Forum Discussion
Microsoft Issues Out-of-Band Informational Advisory for Zero-
We ran a scan on our systems in September when this happened, and this vulnerability showed (CVE-2021-40444). Coincidentally, at the same time we had submitted the vulnerability scan to a client as proof of us scanning our assets. They recently asked if we've remedied this. Upon digging in, I see the plugin has been deprecated and we no longer see the Internet Explorer OOB vulnerability in the scan results (since the beginning of October). I am unsure how to respond to the client on how it was remedied. Because the plugin was deprecated, does that mean there's no longer a threat? I found the link https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 and looked at the "Security Updates" table. The servers that were reported to have this vulnerability already have the patches installed as of Sept 16th 2021: KB5005573 (Win 2016) and KB5005568 (Win 2019). Does this mean Nessus was just late in the game in finding out the severity (if any) of a vulnerability and/or whether or not, if you had such-and-such a patch installed, you're OK?
Hi @Dan B,
Thanks for reaching out to us about this. Regarding the deprecated plugin, it was originally released out-of-band after the initial advisory and was designed to check for the presence of the suggested workaround until patches became available. Once the patches became available and our plugins were released, we deprecated the plugin to prevent false positives on systems that already contained the patches but not the workaround. Therefore, as long as the KBs you identified have been installed, those systems are not considered to be vulnerable to CVE-2021-40444. I hope this clarifies the confusion. Please let me know if you have any other questions.
Thanks,
Satnam
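The answer above turns on one fact: the September 2021 cumulative updates are installed, so the workaround check no longer applies. The following PowerShell is an added example (not code from the thread, from Tenable or from Microsoft) that produces the evidence a client would typically ask for: it looks up the KB named in the post for the host's OS and records whether it is present. The KB IDs are the ones from the discussion; the function name, parameter names and the OS-caption matching are my assumptions. Note the caveat in the comments: a later cumulative update supersedes these KBs, so a missing KB ID on its own is not proof that the host is exposed.

```powershell
# Added example: confirm that the CVE-2021-40444 cumulative updates named in the
# thread (KB5005573 for Server 2016, KB5005568 for Server 2019) are installed.
# Runs locally; wrap it in Invoke-Command to collect the same object from remote hosts.

# KB per OS, taken from the post. Any other OS is reported as "not in table" so the
# reader checks the MSRC "Security Updates" table instead of assuming it is patched.
$RequiredKb = @{
    'Windows Server 2016' = 'KB5005573'
    'Windows Server 2019' = 'KB5005568'
}

function Test-Cve202140444Patch {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    # UBR (Update Build Revision) identifies the installed cumulative update level,
    # e.g. 10.0.17763.<UBR>; useful when a newer CU has replaced the KB listed above.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $build = '{0}.{1}' -f $os.Version, $ubr

    $osKey = $RequiredKb.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
    if (-not $osKey) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            OS           = $os.Caption
            Build        = $build
            RequiredKb   = $null
            KbInstalled  = $null
            Status       = 'OS not in table; consult the MSRC Security Updates table for CVE-2021-40444'
        }
    }

    $kb = $RequiredKb[$osKey]
    # Get-HotFix writes a non-terminating error when the KB is absent; suppress it and
    # treat $null as "not listed".
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

    if ($hotfix) {
        $status = "Patched: $kb installed on $($hotfix.InstalledOn)"
    } else {
        # Caveat: cumulative updates supersede one another, so a host that received a
        # later CU will not list this KB. Compare Build against the build number in the
        # KB article before concluding the host is unpatched.
        $status = "$kb not listed; verify Build against the KB article (a newer CU may supersede it)"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        Build        = $build
        RequiredKb   = $kb
        KbInstalled  = [bool]$hotfix
        Status       = $status
    }
}

# Usage: emit one evidence row per host, suitable for attaching to the client response.
Test-Cve202140444Patch | Format-List
```

The output object is intentionally flat so it can be piped to Export-Csv and kept with the scan report as the remediation evidence the client asked for; the Build field is what to compare when the KB ID has been superseded.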