
Forum Thread: false positive

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
newpost false positive
Member 7th Aug, 2010 18:04
Ranking: 2
Posts: 34
User Since: 7th Aug, 2010
System Score: N/A
Location: DE
Last edited on 7th Aug, 2010 18:07

Hi there,

I have had this problem fixed since Monday and PSI is giving a false positive:
http://secunia.com/advisories/40647/

I just wanted to inform you.

Anthony Wells RE: false positive
Expert Contributor 7th Aug, 2010 18:48
Score: 2437
Posts: 3,322
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 7th Aug, 2010 18:58
Hello again newpost,

If you are saying that KB2286198 has been applied to your computer, then in order to help you further you need to use the PSI in "advanced" mode; as a new poster to the Forum, here are some tips on using PSI in "advanced" mode (the link to "advanced" is at the top right corner of the PSI page):-

Click on each/all the tabs and there is plenty of written advice about what each tab contains.

If a "problem" shows in the "insecure" or "end of life" tabs, then to help resolve any problem, here are some instructions to help you first of all get the best out of PSI:-

1) use PSI in "advanced" mode;
2) in the "settings" tab make sure that the box in the first/upper section is NOT ticked in order to have the maximum info available;
3) tell us in which "tab(s)" your problem programme is located;
4) in that tab, click on the + in the box at the left end of the programme, the page will expand;
5) in the expanded page, tell us what is written in the "installation path";
6) in the "toolbox" section, lower down, the link "technical details" should confirm the installation path details;
7) click on the link "open folder" and you will see more details concerning the location of the "problem".

You need to tell us (minimum) the "installation path" data for each programme that is giving you a problem and we can deal with them one at a time.

Which version of the PSI are you using?? Also which OS and which browsers are you using??

Anthony

EDIT: for a Microsoft update to show correctly you must reboot and run a full rescan, recheck for updates at "microsoftupdates" and reboot and run a full rescan; repeat this until no updates are offered.


--


It always seems impossible until it's done.
Nelson Mandela
thedillpickl RE: false positive
Contributor 7th Aug, 2010 18:59
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi newpost;

Long time, no see. :)

The SA cited is the 'bad' one regarding shortcut hijacking, even by USB thumb drive insertion. This update may have been a problem to resolve, I will check into it and get back.


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
newpost RE: false positive
Member 7th Aug, 2010 23:06
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
Hi,

Could you do something so that I can see your posts when writing the answer to them? It is very bad not seeing them while answering. A list below would be nice; so far I try another tab. Thank you in advance.

@Anthony Wells: I have been using PSI for quite a long time.

Here you go:
1) all the time
2) all the time
3) unsecure, it is the second tab
4) ok, I know
5) only "N/A". And detected version is Service Pack 3. So it does not say much. Under online reference you have this: http://secunia.com/advisories/40647/
6) no installation path details there, not joking!
7) no chance, grayed out and not working at all!

installation path: see above, no chance.

1.5.0.2, Windows XP SP3 with all security patches, Firefox 3.6.8 and portable version also, and Opera@USB (it is portable). Internet Explorer installed but not used!

I am quite sure that I rebooted at least one time since last Monday. Yes, full rescan for sure. I used an update scanner and it also says that every security patch is installed, so there is nothing to do in this direction! And the false positive is in the installed software list of the OS. I have done everything possible, I think.

@thedillpickl: It would be interesting to hear what you found out.
newpost RE: false positive
Member 7th Aug, 2010 23:11
Score: 2
Posts: 34
User Since: 7th Aug 2010
System Score: N/A
Location: DE
So I know it is for sure a false positive and as I have two other possible false positives I will take care of the other as I don't have time for it at all. Bye.
thedillpickl RE: false positive
Contributor 9th Aug, 2010 01:57
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 9th Aug, 2010 02:04
Hi newpost;

The SA you cite in the first post & the fact that MS did not wait for the second Tuesday updates say it all. This is a nasty little bugger, with Secunia rating 4 of 5 (Highly Critical). "Successful exploitation does not normally require any interaction...", which means they can 'getcha' without you doing anything but being there.

Here's the 'red alert' from MS: http://www.microsoft.com/technet/security/Bulletin...

In http://support.microsoft.com/kb/2286198 , under "File Information", this is what's in the update for XP 32 bit (I condensed the chart).

For all supported x86-based versions of Windows XP

File name      File version     SP     Service branch
Shell32.dll    6.0.2900.6018    SP3    GDR
Shell32.dll    6.0.2900.6018    SP3    QFE
Updspapi.dll   6.3.13.0         None   Not Applicable

Note: These files are internal to XP (among other OS's), so that is why no "Installation Path" or "Open Folder" is available.

I have applied the MS update for KB2286198 to my Acer laptop, which runs on XP Home. It installed fine & PSI reports XP as secure again. Updating my HP machine (XP Pro) as I write this. Expanding the description of the update, MS says,

"Typical download size: 551 KB , 3 minutes
A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system." (blah, blah)

Note: Having done the update on the Acer, I know a reboot is required. You said that a reboot, followed by a full scan by PSI was performed. (Sorry, I have to ask, some miss this point.) Was the reboot from a fully powered down state? Sleep & Hibernate are not the same.

Suggestion: If you're up to it, use "Search" to find what folder in Windows these files are in and see if older versions are present. For some reason, the installer may have not removed them. In either case, I would go to Add/Remove, check the "Show updates" box at the top. All the way at the bottom of "Windows XP - Software Updates" you will find KB2286198, remove it and reinstall, reboot, rescan, to find if problem persists.

I'm off to reboot my HP to find if the update worked there!


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
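
The file search suggested in the post above, as an added PowerShell example that is not part of the thread: it finds every copy of Shell32.dll under the Windows folder and compares each file version with the 6.0.2900.6018 listed in the KB2286198 file table. It assumes PowerShell 2.0 or later is installed; the function name `Get-Shell32PatchState` and the output columns are illustrative.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later.
# Function and property names are illustrative.
# Fixed version taken from the KB2286198 file table quoted in the post above.
$FixedVersion = [version]'6.0.2900.6018'

function Get-Shell32PatchState {
    param(
        [string]$Root = $env:windir,              # folder tree to search
        [System.Version]$Minimum = $FixedVersion  # lowest version counted as patched
    )

    # Find every copy, including cached or backup copies an installer left behind.
    Get-ChildItem -Path $Root -Filter 'shell32.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)

            # Build the version from its numeric parts; the FileVersion string
            # can carry a branch suffix that [version] cannot parse.
            $parts = @($info.FileMajorPart, $info.FileMinorPart,
                       $info.FileBuildPart, $info.FilePrivatePart)
            $found = New-Object -TypeName System.Version -ArgumentList $parts

            New-Object PSObject -Property @{
                Path     = $_.FullName
                Version  = $found
                Patched  = ($found -ge $Minimum)
                Modified = $_.LastWriteTime
            }
        }
}

$results = @(Get-Shell32PatchState)
$results | Sort-Object Version | Format-Table Patched, Version, Modified, Path -AutoSize

$old = @($results | Where-Object { -not $_.Patched })
if ($results.Count -eq 0) {
    Write-Output "No shell32.dll found under $env:windir"
} elseif ($old.Count -gt 0) {
    Write-Output ("{0} copy/copies older than {1}; check which one is in the system folder." -f $old.Count, $FixedVersion)
} else {
    Write-Output "All copies are at or above $FixedVersion"
}
```

Older copies kept in an update's uninstall backup folder are normal; the copy that matters is the one Windows loads from its system folder.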