Solved

PCI Scan- Microsoft Security Bulletin MS10-040 and KB982666

Posted on 2014-03-17
1
834 Views
Last Modified: 2014-04-24
I just received a failure on our PCI scan and one of the failures was for KB982666.  We have SBS 2011 Standard 64bit SP1 and the WSUS server shows that I do not need that security update.  But if you read the bulletin it says I don't and that I do.

"Is my computer vulnerable if I have not installed KB973917?
Systems running supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008 that do not have KB973917 installed are not vulnerable. Systems running supported editions of Windows 7 and Windows Server 2008 R2 are vulnerable."

And actually there were 4 security bulletins that were given for the failure and all the KB security updates in them our server shows they are not needed.  I am not sure if I should be downloading these manually and install them.  Any suggestions?
0
Comment
Question by:gseales
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39936077
The scanner probably just doing diligence to check on the latest and completeness of the various OS security patches applied compared to your target server. Not all scan findings can be true positive hence the need to make the assessment on the relevance and impacts of the findings. In this KB, it applies for IIS and if server dont even have IIS then it is not relevant at all.  

Having said that, the point is trust but verify. In this KB, it is supposed to have the extended protection enabled which is supposed to enhance the IIS security. When MS say that it is not applicable or not "affected" is on the basis that this feature is disabled, hence not "affected". So if you look at the kb973917, you can verify from registry if it is enabled or disabled - just to confirm. Then again, if this is disabled, it also means  the server is subjected to other form of attacks like man in the middle etc which Extended protection is supposed to prevent and protect against.  

For other false positive if deem, it is always best to verify again. But having to pass pci scan does not ascertain the state of server is secure too. So it is still best to have the latest patch applied as well (my personnel view)
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now