Forum Thread: node.js 9.5.0

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
bestcons node.js 9.5.0
Member 26th Feb, 2018 23:15
Ranking: 6
Posts: 5
User Since: 26th Feb, 2018
System Score: N/A
Location: NL
PSI tells me that I have installed Node.js 4.4.5.0 and advises as safe: 4.8.7. I however installed the latest version 9.5.0, which is confirmed by Revo Uninstaller. This is not recognized by PSI and keeps warning to update all the time.

Maurice Joyce RE: node.js 9.5.0
Handling Contributor 27th Feb, 2018 09:06
Score: 12325
Posts: 9,574
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What file path does PSI give you to the problem?

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1803 Build 17134.471
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0
bestcons RE: node.js 9.5.0
Member 27th Feb, 2018 14:16
Score: 6
Posts: 5
User Since: 26th Feb 2018
System Score: N/A
Location: NL
The file path is https://nodejs.org/en/blog/release/v4.8.7/
Was this reply relevant?
+2
-0
Maurice Joyce RE: node.js 9.5.0
Handling Contributor 27th Feb, 2018 15:00
Score: 12325
Posts: 9,574
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You have given the url to Node JS - I asked for the file path that PSI gives you to the problem.

To get that information you need to:

Open PSI>once open select Show Programs.

You will now see a page full of programme icons or a list depending on how you have PSI set up.

Right click on the programme in error>select Show Details - that will open a box showing the path & version number of the offending file.

We need to know all that information shown which will start with C:\Window ..........

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1803 Build 17134.471
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0
bestcons RE: node.js 9.5.0
Member 27th Feb, 2018 15:34
Score: 6
Posts: 5
User Since: 26th Feb 2018
System Score: N/A
Location: NL
C:\Windows\Prey\current\bin\node.exe Installed version: 4.4.5.0
Was this reply relevant?
+1
-0
Maurice Joyce RE: node.js 9.5.0
Handling Contributor 27th Feb, 2018 15:57
Score: 12325
Posts: 9,574
User Since: 4th Jan 2009
System Score: N/A
Location: UK
As you can see it is not NODEJS that is the problem but NODEJS embedded in PREY..Installing NodeJS will not clear the vulnerability.

You need to update PREY - https://www.preyproject.com

If there is no update available from the PREY site you need to inform the vendor that Flexera PSI is flagging their programme as vulnerable because of an insecure Node File.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1803 Build 17134.471
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0
bestcons RE: node.js 9.5.0
Member 27th Feb, 2018 16:21
Score: 6
Posts: 5
User Since: 26th Feb 2018
System Score: N/A
Location: NL
This seems to me a vulnerability of both Secunia PSI, indicating the wrong program, as from Prey.
Hence I suggest that with your competence, you sort this out with Prey directly, rather than me getting lost in the technical details.
Was this reply relevant?
+2
-0
Maurice Joyce RE: node.js 9.5.0
Handling Contributor 27th Feb, 2018 17:05
Score: 12325
Posts: 9,574
User Since: 4th Jan 2009
System Score: N/A
Location: UK
It has got nothing to do with Flexera PSI. They have correctly indicated to you that you have a vulnerable node file embedded in programme called PREY.

I do not work for or represent Flexera and have no intention of contacting the vendors of Prey on your behalf. You installed and presumably use Prey and it is up to you to sort it out if you want to use it securely.

If you do not use Prey there are other options:

1. Uninstall Prey and Node.

2. Delete the vulnerable file PSI has identified for you - this will cripple Prey but make you secure.

3. Rename the vulnerable file by adding the extension .old - this to will also cripple Prey but is reversible.

You can also create a PSI ignore rule but that is merely hiding a vulnerability unless the vendors of Prey clearly state to you that Flexera have created a false positive.

The above is standard procedure for users who want to stay secure using PSI and requires little expertise now you know that Prey is the offending programme.






--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1803 Build 17134.471
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0
bestcons RE: node.js 9.5.0
Member 27th Feb, 2018 17:12
Score: 6
Posts: 5
User Since: 26th Feb 2018
System Score: N/A
Location: NL
Thanks Maurice.
Was this reply relevant?
+1
-0

This thread has been marked as locked.