Scanning of cumulative vulns/patches

[i0null at googlemail.com (Shane Kelly)]

I would suggest reporting both but under the same finding  - Calling
the finding something like  "Windows missing multiple Patches"
I would detail both issues but caveat the re-mediation section with
something like:

"Whilst the above host appears vulnerable to two seperate  
vulnerablities. It is understood that patch x will fix both of these  
issues"

Sent from my iPhone

On 17 Feb 2010, at 19:17, "Albert R. Campa" <abcampa at gmail.com> wrote:

> What do you guys think of scanning and reporting of cumulative  
> vulnerabilities?
>
> For example. If you have vulnerability A that supercedes vulnerability
> B. Nessus will report both A and B as vulnerable, but for patching
> only Vulnerability A needs to be patched. So why report vulnerability
> B? Should the scanner ingore superceded vulnerabilities? Is the only
> plus to reporting both A and B is to have a history of old
> vulnerabilities not patched?
>
> What about metrics? A and B might be vulnerable but only patch A needs
> to be installed.
>
>
> If an admin gets a vuln report with both A and B, can they easily
> figure out oh, this is cumulative, so I only need to install A, or are
> they going to try to install both.
>
>
> want to get more opinions on this.
>
>
>
> __________________________________
> Albert R. Campa
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com