Re: Behavior of nonexistent objects definition 538 bug?

Lah, Mike M.

Re: Behavior of nonexistent objects definition 538 bug?


Brian,

Thank you for your comments. I have moved the thread to the OVAL Discussion List, where you should direct future content questions; the OVAL Developer List is intended for questions about the language.

I have attached a file with your proposed change. The change is in oval:org.mitre.oval:obj:17 (line 199), changing the file_object to pattern match the filename Flash9[a-z]?\.ocx

Please let me know if there are any issues with this proposed change.

Thanks!

Mike

====================================================

Mike Lah

G022 - Information Assurance Industry Collaboration

The MITRE Corporation

[hidden email]

From: Stull, Brian [mailto:[hidden email]]
Sent: Thursday, November 05, 2009 12:47 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Behavior of non existent objects definition 538 bug?

Edit: [a-z]? instead of [a-z]

From: Stull, Brian
Sent: Thursday, November 05, 2009 12:44 PM
To: 'OVAL Developer List (Closed Public Discussion)'
Subject: Behavior of non existent objects definition 538 bug?

I’ve noticed something with oval definition 538.

What is the behavior of a test and the definition the test is running in if a certain object doesn’t exist, and the object must exist in order for the check to happen? Maybe this is a bug with this particular definition or I am missing something.

On my system definition (XP) 538 evaluates to say vulnerable, which I do not believe is the case. Flash9.ocx doesn’t exist anymore, and is replaced by Flash9c.ocx. Because Flash9.ocx doesn’t exist on my system, the test evaluates to 0, but gets negated to be 1 which then makes the definition think that my machine is vulnerable. My Flash9c.ocx version is 9.0.45.0 which is well over 9.0.16.0. Maybe this check should be modified to check for Objects Flash9[a-z].ocx instead of just Flash9.ocx.

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.6</oval:schema_version>
    <oval:timestamp>2009-11-05T16:12:11.923-05:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.mitre.oval:def:538" class="vulnerability" version="1">
      <metadata>
        <title>Excel-Flash Arbitrary Code Execution Vulnerability</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
          <product>Flash Player</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2006-3014" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3014"/>
        <description>Microsoft Excel allows user-assisted attackers to execute arbitrary javascript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-11-15T12:28:05">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-11-17T12:55:00.000-04:00">DRAFT</status_change>
            <status_change date="2007-01-03T13:53:59.493-05:00">INTERIM</status_change>
            <status_change date="2007-02-20T13:40:45.291-05:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criteria comment="WinXP,SP2 or WinXP,SP1 (64-bit)" operator="OR">
          <extend_definition comment="Windows XP, SP2 is installed" definition_ref="oval:org.mitre.oval:def:521"/>
          <extend_definition comment="Windows XP, SP1 (64-bit) is installed" definition_ref="oval:org.mitre.oval:def:480"/>
        </criteria>
        <criteria comment="Flash.ocx exists without upgrades to Flash8 or Flash9" operator="AND">
          <criterion comment="Flash.ocx exists" test_ref="oval:org.mitre.oval:tst:79"/>
          <criterion comment="Flash8.ocx  (minimum version 8.0.22.0) is not installed" test_ref="oval:org.mitre.oval:tst:83" negate="true"/>
          <criterion comment="Flash9.ocx  (minimum version 9.0.16.0) is not installed" test_ref="oval:org.mitre.oval:tst:85" negate="true"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:521" version="4" class="inventory">
      <metadata>
        <title>Microsoft Windows XP SP2 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp::sp2"/>
        <description>The operating system installed on the system is Microsoft Windows XP SP2.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-07-25T12:05:33">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-09-27T12:29:29.930-04:00">INTERIM</status_change>
            <status_change date="2006-10-16T15:58:43.496-04:00">ACCEPTED</status_change>
            <modified comment="Added CPE reference." date="2007-04-30T07:48:00.073-04:00">
              <contributor organization="The MITRE Corporation">Jonathan Baker</contributor>
            </modified>
            <status_change date="2007-04-30T08:00:54.097-04:00">INTERIM</status_change>
            <status_change date="2007-05-23T15:05:48.210-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.488-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:27:40.511-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:20.931-04:00">ACCEPTED</status_change>
            <modified comment="Removed Microsoft reference" date="2009-06-01T16:05:28.035-04:00">
              <contributor organization="The MITRE Corporation">Brendan Miles</contributor>
            </modified>
            <status_change date="2009-06-08T04:00:40.693-04:00">INTERIM</status_change>
            <status_change date="2009-06-29T04:00:25.177-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/>
        <criterion comment="Win2K/XP/2003 service pack 2 (or later) is installed" test_ref="oval:org.mitre.oval:tst:2837"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:480" version="2" class="inventory">
      <metadata>
        <title>Microsoft Windows XP SP1 (64-bit) is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp::sp1:64bit"/>
        <description>The operating system installed on the system is Microsoft Windows XP SP1 (64-bit).</description>
        <oval_repository>
          <dates>
            <submitted date="2006-07-25T12:05:33">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-09-27T12:29:28.342-04:00">INTERIM</status_change>
            <status_change date="2006-10-16T15:58:42.090-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.311-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:27:13.333-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:19.883-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/>
        <criterion comment="a version of Windows for the ia64 architecture is installed" test_ref="oval:org.mitre.oval:tst:2747"/>
        <criterion comment="Win2K/XP/2003/Vista service pack 1 is installed" test_ref="oval:org.mitre.oval:tst:2843"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:105" version="3" class="inventory">
      <metadata>
        <title>Microsoft Windows XP is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp"/>
        <description>The operating system installed on the system is Microsoft Windows XP.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-06-26T12:55:00.000-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </submitted>
            <status_change date="2006-06-26T12:55:00.000-04:00">ACCEPTED</status_change>
            <modified comment="Added CPE reference." date="2007-04-30T07:48:00.244-04:00">
              <contributor organization="The MITRE Corporation">Jonathan Baker</contributor>
            </modified>
            <status_change date="2007-04-30T08:01:55.267-04:00">INTERIM</status_change>
            <status_change date="2007-05-23T15:05:25.969-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.073-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:27:52.098-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:10.499-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="a version of Microsoft Windows XP is installed" test_ref="oval:org.mitre.oval:tst:3"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:org.mitre.oval:tst:2837" version="1" comment="Win2K/XP/2003 service pack 2 (or later) is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:2656"/>
    </registry_test>
    <family_test id="oval:org.mitre.oval:tst:99" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <object object_ref="oval:org.mitre.oval:obj:99"/>
      <state state_ref="oval:org.mitre.oval:ste:99"/>
    </family_test>
    <registry_test id="oval:org.mitre.oval:tst:3" version="1" comment="a version of Microsoft Windows XP is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:123"/>
      <state state_ref="oval:org.mitre.oval:ste:3"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:2843" version="1" comment="Win2K/XP/2003/Vista service pack 1 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:2662"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:2747" version="1" comment="a version of Windows for the ia64 architecture is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:1576"/>
      <state state_ref="oval:org.mitre.oval:ste:2568"/>
    </registry_test>
    <file_test id="oval:org.mitre.oval:tst:85" version="1" check="at least one" comment="the version of Flash9.ocx is greater than or equal 9.0.16.0" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:17"/>
      <state state_ref="oval:org.mitre.oval:ste:61"/>
    </file_test>
    <file_test id="oval:org.mitre.oval:tst:83" version="1" check="at least one" comment="the version of Flash8.ocx is greater than or equal 8.0.22.0" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:80"/>
      <state state_ref="oval:org.mitre.oval:ste:59"/>
    </file_test>
    <file_test id="oval:org.mitre.oval:tst:79" version="1" check="at least one" comment="Flash.ocx exists" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:648"/>
    </file_test>
  </tests>
  <objects>
    <family_object id="oval:org.mitre.oval:obj:99" version="1" comment="This is the default family object. Only one family object should exist." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
    <registry_object id="oval:org.mitre.oval:obj:123" version="1" comment="Registry key that hold the current windows os version" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>CurrentVersion</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:717" version="1" comment="This registry key holds the service pack installed on the host if one is present." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>CSDVersion</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:1576" version="1" comment="This registry key identifies the architecture on the system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SYSTEM\CurrentControlSet\Control\Session Manager\Environment</key>
      <name>PROCESSOR_ARCHITECTURE</name>
    </registry_object>
    <file_object id="oval:org.mitre.oval:obj:17" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:224" var_check="all"/>
      <filename operation="pattern match">Flash9[a-z]?.ocx</filename>
    </file_object>
    <file_object id="oval:org.mitre.oval:obj:80" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:224" var_check="all"/>
      <filename>Flash8.ocx</filename>
    </file_object>
    <file_object id="oval:org.mitre.oval:obj:648" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:224" var_check="all"/>
      <filename>Flash.ocx</filename>
    </file_object>
    <registry_object id="oval:org.mitre.oval:obj:219" version="1" comment="This registry key identifies the system root." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>SystemRoot</name>
    </registry_object>
  </objects>
  <states>
    <registry_state id="oval:org.mitre.oval:ste:2656" version="1" comment="Regex that matches Service Pack 2 or later" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">^Service Pack [2-9]|\d{2,}$</value>
    </registry_state>
    <family_state id="oval:org.mitre.oval:ste:99" version="1" comment="Microsoft Windows family" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <family>windows</family>
    </family_state>
    <registry_state id="oval:org.mitre.oval:ste:3" version="1" comment="The registry key has a value of 5.1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>5.1</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:2662" version="1" comment="The registry key has a value of Service Pack 1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>Service Pack 1</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:2568" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>ia64</value>
    </registry_state>
    <file_state id="oval:org.mitre.oval:ste:61" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="greater than or equal">9.0.16.0</version>
    </file_state>
    <file_state id="oval:org.mitre.oval:ste:59" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="greater than or equal">8.0.22.0</version>
    </file_state>
  </states>
  <variables>
    <local_variable id="oval:org.mitre.oval:var:224" version="1" comment="Macromedia Flash subdirectory of Windows system 32 directory" datatype="string">
      <concat>
        <object_component item_field="value" object_ref="oval:org.mitre.oval:obj:219"/>
        <literal_component>\system32\Macromed\Flash</literal_component>
      </concat>
    </local_variable>
  </variables>
</oval_definitions>
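
The false positive discussed in this thread, worked through for the Flash criteria block of definition 538 as an added example (it is not part of the original posts or of the OVAL Repository). It models test results as plain booleans, treats `pattern match` as an unanchored regex search, and ignores the OS criteria; the inventories and all function names are constructed for illustration.

```python
import re

# Constructed inventory of <SystemRoot>\system32\Macromed\Flash, modelled on
# the system described in the thread: Flash9.ocx is gone and Flash9c.ocx is
# at 9.0.45.0. The Flash.ocx version is a constructed value (tst:79 has no
# state, so it is never compared).
REPORTED_SYSTEM = {"Flash.ocx": "6.0.79.0", "Flash9c.ocx": "9.0.45.0"}
# Constructed counter-case: a Flash 9 control older than 9.0.16.0.
OUTDATED_SYSTEM = {"Flash.ocx": "6.0.79.0", "Flash9b.ocx": "9.0.15.0"}

# The three forms of the obj:17 filename entity that appear in the thread.
ORIGINAL = ("Flash9.ocx", "equals")                      # as reported
FIRST_ATTACHMENT = ("Flash9[a-z]?.ocx", "pattern match")  # dot not escaped
CORRECTED = (r"Flash9[a-z]?\.ocx", "pattern match")       # dot escaped


def version_tuple(text):
    """Compare dotted versions numerically, as datatype="version" implies."""
    return tuple(int(part) for part in text.split("."))


def collect(inventory, filename, operation="equals"):
    """Return the {name: version} items a file_object would collect."""
    if operation == "equals":
        return {n: v for n, v in inventory.items() if n == filename}
    if operation == "pattern match":
        # Assumption: the pattern is applied as an unanchored regex search.
        rx = re.compile(filename)
        return {n: v for n, v in inventory.items() if rx.search(n)}
    raise ValueError("unsupported operation: " + operation)


def file_test(inventory, filename, operation="equals", min_version=None):
    """Boolean model of a file_test with check_existence="at_least_one_exists"
    and check="at least one"."""
    items = collect(inventory, filename, operation)
    if not items:
        # Nothing collected: the existence check fails, so the test is false.
        return False
    if min_version is None:
        # No state referenced (tst:79): existence alone decides.
        return True
    wanted = version_tuple(min_version)
    return any(version_tuple(v) >= wanted for v in items.values())


def flash_criteria(inventory, obj17_filename, obj17_operation):
    """Evaluate the AND block: tst:79, NOT tst:83, NOT tst:85."""
    tst79 = file_test(inventory, "Flash.ocx")
    tst83 = file_test(inventory, "Flash8.ocx", min_version="8.0.22.0")
    tst85 = file_test(inventory, obj17_filename, obj17_operation, "9.0.16.0")
    return {
        "tst:79": tst79,
        "tst:83": tst83,
        "tst:85": tst85,
        # negate="true" on tst:83 and tst:85 turns "nothing collected"
        # into a true criterion, which is the reported false positive.
        "vulnerable": tst79 and (not tst83) and (not tst85),
    }


if __name__ == "__main__":
    variants = [("original", ORIGINAL),
                ("first attachment", FIRST_ATTACHMENT),
                ("corrected", CORRECTED)]
    for label, (filename, operation) in variants:
        result = flash_criteria(REPORTED_SYSTEM, filename, operation)
        print(f"{label:17} tst:85={result['tst:85']!s:5} "
              f"vulnerable={result['vulnerable']}")
    # Why the escape matters: an unescaped dot matches any character.
    stray = {"Flash9xocx": "9.0.45.0"}  # constructed file name
    print("unescaped collects stray name:",
          bool(collect(stray, *FIRST_ATTACHMENT)))
    print("escaped collects stray name:  ",
          bool(collect(stray, *CORRECTED)))
```
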
Lah, Mike M.

Re: Behavior of nonexistent objects definition 538 bug?


I’m sorry, I did not save the file before attaching it. This file has the complete change for oval:org.mitre.oval:obj:17 (line 199). The previous file was missing an escape character.

Thanks,

Mike

====================================================

Mike Lah

G022 - Information Assurance Industry Collaboration

The MITRE Corporation

[hidden email]

From: Lah, Mike M. [mailto:[hidden email]]
Sent: Thursday, November 05, 2009 4:34 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Behavior of nonexistent objects definition 538 bug?

Brian,

Thank you for your comments. I have moved the thread to the OVAL Discussion List, where you should direct future content questions; the OVAL Developer List is intended for questions about the language.

I have attached a file with your proposed change. The change is in oval:org.mitre.oval:obj:17 (line 199), changing the file_object to pattern match the filename Flash9[a-z]?\.ocx

Please let me know if there are any issues with this proposed change.

Thanks!

Mike

====================================================

Mike Lah

G022 - Information Assurance Industry Collaboration

The MITRE Corporation

[hidden email]

From: Stull, Brian [mailto:[hidden email]]
Sent: Thursday, November 05, 2009 12:47 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Behavior of non existent objects definition 538 bug?

Edit: [a-z]? instead of [a-z]

From: Stull, Brian
Sent: Thursday, November 05, 2009 12:44 PM
To: 'OVAL Developer List (Closed Public Discussion)'
Subject: Behavior of non existent objects definition 538 bug?

I’ve noticed something with oval definition 538.

What is the behavior of a test and the definition the test is running in if a certain object doesn’t exist, and the object must exist in order for the check to happen? Maybe this is a bug with this particular definition or I am missing something.

On my system definition (XP) 538 evaluates to say vulnerable, which I do not believe is the case. Flash9.ocx doesn’t exist anymore, and is replaced by Flash9c.ocx. Because Flash9.ocx doesn’t exist on my system, the test evaluates to 0, but gets negated to be 1 which then makes the definition think that my machine is vulnerable. My Flash9c.ocx version is 9.0.45.0 which is well over 9.0.16.0. Maybe this check should be modified to check for Objects Flash9[a-z].ocx instead of just Flash9.ocx.

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.6</oval:schema_version>
    <oval:timestamp>2009-11-05T16:12:11.923-05:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.mitre.oval:def:538" class="vulnerability" version="1">
      <metadata>
        <title>Excel-Flash Arbitrary Code Execution Vulnerability</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
          <product>Flash Player</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2006-3014" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3014"/>
        <description>Microsoft Excel allows user-assisted attackers to execute arbitrary javascript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-11-15T12:28:05">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-11-17T12:55:00.000-04:00">DRAFT</status_change>
            <status_change date="2007-01-03T13:53:59.493-05:00">INTERIM</status_change>
            <status_change date="2007-02-20T13:40:45.291-05:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criteria comment="WinXP,SP2 or WinXP,SP1 (64-bit)" operator="OR">
          <extend_definition comment="Windows XP, SP2 is installed" definition_ref="oval:org.mitre.oval:def:521"/>
          <extend_definition comment="Windows XP, SP1 (64-bit) is installed" definition_ref="oval:org.mitre.oval:def:480"/>
        </criteria>
        <criteria comment="Flash.ocx exists without upgrades to Flash8 or Flash9" operator="AND">
          <criterion comment="Flash.ocx exists" test_ref="oval:org.mitre.oval:tst:79"/>
          <criterion comment="Flash8.ocx  (minimum version 8.0.22.0) is not installed" test_ref="oval:org.mitre.oval:tst:83" negate="true"/>
          <criterion comment="Flash9.ocx  (minimum version 9.0.16.0) is not installed" test_ref="oval:org.mitre.oval:tst:85" negate="true"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:521" version="4" class="inventory">
      <metadata>
        <title>Microsoft Windows XP SP2 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp::sp2"/>
        <description>The operating system installed on the system is Microsoft Windows XP SP2.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-07-25T12:05:33">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-09-27T12:29:29.930-04:00">INTERIM</status_change>
            <status_change date="2006-10-16T15:58:43.496-04:00">ACCEPTED</status_change>
            <modified comment="Added CPE reference." date="2007-04-30T07:48:00.073-04:00">
              <contributor organization="The MITRE Corporation">Jonathan Baker</contributor>
            </modified>
            <status_change date="2007-04-30T08:00:54.097-04:00">INTERIM</status_change>
            <status_change date="2007-05-23T15:05:48.210-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.488-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:27:40.511-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:20.931-04:00">ACCEPTED</status_change>
            <modified comment="Removed Microsoft reference" date="2009-06-01T16:05:28.035-04:00">
              <contributor organization="The MITRE Corporation">Brendan Miles</contributor>
            </modified>
            <status_change date="2009-06-08T04:00:40.693-04:00">INTERIM</status_change>
            <status_change date="2009-06-29T04:00:25.177-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/>
        <criterion comment="Win2K/XP/2003 service pack 2 (or later) is installed" test_ref="oval:org.mitre.oval:tst:2837"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:480" version="2" class="inventory">
      <metadata>
        <title>Microsoft Windows XP SP1 (64-bit) is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp::sp1:64bit"/>
        <description>The operating system installed on the system is Microsoft Windows XP SP1 (64-bit).</description>
        <oval_repository>
          <dates>
            <submitted date="2006-07-25T12:05:33">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-09-27T12:29:28.342-04:00">INTERIM</status_change>
            <status_change date="2006-10-16T15:58:42.090-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.311-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:27:13.333-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:19.883-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/>
        <criterion comment="a version of Windows for the ia64 architecture is installed" test_ref="oval:org.mitre.oval:tst:2747"/>
        <criterion comment="Win2K/XP/2003/Vista service pack 1 is installed" test_ref="oval:org.mitre.oval:tst:2843"/>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:105" version="3" class="inventory">
      <metadata>
        <title>Microsoft Windows XP is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows XP</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/o:microsoft:windows_xp"/>
        <description>The operating system installed on the system is Microsoft Windows XP.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-06-26T12:55:00.000-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </submitted>
            <status_change date="2006-06-26T12:55:00.000-04:00">ACCEPTED</status_change>
            <modified comment="Added CPE reference." date="2007-04-30T07:48:00.244-04:00">
              <contributor organization="The MITRE Corporation">Jonathan Baker</contributor>
            </modified>
            <status_change date="2007-04-30T08:01:55.267-04:00">INTERIM</status_change>
            <status_change date="2007-05-23T15:05:25.969-04:00">ACCEPTED</status_change>
            <modified comment="Changed the CPE reference" date="2008-04-04T11:17:00.073-04:00">
              <contributor organization="The MITRE Corporation">Andrew Buttner</contributor>
            </modified>
            <status_change date="2008-04-04T11:27:52.098-04:00">INTERIM</status_change>
            <status_change date="2008-04-21T04:00:10.499-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="AND">
        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/>
        <criterion comment="a version of Microsoft Windows XP is installed" test_ref="oval:org.mitre.oval:tst:3"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:org.mitre.oval:tst:2837" version="1" comment="Win2K/XP/2003 service pack 2 (or later) is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:2656"/>
    </registry_test>
    <family_test id="oval:org.mitre.oval:tst:99" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <object object_ref="oval:org.mitre.oval:obj:99"/>
      <state state_ref="oval:org.mitre.oval:ste:99"/>
    </family_test>
    <registry_test id="oval:org.mitre.oval:tst:3" version="1" comment="a version of Microsoft Windows XP is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:123"/>
      <state state_ref="oval:org.mitre.oval:ste:3"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:2843" version="1" comment="Win2K/XP/2003/Vista service pack 1 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:717"/>
      <state state_ref="oval:org.mitre.oval:ste:2662"/>
    </registry_test>
    <registry_test id="oval:org.mitre.oval:tst:2747" version="1" comment="a version of Windows for the ia64 architecture is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:1576"/>
      <state state_ref="oval:org.mitre.oval:ste:2568"/>
    </registry_test>
    <file_test id="oval:org.mitre.oval:tst:85" version="1" check="at least one" comment="the version of Flash9.ocx is greater than or equal 9.0.16.0" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:17"/>
      <state state_ref="oval:org.mitre.oval:ste:61"/>
    </file_test>
    <file_test id="oval:org.mitre.oval:tst:83" version="1" check="at least one" comment="the version of Flash8.ocx is greater than or equal 8.0.22.0" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:80"/>
      <state state_ref="oval:org.mitre.oval:ste:59"/>
    </file_test>
    <file_test id="oval:org.mitre.oval:tst:79" version="1" check="at least one" comment="Flash.ocx exists" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:648"/>
    </file_test>
  </tests>
  <objects>
    <family_object id="oval:org.mitre.oval:obj:99" version="1" comment="This is the default family object. Only one family object should exist." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
    <registry_object id="oval:org.mitre.oval:obj:123" version="1" comment="Registry key that hold the current windows os version" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>CurrentVersion</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:717" version="1" comment="This registry key holds the service pack installed on the host if one is present." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>CSDVersion</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:1576" version="1" comment="This registry key identifies the architecture on the system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SYSTEM\CurrentControlSet\Control\Session Manager\Environment</key>
      <name>PROCESSOR_ARCHITECTURE</name>
    </registry_object>
    <file_object id="oval:org.mitre.oval:obj:17" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:224" var_check="all"/>
      <filename operation="pattern match">Flash9[a-z]?\.ocx</filename>
    </file_object>
    <file_object id="oval:org.mitre.oval:obj:80" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:224" var_check="all"/>
      <filename>Flash8.ocx</filename>
    </file_object>
    <file_object id="oval:org.mitre.oval:obj:648" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:224" var_check="all"/>
      <filename>Flash.ocx</filename>
    </file_object>
    <registry_object id="oval:org.mitre.oval:obj:219" version="1" comment="This registry key identifies the system root." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>SystemRoot</name>
    </registry_object>
  </objects>
  <states>
    <registry_state id="oval:org.mitre.oval:ste:2656" version="1" comment="Regex that matches Service Pack 2 or later" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">^Service Pack [2-9]|\d{2,}$</value>
    </registry_state>
    <family_state id="oval:org.mitre.oval:ste:99" version="1" comment="Microsoft Windows family" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <family>windows</family>
    </family_state>
    <registry_state id="oval:org.mitre.oval:ste:3" version="1" comment="The registry key has a value of 5.1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>5.1</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:2662" version="1" comment="The registry key has a value of Service Pack 1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>Service Pack 1</value>
    </registry_state>
    <registry_state id="oval:org.mitre.oval:ste:2568" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value>ia64</value>
    </registry_state>
    <file_state id="oval:org.mitre.oval:ste:61" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="greater than or equal">9.0.16.0</version>
    </file_state>
    <file_state id="oval:org.mitre.oval:ste:59" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="greater than or equal">8.0.22.0</version>
    </file_state>
  </states>
  <variables>
    <local_variable id="oval:org.mitre.oval:var:224" version="1" comment="Macromedia Flash subdirectory of Windows system 32 directory" datatype="string">
      <concat>
        <object_component item_field="value" object_ref="oval:org.mitre.oval:obj:219"/>
        <literal_component>\system32\Macromed\Flash</literal_component>
      </concat>
    </local_variable>
  </variables>
</oval_definitions>
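The evaluation discussed in this thread, modelled as an added Python example (not part of the attached file and not the code of any OVAL interpreter): it applies tst:85, obj:17 and ste:61 from the attachment to constructed host inventories. The negation of the test result is taken from Brian's description; the unanchored pattern-match semantics, the helper names and the sample hosts are assumptions.

```python
import re

# Values from the attached definitions file.
MIN_VERSION = "9.0.16.0"                 # ste:61, "greater than or equal"
PATTERN = r"Flash9[a-z]?\.ocx"           # obj:17 after the change
# From the thread: the earlier literal name and the variant missing the escape.
LITERAL_NAME = "Flash9.ocx"
PATTERN_NO_ESCAPE = r"Flash9[a-z]?.ocx"

# Constructed host inventories: file name -> version in the Flash directory.
HOST_REPORTED = {"Flash9c.ocx": "9.0.45.0"}   # the case reported in the thread
HOST_OLD = {"Flash9.ocx": "9.0.15.0"}
HOST_NO_FLASH9 = {"Flash.ocx": "6.0.79.0"}


def parse_version(text):
    """Split a dotted version such as 9.0.45.0 into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def collect(files, name, pattern_match):
    """Return the (name, version) items the file_object selects.

    Assumption: "pattern match" is an unanchored regex search, so a
    pattern without ^...$ also selects longer names that contain a match.
    """
    if pattern_match:
        rx = re.compile(name)
        return [(f, v) for f, v in files.items() if rx.search(f)]
    return [(f, v) for f, v in files.items() if f == name]


def file_test(items, minimum=MIN_VERSION):
    """tst:85: check_existence="at_least_one_exists", check="at least one"."""
    if not items:
        return False          # nothing collected, so the existence check fails
    floor = parse_version(minimum)
    return any(parse_version(version) >= floor for _, version in items)


def vulnerable(files, name, pattern_match):
    """Negated test result, as described in the thread (assumed here)."""
    return not file_test(collect(files, name, pattern_match))


if __name__ == "__main__":
    for label, name, is_pattern in (("literal", LITERAL_NAME, False),
                                    ("pattern", PATTERN, True)):
        for host in (HOST_REPORTED, HOST_OLD, HOST_NO_FLASH9):
            print(label, sorted(host), "vulnerable =",
                  vulnerable(host, name, is_pattern))
```

In this model a host with no Flash9 file at all still comes out as vulnerable under both object forms, because an empty collection fails the existence check before the negation. A name such as Flash9c.ocx.bak is also selected by the unanchored pattern.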
Lah, Mike M.

Re: Behavior of nonexistent objects definition 538 bug?


Brian,

 

Thank you for the correction to def:538. The OVAL Repository has been updated and the correction is available for further community review.

 

Thanks,

Mike

 

 

====================================================

Mike Lah

G022 -  Information Assurance Industry Collaboration

The MITRE Corporation

[hidden email]

 

From: Lah, Mike M. [mailto:[hidden email]]
Sent: Thursday, November 05, 2009 4:39 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Behavior of nonexistent objects definition 538 bug?

 

I’m sorry, I did not save the file before attaching it.  This file has the complete change for oval:org.mitre.oval:obj:17 (line 199).  The previous file was missing an escape character.

 

Thanks,

Mike

 


To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Dragos Prisaca-2

Re: Behavior of nonexistent objects definition 538 bug?


Hi Mike,

 

I’ve seen you updated the definition 538 and obj:17. Any idea why the version element was not updated (it still shows version 1)?

 

Thanks,

_Dragos.

 

From: Lah, Mike M. [mailto:[hidden email]]
Sent: Thursday, November 12, 2009 3:54 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Behavior of nonexistent objects definition 538 bug?

 

Brian,

 

Thank you for the correction to def:538. The OVAL Repository has been updated and the correction is available for further community review.

 

Thanks,

Mike

 

 

Lah, Mike M.

Re: Behavior of nonexistent objects definition 538 bug?


Dragos,

 

Thank you for pointing this out, it was my mistake.  I have corrected the version numbers and updated the repository.

 

Thanks!

Mike

 

====================================================

Mike Lah

G022 -  Information Assurance Industry Collaboration

The MITRE Corporation

[hidden email]

 

From: Dragos Prisaca [mailto:[hidden email]]
Sent: Friday, November 13, 2009 5:01 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Behavior of nonexistent objects definition 538 bug?

 

Hi Mike,

 

I’ve seen you updated the definition 538 and obj:17. Any idea why the version element was not updated (it still shows version 1)?

 

Thanks,

_Dragos.

 
