Discussion:
[Openvas-plugins] Openvas-plugins Digest, Vol 111, Issue 1
Karl Fox
2018-03-01 20:35:09 UTC
Hi Jeremy,

As I said in my initial report, if I delete the leftover registry entries,
the problem disappears. The false positive still remains.

Also, I am not the administrator for these machines and do not necessarily
have the right to delete them. When I am operating as an auditor, this
problem makes OpenVAS an unreliable tool. We used to trim out a list of
OpenVAS plugins that generated false positives, but we have changed our
policy and are pursuing actual bug fixes so that OpenVAS improves so as to
become 100% competitive with Nessus, Rapid-7, Qualys, and other
vulnerability scanners.

Karl
1. [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong
Mozilla Firefox version (Karl Fox)
2. Re: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets
wrong Mozilla Firefox version [PUBLIC] (CAMPBELL Jeremy)
---------- Forwarded message ----------
Date: Thu, 01 Mar 2018 18:50:22 +0000
Subject: [Openvas-plugins] [openvas-Bugs][6942] gb_firefox_detect_win.nasl
gets wrong Mozilla Firefox version
Thank you for your response.
Yes, I understand that this issue is triggered because Firefox sloppily
leaves behind a registry entry when it uninstalls or upgrades, but Nessus,
for example, doesn't get tripped up by that, and there are thousands of
machines out there that will have these extraneous entries until the end of
time. Would it be possible to modify gb_firefox_detect_win.nasl to not make
this incorrect assumption? Perhaps check the uninstall hive to see if the
software is still actually installed?
Thanks,
Karl
---------- Forwarded message ---------
Date: Thu, Mar 1, 2018 at 1:32 PM
Subject: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong
Mozilla Firefox version
Bugs item #6942, was changed at 2018-01-25 20:17 by Christian Fischer
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
Status: Closed
Priority: 3
Submitted By: Lithik Systems (lithik)
Assigned to: Nobody (None)
Summary: gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
Architecture: 64 bits
Product: OpenVAS
Operating System: Linux
Component: openvas-plugins
Version: None
Severity: normal
Resolution: Won't Fix
Hardware: PC
We have seen many 64-bit machines where OpenVAS throws up to dozens of
Mozilla Firefox (not ESR) vulnerabilities even though Firefox is in fact up
to date. We have tracked this down to what appears to be an incompletely
uninstalled 32-bit version of Firefox where the current 64-bit Firefox is
installed and running.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion (REG_SZ)
OpenVAS reports the value of CurrentVersion as being too old. No other
fields exist under the Wow6432Node\mozilla.org folder.
C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\Mozilla Firefox\browser
C:\Program Files (x86)\Mozilla Firefox\browser\defaults
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js
No other files or folders exist under C:\Program Files (x86)\Mozilla Firefox.
The folder C:\Program Files\Mozilla Firefox exists and contains a complete
and current Firefox installation.
The registry value HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion
exists and contains the version number of the current Firefox installation.
If I remove the old registry entry, OpenVAS does not report false
positives. But I continue to run into hundreds of machines with this
problem. Perhaps gb_firefox_detect_win.nasl can be made to avoid this false
positive.
In the specific case I am using for this report, the uninstalled version
is 44.0.2 and the currently installed version is 56.0.2.
----------------------------------------------------------------------
Comment By: Christian Fischer (cfi)
Date: 2018-03-01 18:32
Hi,
thanks for your report. Please note that this bugtracker is abandoned and
issues related to NVTs are better placed at
https://lists.wald.intevation.org/pipermail/openvas-plugins/
Firefox itself is known to leave traces like this behind causing some
possible false detections. See e.g.
https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011748.html
for some background.
For now I'm closing this as the false detection will go away once the
Firefox upgrade routines are correctly doing their job or the target's
registry is cleaned up from such traces.
Suggestions to improve the situation or even patches are still welcome at
the mentioned openvas-plugins mailing list.
----------------------------------------------------------------------
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
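
The cross-check Karl suggests above (corroborate CurrentVersion against the uninstall hive before trusting it), sketched as an added example; this is not code from gb_firefox_detect_win.nasl or the OpenVAS project. It runs over a constructed snapshot of the host in the report; the Uninstall subkey name, the firefox.exe file name and the helper names are assumptions.

```python
# Constructed snapshot of the host described in the report (not real scan output).
# Registry: key path -> {value name: data}. The Uninstall subkey name is an assumption.
UNINSTALL = r"Microsoft\Windows\CurrentVersion\Uninstall"
REGISTRY = {
    r"HKLM\SOFTWARE\mozilla.org\Mozilla": {"CurrentVersion": "56.0.2"},
    r"HKLM\SOFTWARE\Wow6432Node\mozilla.org\Mozilla": {"CurrentVersion": "44.0.2"},
    r"HKLM\SOFTWARE" + "\\" + UNINSTALL + r"\Mozilla Firefox 56.0.2 (x64 en-US)": {
        "DisplayName": "Mozilla Firefox 56.0.2 (x64 en-US)",
        "DisplayVersion": "56.0.2",
    },
}
FILES = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",  # assumed binary name
    r"C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js",
}
# (registry root, install dir) for the native 64-bit view and the 32-bit Wow6432Node view
VIEWS = {
    "64-bit": (r"HKLM\SOFTWARE", r"C:\Program Files\Mozilla Firefox"),
    "32-bit": (r"HKLM\SOFTWARE\Wow6432Node", r"C:\Program Files (x86)\Mozilla Firefox"),
}

def uninstall_versions(registry, root):
    """DisplayVersion of every Firefox entry in this view's Uninstall key."""
    prefix = (root + "\\" + UNINSTALL + "\\").lower()
    return {v.get("DisplayVersion") for k, v in registry.items()
            if k.lower().startswith(prefix)
            and v.get("DisplayName", "").startswith("Mozilla Firefox")}

def classify(registry, files):
    """Per view: (CurrentVersion, 'installed' | 'orphaned'), or (None, 'absent')."""
    present = {f.lower() for f in files}
    results = {}
    for view, (root, install_dir) in VIEWS.items():
        key = registry.get(root + r"\mozilla.org\Mozilla", {})
        version = key.get("CurrentVersion")
        if version is None:
            results[view] = (None, "absent")
            continue
        # Trust the version only if something else confirms the install still exists.
        has_uninstall = version in uninstall_versions(registry, root)
        has_binary = (install_dir + r"\firefox.exe").lower() in present
        status = "installed" if (has_uninstall or has_binary) else "orphaned"
        results[view] = (version, status)
    return results
```

On the snapshot above, only the 64-bit 56.0.2 entry is reported as installed; the leftover 44.0.2 value under Wow6432Node is classified as orphaned and would not be fed to version checks.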
---------- Forwarded message ----------
Date: Thu, 1 Mar 2018 20:17:22 +0000
Subject: Re: [Openvas-plugins] [openvas-Bugs][6942]
gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version [PUBLIC]
Karl,
You can create a group policy object in your Windows environment to delete
those keys. That makes the problem go away.
Regards,
Jeremy
This message was classified *PUBLIC* by CAMPBELL Jeremy on Thursday,
March 1, 2018 at 3:17:16 PM.
_______________________________________________
Openvas-plugins mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins