[openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
Karl Fox
2018-03-01 18:50:22 UTC
Thank you for your response.

Yes, I understand that this issue is triggered because Firefox sloppily
leaves behind a registry entry when it uninstalls or upgrades, but Nessus,
for example, doesn't get tripped up by that, and there are thousands of
machines out there that will have these extraneous entries until the end of
time. Would it be possible to modify gb_firefox_detect_win.nasl to not make
this incorrect assumption? Perhaps check the uninstall hive to see if the
software is still actually installed?

Thanks,

Karl

---------- Forwarded message ---------
From: <***@wald.intevation.org>
Date: Thu, Mar 1, 2018 at 1:32 PM
Subject: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla
Firefox version
To: <***@wald.intevation.org>


Bugs item #6942, was changed at 2018-01-25 20:17 by Christian Fischer
You can respond by visiting:
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
Status: Closed
Priority: 3
Submitted By: Lithik Systems (lithik)
Assigned to: Nobody (None)
Summary: gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
Architecture: 64 bits
Product: OpenVAS
Operating System: Linux
Component: openvas-plugins
Version: None
Severity: normal
Resolution: Won't Fix
Hardware: PC
URL:


Initial Comment:
We have seen many 64-bit machines where OpenVAS throws up to dozens of
Mozilla Firefox (not ESR) vulnerabilities even though Firefox is in fact up
to date. We have tracked this down to what appears to be an incompletely
uninstalled 32-bit version of Firefox where the current 64-bit Firefox is
installed and running.

The following registry values remain:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion (REG_SZ)

OpenVAS reports the value of CurrentVersion as being too old. No other
fields exist under the Wow6432Node\mozilla.org folder.

The following filesystem items remain:

C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\Mozilla Firefox\browser
C:\Program Files (x86)\Mozilla Firefox\browser\defaults
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js

No other files or folders exist under C:\Program Files (x86)\Mozilla Firefox

The folder C:\Program Files\Mozilla Firefox exists and contains a complete
and current Firefox installation.

The registry value
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion
exists and contains the version number of the current Firefox installation.

If I remove the old registry entry, OpenVAS does not report false
positives. But I continue to run into hundreds of machines with this
problem. Perhaps gb_firefox_detect_win.nasl can be made to avoid this false
positive.

In the specific case I am using for this report, the uninstalled version is
44.0.2 and the currently installed version is 56.0.2.

----------------------------------------------------------------------
Comment By: Christian Fischer (cfi)
Date: 2018-03-01 18:32

Message:
Hi,

thanks for your report. Please note that this bugtracker is abandoned and
issues related to NVTs are better placed at
https://lists.wald.intevation.org/pipermail/openvas-plugins/

Firefox itself is known to leave traces like this behind causing some
possible false detections. See e.g.
https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011748.html
for some background.

For now I'm closing this as the false detection will go away once the
Firefox upgrade routines are correctly doing their job or the target's
registry is cleaned up from such traces.

Suggestions to improve the situation or even patches are still welcome at
the mentioned openvas-plugins mailing list.

----------------------------------------------------------------------
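
The cross-check suggested at the top of the thread, as an added example (not code from gb_firefox_detect_win.nasl or the OpenVAS project): a CurrentVersion value is trusted only when the Uninstall hive of the same registry view holds a matching Firefox entry. The registry snapshot, the Uninstall subkey name and the function names are constructed for illustration.

```python
# Constructed snapshot modelled on the host in the report; not real scan output.
NATIVE = r"HKLM\SOFTWARE"
WOW = r"HKLM\SOFTWARE\Wow6432Node"
UNINSTALL = r"\Microsoft\Windows\CurrentVersion\Uninstall"

REGISTRY = {
    # Leftover 32-bit value that triggers the false positive
    WOW + r"\mozilla.org\Mozilla": {"CurrentVersion": "44.0.2"},
    # Value written by the live 64-bit installation
    NATIVE + r"\mozilla.org\Mozilla": {"CurrentVersion": "56.0.2"},
    # Assumed Uninstall entry for the live installation (subkey name constructed)
    NATIVE + UNINSTALL + r"\Mozilla Firefox 56.0.2 (x64 en-US)": {
        "DisplayName": "Mozilla Firefox 56.0.2 (x64 en-US)",
        "DisplayVersion": "56.0.2",
    },
}


def uninstall_versions(registry, view):
    """DisplayVersion of every Firefox entry in one view's Uninstall hive."""
    prefix = (view + UNINSTALL + "\\").lower()
    return {
        values.get("DisplayVersion")
        for key, values in registry.items()
        if key.lower().startswith(prefix)
        and values.get("DisplayName", "").startswith("Mozilla Firefox")
    }


def detect_firefox(registry):
    """Split CurrentVersion values into (confirmed, stale) lists of (view, version)."""
    confirmed, stale = [], []
    for view in (NATIVE, WOW):
        current = registry.get(view + r"\mozilla.org\Mozilla", {}).get("CurrentVersion")
        if not current:
            continue
        # Assumption: keep only the leading version token if a suffix follows it.
        version = current.split()[0]
        bucket = confirmed if version in uninstall_versions(registry, view) else stale
        bucket.append((view, version))
    return confirmed, stale


if __name__ == "__main__":
    print(detect_firefox(REGISTRY))
```

On the constructed snapshot only 56.0.2 is confirmed; the 44.0.2 value lands in the stale list, which a scanner could log instead of feeding it to version-based vulnerability checks.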
