Solved

PCI Scan- Microsoft Security Bulletin MS10-040 and KB982666

Posted on 2014-03-17
1
837 Views
Last Modified: 2014-04-24
I just received a failure on our PCI scan and one of the failures was for KB982666.  We have SBS 2011 Standard 64bit SP1 and the WSUS server shows that I do not need that security update.  But if you read the bulletin it says I don't and that I do.

"Is my computer vulnerable if I have not installed KB973917?
Systems running supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008 that do not have KB973917 installed are not vulnerable. Systems running supported editions of Windows 7 and Windows Server 2008 R2 are vulnerable."

And actually there were 4 security bulletins that were given for the failure and all the KB security updates in them our server shows they are not needed.  I am not sure if I should be downloading these manually and install them.  Any suggestions?
0
Comment
Question by:gseales
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39936077
The scanner probably just doing diligence to check on the latest and completeness of the various OS security patches applied compared to your target server. Not all scan findings can be true positive hence the need to make the assessment on the relevance and impacts of the findings. In this KB, it applies for IIS and if server dont even have IIS then it is not relevant at all.  

Having said that, the point is trust but verify. In this KB, it is supposed to have the extended protection enabled which is supposed to enhance the IIS security. When MS say that it is not applicable or not "affected" is on the basis that this feature is disabled, hence not "affected". So if you look at the kb973917, you can verify from registry if it is enabled or disabled - just to confirm. Then again, if this is disabled, it also means  the server is subjected to other form of attacks like man in the middle etc which Extended protection is supposed to prevent and protect against.  

For other false positive if deem, it is always best to verify again. But having to pass pci scan does not ascertain the state of server is secure too. So it is still best to have the latest patch applied as well (my personnel view)
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question