Re: Vulnerability scanner for MS05-039

[Chris Russel <russel () YORKU CA>]

On Wed, 17 Aug 2005, Robert Kerr wrote:

> On Tue, 2005-08-16 at 14:17 -0500, Graham Toal wrote:
> > I have a *lot* of these:
>
> > 445 MS04-007 SECURE:MS04-011 SECURE:MS05-039 INCONCLUSIVE [0000f203]
>
> > Any ideas what the Inconclusive means in that context?  They're all XPs.
> > Some of themmay not have rebooted yet despite already having received the
> >  patch.
> > (We pushed out the updates last week using SMS)
>
> To exploit this vulnerability with XP SP1 or above valid logon
> credentials are required:
>
> http://www.microsoft.com/technet/security/advisory/899588.mspx
>
> Seeing as the scanner doesn't have valid logon credentials it's not
> possible for it to determine for sure whether such machines are patched
> or not. At least that's my understanding.

Thanks, that is correct for the vast majority of the INCONCLUSIVES. I
don't like to say they are patched when I can't tell. There may be a few
vulnerable that report as inconclusive - I am waiting for more
information from some people to follow up on that.

Although rare on fast networks, in some cases it may be related to the
receive timeout.  I run it with a longer timeout than the default, you can
try "-r 1800". (yes I might change the default...)

--
Chris Russel
Manager CNS Information Security
York University, Toronto, Canada