
Forum Thread: Incorrect detection

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe SVG Viewer 3.x

This thread has been marked as locked.
mmmm1 Incorrect detection
Member 14th Feb, 2011 02:50
Ranking: 0
Posts: 5
User Since: 14th Feb, 2011
System Score: N/A
Location: PL
SA15255 describes a weakness affecting versions 3.02 and prior. It advises updating to 3.03. I have 3.03 version and PSI detects it as vulnerable and links to this advisory.

---START---

Program Name:
Adobe SVG Viewer 3.x

Security State:
End-of-Life

Download Link:
http://www.adobe.com/svg/viewer/install/

Instances Found:
C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\SVGCore.dll, version: 3, 03, 0, 94

Last System Scan (localtime):
14. Feb 2011, 01:47

Operating System:
Microsoft Windows XP Professional, Service Pack 3

---END---


mogs RE: Incorrect detection
Expert Contributor 14th Feb, 2011 06:59
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello.
See ddmarshall's post on the following thread for more info :-
http://secunia.com/community/forum/thread/show/605...
Hope it helps.......regards,

--
Was this reply relevant?
+1
-1
mmmm1 RE: Incorrect detection
Member 14th Feb, 2011 12:48
Score: 0
Posts: 5
User Since: 14th Feb 2011
System Score: N/A
Location: PL
I've read that before posting. I know I can uninstall SVG Viewer 3.03, but I don't know why it is detected as bad while the advisory says this version is OK.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Incorrect detection
Handling Contributor 14th Feb, 2011 13:10
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
It is telling U it is End of Life not bad & clearly points U to the Adobe site which highlights that information.
That means:

1. The vendor (Adobe) have withdrawn all support for it therefore U have no way of telling if it ever becomes vulnerable despite the fact it may well be secure now.

The Risk Assessment on that information is yours:

a. Create an ignore rule - not something I would do with Adobe's security record.

b. Uninstall it - as pointed out already it is not required if your default browser is not IE.

c. If IE is your default & U really want a replacement U have been given some links.

Does that help?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-1
mmmm1 RE: Incorrect detection
Member 14th Feb, 2011 13:22
Score: 0
Posts: 5
User Since: 14th Feb 2011
System Score: N/A
Location: PL
Last edited on 14th Feb, 2011 13:24
on 14th Feb, 2011 13:10, Maurice Joyce wrote:
It is telling U it is End of Life not bad

It says in the Threat Rating column: "A hacker can typically use this to preform less sensitive actions on your computer."

Isn't that bad?

Other apps which are End-of-Life but have no actual advisory show "-" in Threat Rating.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Incorrect detection
Handling Contributor 14th Feb, 2011 18:41
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 14th Feb, 2011 18:47
PSI points U to an Adobe website which clearly states the product was discontinued & therefore unsupported since 2009. Alarm bells should now be ringing.

The download link for SVG on that site does not appear to work so there is little chance of anyone being able to install a vulnerable version except from a "Mickey Mouse" third party download site which is never a good idea.

The knowledge gained from the site(s) available is where a user risk assessment is made.

It appears that having SVG installed could lead to less sensitive information being hacked. Some would risk it - others not. PSI has warned U so it is now a personal choice.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-1
ddmarshall RE: Incorrect detection
Dedicated Contributor 14th Feb, 2011 22:47
Score: 1218
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Is the Program State shown as 'Insecure' or 'End of Life'?

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Incorrect detection
Handling Contributor 14th Feb, 2011 22:49
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Look at the result given by Secunia on his opening post - CLEARLY END OF LIFE

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
mmmm1 RE: Incorrect detection
Member 14th Feb, 2011 23:37
Score: 0
Posts: 5
User Since: 14th Feb 2011
System Score: N/A
Location: PL
Yes, it is listed as End-of-Life, but there is also an irrelevant "Install Solution" link and an irrelevant security advisory.

on 14th Feb, 2011 18:41, Maurice Joyce wrote:
The download link for SVG on that site does not appear to work so there is little chance of anyone being able to install a vulnerable version


Hm, for me it works fine. But it is version 3.03, not the vulnerable one.
Was this reply relevant?
+0
-0
ddmarshall RE: Incorrect detection
Dedicated Contributor 15th Feb, 2011 00:01
Score: 1218
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Strange. It looks a bit like how PSI 1.5 used to work. Perhaps a Secunia Official can look into it. If I have time, I will install it on a test system and check if I get the same result as you.

Do you need this program?

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
mmmm1 RE: Incorrect detection
Member 15th Feb, 2011 00:59
Score: 0
Posts: 5
User Since: 14th Feb 2011
System Score: N/A
Location: PL
on 15th Feb, 2011 00:01, ddmarshall wrote:
Do you need this program?


Yes, I use a website which requires it on Internet Explorer: http://gddkia.gov.pl/21/mapa-warunkow-drogowych
Was this reply relevant?
+0
-0
Maurice Joyce RE: Incorrect detection
Handling Contributor 15th Feb, 2011 01:08
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What are we testing?

Adobe last updated SVG in April 2005 to version 3.03.

They declared it End of Life in 2009 as follows:

Please note that Adobe has announced that it will discontinue support for Adobe SVG Viewer on January 1, 2009.

PSI is correct. It directs users to a site where a secure version (3.03, which has no outstanding advisories) can be installed BUT having installed it then it immediately becomes End of Life because of Adobe's declared intention in 2009.

The user then has choices from a Risk Assessment:

1. Knowing it is secure at the moment should a risk be taken knowing it is now unsupported?

2. Is it required? If an IE only user with XP that is possible. All other browsers plus IE9 support SVG.


This part of the opening post is a little confusing.
"I have 3.03 version and PSI detects it as vulnerable and links to this advisory"

The report created by PSI & posted to the Forum makes no mention of an advisory. The link given by PSI points here: http://www.adobe.com/svg/viewer/install/ which clearly states that SVG is End Of Life.

I can see the point being asked. If version 3.03 is already installed why has PSI given a download link as a solution. The answer is to help those who have previous versions who might want to update to a secure version & then run the risk of an unsupported programme.

The bottom line is SVG is End of Life whatever version is installed and that is what PSI is clearly stating. The download link given as a solution is for those who do not have the secure version 3.03 installed.

@mmmm1 - from your last post I can see U want it. That is not a problem. On the basis that it has been secure since 2005 the risk of using it appears slight. Just note it is End of Life and be a bit careful.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
ddmarshall RE: Incorrect detection
Dedicated Contributor 15th Feb, 2011 10:48
Score: 1218
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Having read through the PSI manual again, it seems that this is the intended behaviour for an End-of-Life program. The threat rating shows the rating for the last patch and the update link is to get to the vendor's website to check for a later version. Showing the threat level when the version installed is fully patched seems illogical.

As you have XP, you cannot use Internet Explorer 9 which will support SVG. So you will have to continue using this viewer if you cannot use another browser such as Firefox or Chrome with this site.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-0
