Vulnerability CVE-2010-3332 and Patch KB2416472 and Conflict with .Net 4.0

  • Question

  • The MS10-070 article (Description of the security update for Microsoft .NET Framework 4, KB2416472) states that the security update NDP40-KB2416472-x64.exe (timestamp Wednesday, September 22, 2010 6:21:53 PM) installs the files listed below:

    GDR files

    File name                  File version    File size  Date         Time
    System.Web.Extensions.dll  4.0.30319.206   1,836,904  22-Sep-2010  12:54
    System.Web.dll             4.0.30319.206   5,146,960  22-Sep-2010  13:21
    System.Web.dll             4.0.30319.206   5,176,144  22-Sep-2010  12:55

    Currently our server has these versions installed:

    File Name                  File Version      Date
    System.Web.dll             4.0.30319.34237   7/24/2014
    System.Web.Extensions.dll  4.0.30319.34237   7/24/2014

    SHOULD WE INSTALL OLD VERSION AND OVER-WRITE CURRENT .NET 4.0?  PLEASE EXPLAIN EFFECT OF THE PATCH.
    • Moved by Amy Wang_ Thursday, November 13, 2014 10:00 AM Update related from Security forum
    Wednesday, November 12, 2014 3:30 PM

Answers

  • Scan detects threat vulnerability CVE-2010-3332 and fix is to install KB2416472 patch needed to pass and maintain compliance.

    Methinks you need to update your scanner. Any scanner that's whining about a four year old CVE that's been re-patched a dozen times since then is NOT looking at current vulnerability information.

    You *CANNOT* install KB2416472 (MS10-070).

    This update was superseded by KB2656351 (MS11-100).

    That update was superseded by KB2858302 (MS13-082).

    Which is the current Security Update for that CVE (and several others).

    But even then, we can see that you have NEWER versions of those files than is even provided by MS13-082, so any attempt to install any of those older updates will simply **FAIL**.

    The problem is not the patch level of the target system; the problem is a false positive from your scanner.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Proposed as answer by Ben Herila [MSFT] Tuesday, November 18, 2014 5:35 PM
    • Marked as answer by SBPrev Tuesday, November 18, 2014 8:49 PM
    Sunday, November 16, 2014 7:09 PM
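    The practical way to back up the argument above when disputing the scanner finding is to show that the installed System.Web assemblies are at or above the file version KB2416472 ships (4.0.30319.206 from the KB table). The following PowerShell check is an added example, not code from the thread or from Microsoft; it assumes .NET 4.x is installed in the default %windir%\Microsoft.NET\Framework and Framework64 directories.

```powershell
# Added example: compare installed System.Web assembly versions with the
# MS10-070 (KB2416472) file version quoted in the KB table, then look for the
# KB supersession chain named in the answer. Assumes default .NET 4.x paths.

$patchedVersion = [version]'4.0.30319.206'   # file version from the KB2416472 table
$files = 'System.Web.dll', 'System.Web.Extensions.dll'
$roots = @(
    (Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319'),
    (Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319')
)

$results = foreach ($root in $roots) {
    foreach ($name in $files) {
        $path = Join-Path $root $name
        if (-not (Test-Path $path)) { continue }
        # Build the version from the numeric parts: the FileVersion string on
        # .NET assemblies often carries trailing text ("built by: ...") that
        # would break a direct [version] cast.
        $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        $installed = New-Object System.Version(
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path       = $path
            Installed  = $installed
            Required   = $patchedVersion
            Supersedes = ($installed -ge $patchedVersion)
        }
    }
}

$results | Format-Table -AutoSize

# Supersession chain from the answer: KB2416472 -> KB2656351 -> KB2858302.
# Get-HotFix reads Win32_QuickFixEngineering, which may not record MSI-based
# .NET updates, so "not listed" is inconclusive; the file versions decide.
foreach ($kb in 'KB2416472', 'KB2656351', 'KB2858302') {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { "$kb installed on $($hf.InstalledOn)" } else { "$kb not listed by Get-HotFix" }
}

if ($results | Where-Object { -not $_.Supersedes }) {
    Write-Warning 'A System.Web assembly is older than the MS10-070 build; the finding may be valid.'
} else {
    'All System.Web assemblies are at or above 4.0.30319.206; the CVE-2010-3332 finding is a false positive.'
}
```

    The table it prints (paths, installed versus required version, Supersedes flag) is the evidence to attach when disputing the finding with the scanning vendor.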
  • We disputed findings successfully and meet compliance criteria.  Thank you for your thoughtful and informative response which was correct.

    SBPrev

    • Marked as answer by SBPrev Tuesday, November 18, 2014 8:55 PM
    Tuesday, November 18, 2014 8:55 PM

All replies

  • AFAICS this post should be moved to the .NET Framework Setup and Servicing forum.

    Rolf Lidvall, Swedish Radio (Ltd)

    Thursday, November 13, 2014 1:53 PM
  • SHOULD WE INSTALL OLD VERSION AND OVER-WRITE CURRENT .NET 4.0?  PLEASE EXPLAIN EFFECT OF THE PATCH.

    You have a newer version of the files already installed, and you're comparing this against a four year old patch. Consider how many times .NET4 has been patched since September, 2010?

    Don't overthink the patch! Almost certainly that patch is not shown as needed by this system, so why force something that lacks in practicality?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, November 14, 2014 12:18 AM
  • Practical purpose of request is due to failure by Trustwave scan of server for payment card industry (PCI) compliance.  Scan detects threat vulnerability CVE-2010-3332 and fix is to install KB2416472 patch needed to pass and maintain compliance.  Do you have insight into installing 2010 patch as previously asked? 

    SBPrev

    Friday, November 14, 2014 3:09 PM