Secunia
Relating to this vendor: Microsoft
And, this specific program: Microsoft Internet Explorer 7.x

Georgia | SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
4th Jul, 2009 17:09
Ranking: 0 Posts: 4 User Since: 4th Jul, 2009 System Score: N/A Location: N/A

Secunia and Microsoft Update say IE7 is fully patched. Secunia says this vulnerability was patched by Microsoft in early June 2009. Secunia says there is nothing I can do.

Question: I do not understand if Microsoft fixed this vulnerability or not? Why is IE7 showing as not patched when I have the patch that fixed this vulnerability?

IE Version 7.0.5730.11IC
KB969897 is applied, which is the patch for XP Professional with SP2/SP3 identified on the Secunia advisory page.

Thanks

Anthony Wells | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
4th Jul, 2009 20:54
Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 4th Jul, 2009 20:56

Which "tab" on the "Overview" page of PSI in "advanced" mode is showing you a problem? If IE is correctly patched it will be in the "patched" tab; if not it will be under the "insecure" tab.

In the "secure browsing" tab it will show as "insecure", either way, as even when fully patched it still has "holes" in it for which MS have yet to provide a patch. So there is a "risk" if you use it - how big the risk depends on how you protect yourself when "surfing".

My version of IE is 7.0.6000.16850.

-- It always seems impossible until it's done. Nelson Mandela

Georgia | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
5th Jul, 2009 19:25
Score: 0 Posts: 4 User Since: 4th Jul 2009 System Score: N/A Location: N/A Last edited on 5th Jul, 2009 19:27

The error is showing on the secure browsing tab. With the later version of IE 7, is your IE 7 getting flagged as insecure?

on 4th Jul, 2009 20:54, Anthony Wells wrote: "In the "secure browsing" tab it will show as "insecure", either way, as even when fully patched it still has "holes" in it for which MS have yet to provide a patch. So there is a "risk" if you use it - how big the risk depends on how you protect yourself when "surfing"."

The Secunia Advisory says the solution status is vendor patch, so if IE 7 still has the holes for this vulnerability, it is a contradiction to say it is patched. This is what I am trying to understand.

"Microsoft Internet Explorer Multiple Vulnerabilities
Secunia Advisory: SA35362
Release Date: 2009-06-09
Last Update: 2009-06-11
Popularity: 4,292 views
Critical: Highly critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch"

Thanks

Anthony Wells | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
5th Jul, 2009 20:04
Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 5th Jul, 2009 20:13

My version shows as insecure under secure browsing & shows the advisory reference as SA22628. I only use it via Firefox (I use the IE Tab add-on in Firefox) to minimise exposure.

As I see it: PSI only used to tell you if you had all the available patches & so were fully patched & "technically" as "secure" as you can get; but they also indicated that programmes like IE pose a potential security "risk/threat" and later put the coloured bar/category after the programme. These programmes are more likely to be attacked successfully. If you want more advice they have the "advisories".

In the (new) secure browsing tab they are adding/highlighting the fact that as well as a "risk category" some programmes have vulnerabilities that could well be exploited now or in the future. These are real vulnerabilities which are not patched, the supplier does not have a patch & so this gives/emphasises the insecure rating.

It just means you have to interpret "insecure" in slightly different ways for "patching" and "browsing". Secunia - being cunning Danes - probably chose similar words/terms to make us sit up & take notice of what we are doing.

You are obviously safer to update, but even then there will be holes!!

-- It always seems impossible until it's done. Nelson Mandela

Anthony Wells | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
5th Jul, 2009 21:36
Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 5th Jul, 2009 21:50

Just to let you know that the security risk category/colour bar for my IE in the patched programmes tab leads to SA35362, which refers to the last MS patch available to be applied earlier this month, KB969897 (I think, successfully, if your IE is in the patched tab); SA22628 in the secure browsing tab refers to the unpatched vulnerability which dates back to 2006!! & gives IE its insecure rating.

I know, clear as mud.

-- It always seems impossible until it's done. Nelson Mandela

Georgia | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
6th Jul, 2009 00:54
Score: 0 Posts: 4 User Since: 4th Jul 2009 System Score: N/A Location: N/A

on 5th Jul, 2009 21:36, Anthony Wells wrote: "Just to let you know that the security risk category/colour bar for my IE in the patched programmes tab leads to SA35362, which refers to the last MS patch available to be applied earlier this month, KB969897 (I think, successfully, if your IE is in the patched tab); SA22628 in the secure browsing tab refers to the unpatched vulnerability which dates back to 2006!! & gives IE its insecure rating. I know, clear as mud."

Anthony,

You are right. My secured browsing tab now says SA22628, which is not patched. It is exactly as you say. That resolves my issue. Thank you.

Internet Explorer 7 Window Injection Vulnerability
Secunia Advisory: SA22628
Release Date: 2006-10-30
Popularity: 63,584 views
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched

alan09 | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
16th Aug, 2009 21:59
Score: 0 Posts: 2 User Since: 10th Dec 2008 System Score: N/A Location: N/A Last edited on 16th Aug, 2009 22:13

After speaking with a Microsoft tech. and going through my comp. for over an hour, I was informed that Secunia is detecting a "Microsoft Update" as being a security threat. These Updates from Microsoft are automatic Updates, some of which are uninitiated or seen by the user themselves. I was advised to ignore the problem because it is basically a false positive result. I hope this is helpful to anyone with the same difficulties.

-- Alan

Anthony Wells | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
17th Aug, 2009 00:27
Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 17th Aug, 2009 00:29

Hello Alan,

You seem to be using your Email address for your "username" - doing this in a public forum could drop you into Spam hell; I would suggest you pick another "username" via the "secunia profile" tab in PSI.

I am not sure what you are referring to in your post, that is, which MS product, update, etc. is/are involved. Secunia very rarely, if ever, gives a "false positive".

Anthony

-- It always seems impossible until it's done. Nelson Mandela

alan09 | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
19th Aug, 2009 13:54
Score: 0 Posts: 2 User Since: 10th Dec 2008 System Score: N/A Location: N/A Last edited on 19th Aug, 2009 13:56

Thanx Anthony,

This is the Microsoft program that Secunia alerted me to and has rated as insecure. I tried to locate this in my files but was unable to after clicking on the Secunia file. It's as if it does not exist.

(MSXML) 6.x (64-bit) version 6.101129.0

I tried that direct patch for this program, but since my browser is rated as insecure I am not able to use the patch link. Any suggestions? Sorry about the confusion.

-- Alan

Anthony Wells | RE: SA35362 vulnerability is marked vendor patched - my ie 7 is fully patched and still shows vulnerable
19th Aug, 2009 14:14
Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A

Hello Alan,

You may find part of the answer on this thread:

http://secunia.com/community/forum/thread/show/147...

You'll need to scroll right thru'. There are other threads covering your topic on the Forum.

Let us know how you get on.

Anthony

-- It always seems impossible until it's done. Nelson Mandela
