Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: Problems with .NET Framework 1.x,2.x.3.x,4.x

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as resolved.
jimworzala Problems with .NET Framework 1.x,2.x.3.x,4.x
Member 3rd Jan, 2011 21:42
Ranking: 0
Posts: 4
User Since: 14th Nov, 2009
System Score: N/A
Location: US
I am having a problem with 4 programs showing as Insecure. They are:

Microsoft .NET Framework 4.x Version detected:4.0.30319.1
Microsoft .NET Framework 3.x Version detected:3.0.4506.2152
Microsoft .NET Framework 2.x Version detected:2.0.50727.3618
Microsoft .NET Framework 1.x Version detected:1.1.4322.2470

My Operating System is Microsoft Windows XP Home Edition, Service Pack 3.

All 4 detailed listings show the same Missing Microsoft Patch (KB number):KB2416473.
They also all show the same path: C:\WINDOWS\Microsoft.NET\Framework\Vx.x

I tried Microsoft update, and it found no updates related to those programs, but it did find a few others, which I installed. I then ran a full scan which returned the same 4 programs listed as insecure.

I tried looking up these programs on the Forum, and found a thread that said to reeboot, rerun Microsoft update and then rescan. When I tried this, I got the same results.

When I double click the programs, I get an odd result in the quick facts section. It says:

This program was detected as Insecure, it is strongly recommended that you apply the latest security patch from the vendor of the program.

The version detected of Microsoft .NET Framework 1.x was 1.1.4322.2470 while the latest version including one or more security fixes is .

Note that there is no latest version number listed.

What do I do next?

Post "RE: Problems with .NET Framework 1.x,2.x.3.x,4.x" has been selected as an answer.
Maurice Joyce RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Handling Contributor 3rd Jan, 2011 21:56
Score: 11733
Posts: 8,982
User Since: 4th Jan 2009
System Score: N/A
Location: UK
When U completed a Microsoft Update did U use the Express Button or Custom?

Those file numbers do not look correct.

Try another Microsoft update & use the Custom Button option. U may find some missing updates there.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
mogs RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Expert Contributor 3rd Jan, 2011 22:13
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 3rd Jan, 2011 22:16
Hello.
Below is a copy of the Secunia Advisory for .NET 1.....

http://secunia.com/advisories/product/667/
If you have information about a new or an existing vulnerability in Microsoft .NET Framework 1.x then you are more than welcome to contact us.


Vendor, Links, and Unpatched Vulnerabilities

Vendor Microsoft

Product Link View Here (Link to external site)

Affected By 13 Secunia advisories
24 Vulnerabilities

Monitor Product Receive alerts for this product

Unpatched 23% (3 of 13 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft .NET Framework 1.x, with all vendor patches applied, is rated Moderately critical .


It therefore seems that even when fully patched, it is still vulnerable.
I was gonna include some previous info regarding .NET problems....but Maurice will more aware of anyrate....regards,

--
Was this reply relevant?
+1
-0
jimworzala RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Member 3rd Jan, 2011 22:28
Score: 0
Posts: 4
User Since: 14th Nov 2009
System Score: N/A
Location: US
Maurice,
I ran it in custom, I believe most of the updates that I installed were optional, not critical.

mogs,
I'm really not sure what all of that stuff on the linked page means. I'm just trying to find out if I have a security issue that I need to take care of, or if there is some problem with PSI.
Was this reply relevant?
+0
-0
mogs RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Expert Contributor 3rd Jan, 2011 22:42
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
The Advisory is showing that if all the vendor patches available are applied....it still leaves a Moderately critical vulnerability in .NET Framework 1.
I've checked the other versions against information gotten from previous threads, and the remainder versions seem to tally....for XP. Unless they've changed since, it would seem that the issue is with .NET 1 only.

--
Was this reply relevant?
+0
-0
Maurice Joyce RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Handling Contributor 3rd Jan, 2011 22:42
Score: 11733
Posts: 8,982
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Is there a reason U have .Net Framework 4 installed - it is an optional install & has been troublesome to many. It looks like U are missing 3.5 SP1.

My advice is to uninstall .NET 4 (there are two entries in Control Panel>add/remove)which both require removal.

Install SP1 from here:

http://support.microsoft.com/kb/2416473

Reboot

Complete a full PSI rescan - has that cleared it?

U can always reinstall 4 at any time.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
mogs RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Expert Contributor 3rd Jan, 2011 22:46
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Just checked the Advisories for .NET 2,3 and 4....they are not showing any vulnerabilites.

--
Was this reply relevant?
+0
-0
jimworzala RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Member 4th Jan, 2011 15:42
Score: 0
Posts: 4
User Since: 14th Nov 2009
System Score: N/A
Location: US
Maurice,

I made a small mistake when going to remove 4.0. There is a remove and a repair mode. I clicked repair by mistake, and decided to wait for it to finish before removing it. As I was waiting and after it started reinstalling the program, I got a balloon from PSI saying that it was now secure! I decided to try the same process for all of them.

I found out that although there is no button for a repair process for any of them earlier than 3.5, if you click on change/remove on the Add Programs menu, it appears to reinstall them for you, presumably from the backups. The only exception is 1.1 which only asks you if you want to uninstall. That one I just left alone (clicked no).

After doing this, I rebooted and found that all are now marked secure. Thank you for your help. I wonder if this is all related to a chkdsk procedure that I recently performed. They had all been secure before that.

On a related note, I do have Framework 3.5 listed in the Add/Change Program list, but it does not show up in the list of Programs from Secunia. Are they not checking that one? I would think that it should show up separately from Framework 3.x. Perhaps they should have 3.0.x and 3.5.x .
Was this reply relevant?
+0
-0
Maurice Joyce RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Handling Contributor 4th Jan, 2011 17:02
Score: 11733
Posts: 8,982
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 4th Jan, 2011 17:06
Magic - nothing to do with Check Disk. .NET gets a bit confused when version 4 is installed.

If U are telling me U are 100% secure after a full PSI scan can I ask that U lock (ACCEPT) the thread to prevent any more "tag on" posts from filling our email boxes with updates.

EDIT: Sorry missed a bit. 3.5 SP1 is considered a roll up fix install. I would not expect them to asste track it.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
jimworzala RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Member 4th Jan, 2011 18:10
Score: 0
Posts: 4
User Since: 14th Nov 2009
System Score: N/A
Location: US
Last edited on 4th Jan, 2011 18:13
Yes, 100% secure. Do you think I should remove .Net 4.0? What happens if something I am doing needs that version? Have you removed it from your computer?
Was this reply relevant?
+0
-0
Maurice Joyce RE: Problems with .NET Framework 1.x,2.x.3.x,4.x
Handling Contributor 4th Jan, 2011 19:34
Score: 11733
Posts: 8,982
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 4th Jan, 2011 23:27
If it is now OK keep it. It will be a fair while before any programme calls on it to work in which case U are ready.

EDIT: Sorry I have not answer all your question. I have not got it installed but, as I have said, U have safely and securely so I would leave it.

.NET Framework 4 is similar in one respect to Oracle JAVA, Adobe AIR & Adobe Shockwave. If a programme "calls on them to work" it will either install it for U or give a clear message to install it.

On that basis I class them as pure bloatware until such time as required. Windows works perfectly well without them so will most other things.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability