Showing results for 
Search instead for 
Did you mean: 

How are you handling unpatched vulnerabilities?

I am curious how the community handles vulnerabilities found during a scan that are not currently patched?

A side question: If you just accept the vulnerability finding as mitigated or accepted, how do you handle the recurring hit on every report? Do you turn off that scan item, or just keep those hits in the scan report? What if my boss wants a clean report?

I use version 6.7 I've found when I scan a Windows server, I often will see some medium and even an occasional high alert for unpatched issues, some of which are persisting for quite some time. An example would be 6545: Microsoft Windows GDI+ EMF Stack Overflow Vulnerability.

4 Replies
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: How are you handling unpatched vulnerabilities?

I can't speak for the community but as a security professional I wouldn't manipulate what's reported just because there isn't a patch available. That can lead to a false sense of security that doesn't really reflect the reality of your enterprise. If your boss wants a clean report, pressure should be put on the vender to fix the vulnerability or the offending software should be removed.

Jeff Haynes


Re: How are you handling unpatched vulnerabilities?

Yeah, I definitely don't want to really disable an alert. From an auditor's perspective, how would he know I just don't turn off checks for things I don't want to fix?

Unfortunately, some vulns, especially some of those Windows OS ones are just not going to be patched, or at least Microsoft has said as much. Of course, that then begs the question on how anyone can pass a Foundstone scan with Windows?

Level 9
Report Inappropriate Content
Message 4 of 5

Re: How are you handling unpatched vulnerabilities?

Hi Michael,

I support Jeffrey perspective.

If you have a vuln that cannot be patched, you should accept the risk, so it must be reflected in the Foundscore.

You could disable that particular vuln check in you scan, by editing the vuln list, but again, that would only deliver a false sense of security.

Regarding your boss requiring a clean report, I remember reading somewhere that Vuln. Management "is 75 percent science and planning and 25 percent the art of persuasion and motivation.". Reading a clean report is easy, changing people perspective is hard.



Message was edited by: epo909 on 11/24/09 3:56 AM

Re: How are you handling unpatched vulnerabilities?


I concur with the others as well, a false sence of security is misleading. You are still vulnerable and management needs to know that. I do clean the reports to send to management but the only thing I remove is the "Informational" part and leave the "High", "Medium" and "Low". My reports are created using Excel, Access and connection to the SQL database.


Rene Pariseau

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community