Conflicting Reporting of Patches and Vulnerabilities

I have a number of Windows 2003 R2 servers which are patched using WSUS. I am evaluating network security scanners and am currently testing a device from nCircle. The problem I am having is that the reports of the scanner are at odds with the reports of WSUS and the Windows update site. I'm not sure how to interpret what I am seeing and hoped someone here might have some insight into what is going on.
 
A good example of what I am talking about is a reported vulnerability involving the lack of the KB953155 patch. It is also listed as MS08-062 and deals with an Internet Printing integer overflow vulnerability. I saw the vulnerability reported and talked to the person responsible for running WSUS. He checked, and WSUS had the patch in inventory, and when he checked the report on the server in question it said its patch levels were up to date and that the KB was "not applicable". Since we had encountered a problem and had to completely rebuild our WSUS, and looking at the age of the patch, we took this as having been installed by the old WSUS. I was a bit confused, so I thought I may as well go to the source and browsed to windowsupdate.microsoft.com from the server in question. This patch was not listed in the needed items.
 
At that point I returned to the report that I got from the nCircle product and drilled down into the vulnerability it listed. It explained that the test for this is the lack of a registry key (HKLM\Software\Microsoft\Updates\Windows Server 2003\sp3\KB953155). I went into regedit and manually checked for the existence of this key, and it was indeed missing. I then went to the Microsoft site and manually downloaded and applied the MS08-062 patch to the server. I then went back to regedit and checked, and this time the necessary key was present. I ran the scan again and the vulnerability was no longer listed.
 
At this point I'm lost. I'm curious about how WSUS and the Microsoft site check for the existence of a patch on a server. I'm also wondering how the patch could have been installed by either without the associated registry update.
 
Any guidance greatly appreciated.
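The three "is this hotfix installed?" checks the post runs into (the scanner's registry-key test, the WSUS/Windows Update view, and a manual look) can be put side by side on the server itself. The following is an added example written for this thread, not code from the original poster or from nCircle, WSUS or Microsoft. It assumes PowerShell 2.0 is present on the Windows Server 2003 host and that it runs as a local administrator; the registry path is taken from the post and the KB number is a parameter. The Windows Update Agent COM object (Microsoft.Update.Session) is what both the WSUS client and the windowsupdate.microsoft.com site drive, so its answer is the one those two reports reflect.

```powershell
# Added example, not from the original post: reconcile three views of whether one
# hotfix is present on a Windows Server 2003 host. Assumes PowerShell 2.0 on the
# server and an elevated (local administrator) session.
param(
    [string]$Kb = "KB953155",
    # The key the scanner in the post tests for. Path taken from the post; the
    # service-pack component (SP3 here) is an assumption and may differ on your build.
    [string]$RegPath = "HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\$Kb"
)

$kbNumber = $Kb -replace '^KB', ''
$view = @{}

# View 1: the scanner's check. The per-hotfix key is written by the hotfix
# installer, and the scanner's signature keys on its presence.
$view.RegistryKey = Test-Path -LiteralPath $RegPath

# View 2: WMI. Win32_QuickFixEngineering is what systeminfo and most inventory
# agents read; it is built from the same installed-updates registry data, so it
# normally agrees with view 1.
$view.Wmi = [bool](Get-WmiObject -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
                   Where-Object { $_.HotFixID -eq $Kb })

# View 3: the Windows Update Agent (WUA), the engine behind both the WSUS client
# and the Windows Update site. It evaluates the applicability rules carried in the
# update's own metadata rather than the key above, which is how it can disagree.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# ServerSelection 2 = ssWindowsUpdate: query Microsoft directly, as the poster did
# in the browser, instead of the WSUS server the machine normally reports to.
$searcher.ServerSelection = 2

function Test-KbInSearch([string]$criteria) {
    $found = $false
    foreach ($u in $searcher.Search($criteria).Updates) {
        foreach ($id in $u.KBArticleIDs) {
            if ($id -eq $kbNumber) { $found = $true }
        }
    }
    return $found
}
$view.WuaNeeded    = Test-KbInSearch "IsInstalled=0 and Type='Software'"
$view.WuaInstalled = Test-KbInSearch "IsInstalled=1 and Type='Software'"

# View 3b: WUA's own install history, which answers "did the old WSUS push it?"
# even after the WSUS server itself has been rebuilt.
$count   = $searcher.GetTotalHistoryCount()
$history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
$view.WuaHistory = @($history |
    Where-Object { $_.Title -match "\($Kb\)" } |
    ForEach-Object { "{0} result={1}" -f $_.Date, $_.ResultCode })  # ResultCode 2 = succeeded

New-Object PSObject -Property $view | Format-List

# The exact disagreement from the post: scanner says missing, WUA says nothing needed.
if (-not $view.RegistryKey -and -not $view.WuaNeeded) {
    Write-Warning ("{0}: scanner key absent, but WUA does not offer the update. " +
                   "Check the binaries listed in the bulletin's file manifest before " +
                   "trusting either report.") -f $Kb
}
```

Two caveats when reading the output. First, an update that has been superseded by a later one is not offered by WUA either, and WSUS reports it as "not applicable" in that case too, so absence from the "needed" list is not by itself proof that this KB was installed; the history entries and the file versions named in the bulletin are the only direct evidence. Second, the ServerSelection override bypasses your WSUS approvals, so run this as a diagnostic, not as a way to install anything.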
