Why does VulnDetect recommend older versions?


  • Community Moderator

    In VulnDetect I get recommendations for older versions for some applications.
    Examples:

    • Application: TeamSpeak 3 Client
      Installed Version: 3.2.3
      Recommended: 3.2.2

    • Application: Vortex
      Installed Version: 0.16.10
      Recommended: 0.16.8

    • Application: Elite Dangerous
      Installed Version: 3.2.1.300
      Recommended: 3.3.0.100

    Why does VulnDetect suggest here an older version?
    Normally these recommendations mean that a newer version is shown here, like

    • Application: Notepad++
      Installed Version: 7.5.8
      Recommended: 7.5.9

    But here (on Notepad++) the status "OK" is also not correct.
    Here it should be "Outdated" or "Update available".
    I know we have a separate suggestion for this: https://vulndetect.org/topic/151/new-status-outdated-for-non-security-updates

    This is really very confusing...


  • Community Moderator

    > @OLLI_S Because only two users run Ahnenblatt, we don't see it that fast.

    I have it on my PC and also the current Beta in my VM.
    So maybe I am the "two users"...

    > And the English Ahnenblatt website is always behind the German one. So even on the day when we added "recommended" for 2.99h, the English website still recommended 2.99g.

    You are right, this is a mess...

    > Changing the recommended version is always something that requires manual work on our side, so just because someone installs a newer version, we will continue to recommend the "old" version until we confirm that the new version is official and recommended by the vendor.

    I know that this is a manual action.
    But now I understand why you recommend the older version (because of the version on the English website).


  • VulnDetect Team Member

    @OLLI_S Because only two users run Ahnenblatt, we don't see it that fast.
    And the English Ahnenblatt website is always behind the German one. So even on the day when we added "recommended" for 2.99h, the English website still recommended 2.99g.

    Changing the recommended version is always something that requires manual work on our side, so just because someone installs a newer version, we will continue to recommend the "old" version until we confirm that the new version is official and recommended by the vendor.


  • Community Moderator

    Today I installed the version 2.99h of Ahnenblatt.
    But VulnDetect recommends 2.99g (an older version).


  • Community Moderator

    @Tom Today VulnDetect recommended version 0.10.11.0 although I have version 1.0.0.0 installed.

    (screenshot attached: VulnDetect_1.0.0.0_Update_Available.png)

    I wonder what happens when I click on the Update button? 😕

    I know that this is just because you did not make 1.0.0.0 official or something like that.
    But for users this is very very confusing (especially when they have not expanded the entry, then click on the Update button and get an older version installed).

    By the way: in my VM I have the same problem!
    So this seems to be a global issue!


  • Community Moderator

    OK, thank you!


  • VulnDetect Team Member

    @OLLI_S Yes, we will work on improving the suggestions within the right channels.
    I will test the VirtualBox rules over the coming days, since both 5.2 and 6.0 are maintained in parallel by the vendor at the moment.


  • Community Moderator

    @Tom I updated from 6.0.2 to 6.0.4.
    So I understand it when you recommended 6.0.2 or 6.0.0.
    What I don't understand is why you recommended 5.2.24 although you have rules for 6.0.2 and 6.0.0.


  • VulnDetect Team Member

    @OLLI_S Because we didn't detect the new version before.
    You know that we have to see the (new) file version before we add a Specific Rule for it. Only for some products do we proactively add new Specific Rules before we actually see the new version. For most products it isn't much of an issue, because users start installing the new version a very short time after it is released by the vendor, and quite often we see the new versions before the release notes / announcements / security bulletins are published.


  • Community Moderator

    @Tom I have a new issue:
    Today I updated Oracle VirtualBox to version 6.0.4.
    And the recommended version is 5.2.24.

    This is totally confusing for the user.
    Why is such an old version recommended?
    If this recommendation is valid then you have to explain it to the user so he understands it.
    Otherwise he might think that VulnDetect is crap.


  • VulnDetect Team Member

    Yes, that is a good question. I will check all the above again and update the Rules accordingly.

    However, what is important to understand is that we often see new versions BEFORE the vendor changes the information on their website. For example, in the last two days we've seen build 3177 of the Sublime Text editor, but build 3177 is not listed on the site, not even as a dev or beta version, so build 3176 is still the recommended one. The same is often the case with Skype: we see the new version and two or three days later they update their changelog.

    When we don't see any posting about a new version, we will usually not recommend it - at least not for software where the vendor usually does post this information. But then there are exceptions, like with some of the gaming software, where there are no official announcements, and in these cases we just update the recommended version to the highest version number we have seen.

    In short, if you see that the vendor starts to recommend a different version than we do, then make a post or send me a message on the chat and we shall update it as soon as possible.

    TeamSpeak: Updated
    Vortex: Updated to 0.16.12
    Elite Dangerous: 3.2.1.300 is the newest we have seen. Do you have a URL where we can see release information?

    We always show "OK" if the version hasn't been flagged as vulnerable. You have previously suggested that we make it more clear that it is outdated or that another version is recommended. This is something we are still considering, so no immediate plans to change this. I mean, it is "VulnDetect", not "OldVersionDetect" 😉

    But thank you for highlighting these cases 😄
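The rule behaviour Tom describes in the thread (Specific Rules keyed on file versions actually seen, a manually confirmed recommended version per maintained branch, and "highest version seen" for products whose vendor publishes no release notes), as an added Python example that is not VulnDetect's code. The product data is constructed to mirror the cases above, the "Example App" vulnerability is hypothetical, and the "Unconfirmed" status is an assumption illustrating the guard the moderator asks for (never offer an "Update" to a build older than the installed one); it is not a status VulnDetect has.

```python
import re
from dataclasses import dataclass, field


def version_key(version):
    """Sort key for mixed version strings such as '6.0.4', '3.2.1.300' or '2.99h'.

    Digit runs compare numerically and letter runs alphabetically, so
    '2.99g' < '2.99h' and '6.0.4' < '6.0.10' (a plain string compare would
    put '6.0.10' before '6.0.4').
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def branch_of(version):
    """Maintenance branch = first two numeric components ('6.0.4' -> '6.0').

    Needed where a vendor maintains branches in parallel (VirtualBox 5.2 and
    6.0 in the thread): a 6.0.x install must never be pointed at 5.2.x.
    """
    return ".".join(re.findall(r"\d+", version)[:2])


@dataclass
class Product:
    name: str
    seen: set                 # file versions observed on scanned machines
    confirmed: dict           # branch -> version manually confirmed on the vendor site
    vulnerable_below: dict = field(default_factory=dict)  # branch -> first fixed version
    vendor_announces: bool = True  # False: no release notes, so "highest seen" wins


def evaluate(product, installed):
    """Return (status, recommended_version) for one installed version."""
    branch = branch_of(installed)
    newest_seen = max(product.seen | {installed}, key=version_key)

    if branch in product.confirmed:
        recommended = product.confirmed[branch]       # same branch first
    elif not product.vendor_announces:
        recommended = newest_seen                     # nothing to confirm against
    else:
        # Cross-branch fallback: with no confirmed 6.0 rule yet, a 6.0.x
        # install would be pointed at 5.2.24 here, as happened in the thread.
        recommended = max(product.confirmed.values(), key=version_key, default=newest_seen)

    # Vulnerability flag simplified to "below the first fixed build of its branch".
    fixed_in = product.vulnerable_below.get(branch)
    if fixed_in and version_key(installed) < version_key(fixed_in):
        return "Vulnerable", recommended
    if version_key(recommended) < version_key(installed):
        # Guard: never offer an "Update" to an older build. "Unconfirmed" is an
        # assumed status for "installed version not yet confirmed by the vendor".
        return "Unconfirmed", installed
    if version_key(recommended) > version_key(installed):
        return "Update available", recommended
    return "OK", recommended


# Constructed rule data mirroring the thread's cases (not VulnDetect's rules).
VIRTUALBOX = Product("Oracle VirtualBox", {"5.2.24", "6.0.0", "6.0.2", "6.0.4"},
                     {"5.2": "5.2.24", "6.0": "6.0.2"})
NOTEPADPP = Product("Notepad++", {"7.5.8", "7.5.9"}, {"7.5": "7.5.9"})
AHNENBLATT = Product("Ahnenblatt", {"2.99g", "2.99h"}, {"2.99": "2.99g"})
TEAMSPEAK = Product("TeamSpeak 3 Client", {"3.2.2", "3.2.3"}, {"3.2": "3.2.3"})
ELITE = Product("Elite Dangerous", {"3.2.1.300", "3.3.0.100"}, {}, vendor_announces=False)
# Hypothetical product with a hypothetical fixed-in version, to show the flag path.
EXAMPLE = Product("Example App (hypothetical)", {"1.0.0", "1.0.1"}, {"1.0": "1.0.1"},
                  vulnerable_below={"1.0": "1.0.1"})

if __name__ == "__main__":
    for product, installed in [(VIRTUALBOX, "6.0.4"), (NOTEPADPP, "7.5.8"),
                               (AHNENBLATT, "2.99h"), (TEAMSPEAK, "3.2.3"),
                               (ELITE, "3.2.1.300"), (EXAMPLE, "1.0.0")]:
        status, rec = evaluate(product, installed)
        print(f"{product.name}: installed {installed} -> {status}, recommended {rec}")
```

The branch-first lookup is what keeps a 6.0.4 install from being sent to 5.2.24, and the final guard is what turns the confusing "Update available to 2.99g" into a visible "not yet confirmed" state instead of an install button pointing at an older build; whether an unflagged but outdated install shows "OK" or "Update available" is exactly the status question the thread leaves open.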