I'm having an issue where Microsoft Baseline Security Analyzer (MBSA) is finding a vulnerability MS09-062 and our McAfee Vulnerability Manager (MVM) tool is finding it as MS09-004 on a particular server.
If you look on Microsoft technet - https://technet.microsoft.com/en-us/library/security/ms09-062.aspx/
You'll see that MS09-062 supercedes MS09-004. Does this mean that MVM shouldn't be reporting on MS09-004 since it's older? Or are we considering these two bulletins as handling two separate vulnerabilities and completely separate in nature? How does this work exactly?
And as a side note - I'm wondering, how does McAfee Vulnerability Manager find vulnerabilities? Does it look for a certain file or DLL? And is there a link that explains how the tool works in terms of vulnerability detection?
(I'm currently running 7.0)
So from my experience MVM often does report on the superseded patches as well though they do have vulnerability sets and filters that somewhat assist in removing them, but i'll leave that part up to the MVM support Staff to speak to.
Note you may also come across the circumstance when MBSA disagrees with mcafee-in these cases you need to look at the FASL output and manually apply the referenced KB.
How MVM works depends on what the vulnerability is-for protocol/service related vulnerabilities, MVM will connect to the port, fingerprint the service and then determine if the version accepting connections is vulnerable.
For vulnerable software, it typically iterates either the version or release level of the software in question and compares to a list of known vulnerable versions-OS checks also work similarly.