[oval] OVAL IE queries - MS02-068 update

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[oval] OVAL IE queries - MS02-068 update

Matthew N. Wojcik
The following OVAL queries will be updated to reflect the cumulative patch from Microsoft Security Bulletin MS02-068 for Internet Explorer:
OVAL12
OVAL17
OVAL19
OVAL32
OVAL40
OVAL96
OVAL98
OVAL99
OVAL128
OVAL171

These queries will remain in Interim status.

The queries will include the following:

Cumulative Patch for Internet Explorer (324929)
(uses new INSERT IDs INSERT172 for Windows NT 4.0 and INSERT132 for 2000 )

For Windows 2000:

AND NOT EXISTS
-- Patch Q324929.exe (cumulative patch from MS02-068) installed
 (SELECT 'Patch Q324929 Installed' FROM WinNT_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}' AND
      EntryName = 'IsInstalled' AND
      EntryValue = '1')

For Windows NT 4.0:

AND NOT EXISTS
-- Patch Q324929.exe (cumulative patch from MS02-068) installed
 (SELECT 'Patch Q324929 Installed' FROM WinNT_RegistryKeys WHERE
RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}' AND
      EntryName = 'IsInstalled' AND
      EntryValue = '1')
 

Example of updated query:
OVAL-ID:  OVAL19

CVE-ID: CAN-2002-0189
CVE Description: "Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute
scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site
Scripting in Local HTML Resource" vulnerability."

Status: INTERIM
Date Modified: 2002-12-18
Platform: Windows 2000

Query Synopsis:
-- Vulnerable software exists
   o Internet Explorer 6.0
   o Affected mshtml.dll versions
   o Patch Q321232.exe not installed
   o Patch Q323759.exe not installed
   o Patch Q328970.exe not installed
   o Patch Q324929.exe not installed

SELECT 'CAN-2002-0189' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Internet Explorer 6.0
 (SELECT 'Internet Explorer 6.0 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer' AND
      EntryName = 'Version' AND
      EntryValue = '6.0.2600.0000')
AND EXISTS
-- Affected mshtml.dll versions
     -- Build the FilePath for mshtml.dll by retrieving the value of
     --   SystemRoot from the registry, and concatenating it with
     --   '\System32\mshtml.dll' (using || concat. operator):
 (SELECT 'File %windir%\System32\mshtml.dll version < 6.0.2716.2200' FROM Win2K_FileAttributes WHERE
      FilePath = (SELECT EntryValue || '\System32\mshtml.dll' FROM Win2K_RegistryKeys WHERE
        RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
         EntryName = 'SystemRoot') AND
     -- To avoid lexical (string) comparisons of file versions, the
     --   version string (e.g. '6.0.2716.2200') is broken into its
     --   components, stored as numbers.
         (Version1 < 6 OR
         (Version1 = 6 AND Version2 = 0 AND
         (Version3 < 2716 OR
         (Version3 = 2716 AND Version4 < 2200)))))
AND NOT EXISTS
-- Patch Q321232.exe installed
 (SELECT 'Patch Q321232 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{D7B44F3E-77D3-44C5-8E03-4222D9A18B7B}' AND
      EntryName = 'IsInstalled' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q323759.exe (cumulative patch from MS02-047) installed
 (SELECT 'Patch Q323759 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{61E6EAE5-7821-4AC1-9BBD-AED032A8E273}' AND
      EntryName = 'IsInstalled' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q328970.exe (cumulative patch from MS02-066) installed
 (SELECT 'Patch Q328970 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}' AND
      EntryName = 'IsInstalled' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q324929.exe (cumulative patch from MS02-068) installed
 (SELECT 'Patch Q324929 Installed' FROM WinNT_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}' AND
      EntryName = 'IsInstalled' AND
      EntryValue = '1')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;
 
 

Loading...