jul, 2009 00:54
Score: 0
Posts: 4
User Since: 4th Jul 2009
System Score: N/A
Location: N/A
on 5th Jul, 2009 21:36, Anthony Wells wrote:
Just to let you know that the security risk category/colour bar for my IE in the patched programmes tab leads to SA35362 which refers to the last MS patch available to be applied earlier this month KB969897 ( I think , successfully , if your IE is in the patched tab ) ; SA22628 in the secure browsing tab refers to the unpatched vulnerability which dates back to 2006 !! & gives IE its insecure rating.

I know , clear as mud .


Anthony,
You are right. My secured browsing tab now says SA22628 which is not patched. It is exactly as you say.

That resolves my issue.

Thank you.

Internet Explorer 7 Window Injection Vulnerability
Secunia Advisory: SA22628
Release Date: 2006-10-30
Popularity: 63,584 views

Critical:
Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
alan09 RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Member 16th Aug, 2009 21:59
Score: 0
Posts: 2
User Since: 10th Dec 2008
System Score: N/A
Location: N/A
Last edited on 16th Aug, 2009 22:13
After speaking with a Microsoft tech. and going through my comp. for over an hour, I was informed that Secunia is detecting a "Microsoft Update" as being a security threat. These Updates from Microsoft are automatic Updates some of which are uninitiated or seen by the user themselves. I was advised to ignore the problem because it is basically a false positive result. I hope this is helpful to anyone with the same difficulties.

--
Alan
Anthony Wells RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Expert Contributor 17th Aug, 2009 00:27
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 17th Aug, 2009 00:29
Hello Alan ,

You seem to be using your Email address for your "username" - doing this in a public forum could drop you into Spam hell ; I would suggest you pick another "username" via the "secunia profile" tab in PSI .

I am not sure what you are referring to in your post , that is , which MS product , update , etc. is/are involved . Secunia very rarely , if ever , gives a "false positive".

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
alan09 RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Member 19th Aug, 2009 13:54
Score: 0
Posts: 2
User Since: 10th Dec 2008
System Score: N/A
Location: N/A
Last edited on 19th Aug, 2009 13:56
Thanx Anthony. This is the Microsoft program that Secunia alerted me to and has rated as insecure. I tried to locate this in my files but was unable to after clicking on the Secunia file. It's as if it does not exist.
(MSXML) 6.x (64-bit) version 6.101129.0 I tried that direct patch for this program but since my browser is rated as insecure I am not able to use the patch link. Any suggestions? Sorry about the confusion.

--
Alan
Anthony Wells RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
Expert Contributor 19th Aug, 2009 14:14
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Alan ,

You may find part of the answer on this thread :-

http://secunia.com/community/forum/thread/show/147...

You'll need to scroll right thru' . There are other threads covering your topic on the Forum .

Let us know how you get on.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144