Solved

PCI Scan- Microsoft Security Bulletin MS10-040 and KB982666

Posted on 2014-03-17
1
839 Views
Last Modified: 2014-04-24
I just received a failure on our PCI scan and one of the failures was for KB982666.  We have SBS 2011 Standard 64bit SP1 and the WSUS server shows that I do not need that security update.  But if you read the bulletin it says I don't and that I do.

"Is my computer vulnerable if I have not installed KB973917?
Systems running supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008 that do not have KB973917 installed are not vulnerable. Systems running supported editions of Windows 7 and Windows Server 2008 R2 are vulnerable."

And actually there were 4 security bulletins that were given for the failure and all the KB security updates in them our server shows they are not needed.  I am not sure if I should be downloading these manually and install them.  Any suggestions?
0
Comment
Question by:gseales
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39936077
The scanner probably just doing diligence to check on the latest and completeness of the various OS security patches applied compared to your target server. Not all scan findings can be true positive hence the need to make the assessment on the relevance and impacts of the findings. In this KB, it applies for IIS and if server dont even have IIS then it is not relevant at all.  

Having said that, the point is trust but verify. In this KB, it is supposed to have the extended protection enabled which is supposed to enhance the IIS security. When MS say that it is not applicable or not "affected" is on the basis that this feature is disabled, hence not "affected". So if you look at the kb973917, you can verify from registry if it is enabled or disabled - just to confirm. Then again, if this is disabled, it also means  the server is subjected to other form of attacks like man in the middle etc which Extended protection is supposed to prevent and protect against.  

For other false positive if deem, it is always best to verify again. But having to pass pci scan does not ascertain the state of server is secure too. So it is still best to have the latest patch applied as well (my personnel view)
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question