I queued up an OVAL scan on my PC and found a bunch of vulnerabilities. I was kind of shocked by the ones that it found because a lot of them relate back to Microsoft patches that should have been applied.

I've been searching through the vulnerabilities and if I check the items they have a portion of what KACE is checking to determine if the PC in question has the vulnerability. Example below:

DataGrid Control Memory Corruption Vulnerability

oval:org.mitre.oval:def:5894 ( ACCEPTED )
The DataGrid ActiveX control in Microsoft Visual Basic 6.0 and Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "DataGrid Control Memory Corruption Vulnerability."

  • Microsoft Visual Basic 6.0 is installed
  • AND Mscomct2.ocx version is less than

The item above under definition states that "Mscomct2.ocx version is less than". I don't have VB installed and Mscomct2.ocx does not exist on my PC. If both of these cases are not relevant, why should KACE report the vulnerability?

How does KACE determine if a vulnerability exists?

VB is often part of other programs and most likely exists in some way (e.g. installing MS Office, Autodesk products, etc. almost always adds this functionality). That might be the case here; it's present even if it isn't explicitly being installed by you. VBScript support is also part of most operating systems as well, so some portions of the VB environment are always present.

My general recommendation is to take the OVAL results with a grain of salt, so to speak, meaning that if you find things on the list that don't really concern you or don't cause issues they can possibly be ignored -- or remediated with a patch, managed install of newer software, or a script. I try to read the report on some regular basis and determine what's important or potentially harmful to the organization. You will almost always see known exceptions and other items; the exercise here is mostly to determine what makes sense for your company to address. The definitions are defined by MITRE (http://oval.mitre.org), so they'd have to explain the behavior in more detail, I think.
Answered 12/06/2010 by: cblake
Red Belt

How does KACE determine if a vulnerability exists?
We're running the OVAL scan engine, which is using these criteria here:
Answered 12/06/2010 by: GillySpy
Seventh Degree Black Belt

I understand the criteria of how OVAL is evaluating; it appears to be using boolean logic. I'm asking how KACE is interpreting these results.

From the OVAL description it should be evaluating the following items:
Microsoft Visual Basic 6.0 is installed
AND Mscomct2.ocx version is less than

My evaluation of the criteria by checking the PC:
Microsoft Visual Basic 6.0 is installed = Not sure what it is looking for, guessing similar to earlier posting that components are there = True
AND Mscomct2.ocx version is less than = FALSE
Combined statement = FALSE

So if I evaluate those items from a boolean perspective, I get a False answer, and with that the vulnerability should not be applicable.

I am asking how KACE is evaluating these statements, because it is returning a True.
Answered 12/08/2010 by: ktm_2000
Senior Yellow Belt

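As an added illustration (not code from the thread, from KACE or from the OVAL project), here is how an OVAL-style engine combines the two tests ktm_2000 walked through above: an AND over "marker DLL present" and "Mscomct2.ocx version below the fix", where a test whose file is absent has no matching item and evaluates to false. The marker DLL name and the version threshold are placeholders, since the thread gives neither.

```python
# Added example, not from the thread: a minimal evaluator for an
# OVAL-style criteria tree, applied to constructed host inventories.
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]
Inventory = Dict[str, Version]          # file name -> version found on the host

# Placeholders: the thread does not name the DLL that def:1746 checks for,
# nor the Mscomct2.ocx version threshold, so both values are constructed.
VB6_MARKER_DLL = "VB6_MARKER_PLACEHOLDER.dll"
MSCOMCT2 = "Mscomct2.ocx"
MSCOMCT2_FIXED = (6, 1, 97, 82)

def file_exists(inv: Inventory, name: str) -> bool:
    return name in inv

def version_less_than(inv: Inventory, name: str, threshold: Version) -> bool:
    # OVAL semantics: a test whose object does not exist on the host has no
    # matching item and evaluates to false; it is not skipped as "unknown".
    found: Optional[Version] = inv.get(name)
    return found is not None and found < threshold

Node = Tuple[str, object]   # ("AND"|"OR", [children]) or ("TEST", callable)
def evaluate(node: Node, inv: Inventory) -> bool:
    """Recursively evaluate a criteria tree the way an OVAL engine does."""
    kind, payload = node
    if kind == "TEST":
        return payload(inv)
    results = [evaluate(child, inv) for child in payload]
    return all(results) if kind == "AND" else any(results)

# The criteria quoted in the thread for oval:org.mitre.oval:def:5894
DEF_5894: Node = ("AND", [
    ("TEST", lambda inv: file_exists(inv, VB6_MARKER_DLL)),
    ("TEST", lambda inv: version_less_than(inv, MSCOMCT2, MSCOMCT2_FIXED)),
])

def is_vulnerable(inv: Inventory) -> bool:
    return evaluate(DEF_5894, inv)

# Constructed hosts covering each combination discussed in the thread
HOST_OLD_OCX = {VB6_MARKER_DLL: (6, 0, 0, 0), MSCOMCT2: (6, 0, 88, 4)}
HOST_PATCHED = {VB6_MARKER_DLL: (6, 0, 0, 0), MSCOMCT2: (6, 1, 98, 0)}
HOST_NO_OCX = {VB6_MARKER_DLL: (6, 0, 0, 0)}     # ktm_2000's situation
HOST_NO_VB = {MSCOMCT2: (6, 0, 88, 4)}

if __name__ == "__main__":
    for label, host in [("old ocx", HOST_OLD_OCX), ("patched", HOST_PATCHED),
                        ("no ocx", HOST_NO_OCX), ("no vb6", HOST_NO_VB)]:
        print(f"{label:8s} -> vulnerable={is_vulnerable(host)}")
```

Only the host with the marker DLL and an old Mscomct2.ocx comes out true; if the console still flags a host where the OCX is absent, compare the engine's XML output with what the GUI shows before concluding the definition itself is wrong.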
The scan engine outputs an XML file. Are you saying:
  1. that the results in the XML file are what you expect but the results in the GUI are not? If so, then please open a support ticket.
  2. Or are you saying that you believe those to be false and want to know the details?
If it's the latter, then please use the link above to find out what exactly is being evaluated. Using the link above I got here: http://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/1746/Microsoft-Visual-Basic-6.0-is-installed.html and can see the DLL it was checking for.

BTW, the XML can be viewed by running this manually:

ovaldi.exe -m -o windows.definitions.xml

A few XML files are spit out.
Answered 12/08/2010 by: GillySpy
Seventh Degree Black Belt
