Forum Thread: .NET Framework 4.x - Suspect False Alerting

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
RxDdude .NET Framework 4.x - Suspect False Alerting
Member 28th Oct, 2010 08:42
Ranking: 4
Posts: 33
User Since: 20th Aug, 2009
System Score: N/A
Location: US
Last edited on 28th Oct, 2010 09:03

My last 2 scans (only) with PSI v1.5.0.2 have alerted on .NET Frameworks 1.1, 2.0, 3.0, and 4.0, in Windows XP Professional x86 (32-bit) SP3. There are various problems with these various warnings. This thread will address only 4.0, for which SA41751 is identified as the applicable Advisory.

The issue as I see it is, SA41751 itself says, "The vulnerability only affects Microsoft .NET Framework 4.0 on the x64 and Itanium architectures."

It would be my contention that, therefore, this alert is a false alert for the given system, and Secunia PSI ought not to display an insecurity for the subject .NET Framework 4.0.30319.1.

FYI-1. When I accessed Microsoft Update on the web, it offered only 2 critical updates (see FYI-2., below) and two optionals, but nothing affecting .NET Framework 4.0; and I will note that Add/Remove programs shows that both .NET Framework 4 Client Profile and .NET Framework 4 Extended are installed, both are ID'ed in their Support Information popups as v4.0.30319, and for 4.0 Extended only, there is one patch installed, KB2416472. There is no patch available from Microsoft Update for the .NET v4.0 in Win XP Pro x86 SP3. Therefore, nothing can be done to patch this.

FYI-2. Windows' Automatic Updater and the Update website have repeatedly offered KB2418241 patch for .NET F'works 2.0 SP2 and 3.5 SP1, and also KB2416473 for 3.5 SP1, but nothing for 1.1, 3.0, or 4.0. These patches for 2.0 and 3.5 have failed of installation ever since they came out, i.e. approx. ten (10) tries. Is this possibly relevant?

Paths:
3.0.4506.2152 = D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
4.0.30319.1 = D:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

3.5 - SMSvcHost.* is not found in any subfolder. A/RP lists 3.5 SP1 with 2 Hotfixes KB953595 and KB958484 plus one Update KB963707.

With hope that this will be received as helpfully intended, it is requested that Secunia PSI definitions should be updated to remove the false alert when the installed OS is an x86 version, and, if I may venture to include this, PSI should alert me on the v3.5 - for the patches above.

--
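
Added example (not part of the original post, and not Secunia PSI's actual logic): a scanner-side applicability check that honours the architecture restriction quoted from SA41751, so the 4.0.30319.1 detection on an x86 host is suppressed instead of reported. The rule structure, the `ia64` label for Itanium and the inventory entries are constructed for illustration; patch level is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdvisoryRule:
    advisory_id: str
    product: str
    version_prefix: tuple      # affected version branch, e.g. (4, 0)
    architectures: frozenset   # OS architectures the advisory says are affected

@dataclass(frozen=True)
class Detection:
    product: str
    version: str
    os_arch: str               # "x86", "x64" or "ia64" (labels are assumptions)

def parse_version(text):
    """Turn '4.0.30319.1' into (4, 0, 30319, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def applies(rule, det):
    """Return (bool, reason): does this advisory apply to this detection?"""
    if det.product != rule.product:
        return False, "different product"
    ver = parse_version(det.version)
    if ver[:len(rule.version_prefix)] != rule.version_prefix:
        return False, "version branch not affected"
    # The step the thread is about: version alone is not enough.
    if det.os_arch.lower() not in rule.architectures:
        return False, f"architecture {det.os_arch} not affected"
    return True, "affected"

# Rule built only from the advisory sentence quoted in the post above.
SA41751 = AdvisoryRule("SA41751", ".NET Framework", (4, 0),
                       frozenset({"x64", "ia64"}))

# Constructed inventory: the poster's XP x86 versions plus a hypothetical x64 host.
INVENTORY = [
    Detection(".NET Framework", "4.0.30319.1", "x86"),
    Detection(".NET Framework", "4.0.30319.1", "x64"),
    Detection(".NET Framework", "3.0.4506.2152", "x86"),
]

def triage(rule, inventory):
    """One row per detection: (version, os_arch, applies?, reason)."""
    return [(d.version, d.os_arch, *applies(rule, d)) for d in inventory]

if __name__ == "__main__":
    for row in triage(SA41751, INVENTORY):
        print(row)
```
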

mogs RE: .NET Framework 4.x - Suspect False Alerting
Member 28th Oct, 2010 10:02
Score:
Posts: 6,279
User Since: 22nd Apr 2009
System Score: N/A
Location: UK
Hello.
There have been various threads over recent weeks, concerning .NET problems...the general advice is to take as much time as possible in trying to unravel.
The following thread, and Maurice Joyce's post in particular, are a good place to start:
http://secunia.com/community/forum/thread/show/424...
Since then there have been further updates....the current arrangement for XP being as follows :-
2.0.50727.3618
3.0.4506.2152
4.0.30319.1
And of those, I'm assured, of .NET 4, there is no need.
I would advise reading thro' the foregoing first.
Hope this helps............regards,

--
Blue Zee RE: .NET Framework 4.x - Suspect False Alerting
Member 28th Oct, 2010 12:53
Score: 11
Posts: 4
User Since: 18th Oct 2010
System Score: 100%
Location: PT
Windows XP SP3

Went through the same pain and the only way I found to solve this was by uninstalling all versions of .NET Framework, using Aaron Stebner's .NET Framework Cleanup Tool to clean all remnants:
http://blogs.msdn.com/b/astebner/archive/2008/08/2...

Reinstalled .NET Framework (excluding version 4!) and finally got it sorted.

Couldn't find any other way.

--
Sometimes the alphabet starts with Z...
RxDdude RE: .NET Framework 4.x - Suspect False Alerting
Member 30th Oct, 2010 07:38
Score: 4
Posts: 33
User Since: 20th Aug 2009
System Score: N/A
Location: US
Mogs, thanks for the helpful inputs. I am not quite ready to ACCEPT because the issue isn't resolved until the false positive alert is resolved. I don't know, maybe you are an official Secunia responder, maybe not. A couple of items -

1. It looks to me like this issue highlights a Bug that ought to be reported formally. Do you agree? If so, can you please advise me how to escalate a bug report, and to whom? I would like this thread to close, once we can post a statement of what the client needs to do, along with Secunia's action decision, positive or negative, and results of the client's experience with the suggested fix.

2. You gave a list of .NET Frameworks latest version numbers that is helpful, confirming that mine match yours, but the list omitted the .NET Framework v3.5. I cannot get my latest 3.5 version number from Add/Remove Programs just now because I am working just now in a Limited User Account in which Windows refuses me access to A/RP. I will post the 3.5 v-no. later if you choose not to.

3. Having scoured the Forum for answers on other issues, I have found it to be annoying when first a problem is reported, then in reply an expert offers suggestions, but no one ever reports whether the suggestions resolved the issue or not for the originator. This leaves uncertainties in the mind and inhibits (for me, at least) one's desire to follow the often arcane and time-consuming, detailed instructions of the expert.
(The sidebar does not show me an obvious Bug Reporting tool.) But enough on this. Please give me advice on reporting this bug to Secunia.

--
RxDdude RE: .NET Framework 4.x - Suspect False Alerting
Member 30th Oct, 2010 08:05
Score: 4
Posts: 33
User Since: 20th Aug 2009
System Score: N/A
Location: US
Last edited on 30th Oct, 2010 08:09


--
mogs RE: .NET Framework 4.x - Suspect False Alerting
Member 30th Oct, 2010 10:00
Score:
Posts: 6,279
User Since: 22nd Apr 2009
System Score: N/A
Location: UK
Hello again FallingRock.
Firstly....Secunia Officials are those with the title coloured Secunia red. You can direct a thread to, on the forum if you wish. You can also contact support@secunia.com at any time to report a matter.
I can understand your disgruntlement with regard to your .NET 4 problem...tho' I'm not exactly sure of where you're at with it. Have you now in fact removed .NET 1 and .4 : as you say the versions correspond to those previously given ?
As you can see from my details below, I use Vista......I too at one time had .NET 3.5 showing: it disappeared a while ago when updated....I have no info regarding a version number for such, to be able to confirm/correlate. One reason why having referred earlier to Maurice's post for background.
It is up to the originator of a thread to show that a matter has been resolved....very often tho': in very many instances; they are heard no more of......a dissatisfying scenario for helpers too.
Wherever possible, helpers try to guide to solutions/info that have been found to work....not a perfect system maybe...but the overall success of the forum seems quite phenomenal to me.
I hope the foregoing is of some use and you find it possible to move on with it......regards,

--
