Microsoft IIS 7.5 EOL

Microsoft IIS 7.5 is EOL but not reflected in the GCF.

Suggested change in products_eol.inc line 234:

'versions',      '6.0:2015-07-14;5.1:2014-04-08;5.0:2010-07-13;4.0:2002-12-31;3.0:2002-12-31;2.0:2002-12-31;1.0:2000-09-30',

to

'versions',      '7.5:2020-01-14;6.0:2015-07-14;5.1:2014-04-08;5.0:2010-07-13;4.0:2002-12-31;3.0:2002-12-31;2.0:2002-12-31;1.0:2000-09-30',

Reference:

• https://docs.microsoft.com/nl-nl/lifecycle/products/microsoft-internet-information-services-75
• https://docs.microsoft.com/nl-nl/lifecycle/products/windows-server-2008-r2

Hi there,

thanks for bringing this to our attention. The EOL dates will be updated accordingly.

Cheers

One addition to this:

We’re already aware (previous to this report) that IIS 7.5 is EOL but currently can’t / won’t add the date to the mentioned file for the same reason mentioned in https://community.greenbone.net/t/missing-windows-version-in-os-end-of-life-detection/4837/2:

Windows 7 and Windows Server 2008 are covered by the Extended Security Updates (ESU) program of Microsoft and we currently can’t discern between systems covered by ESU and the ones which are not covered (especially remotely) which would mean that we would report a false positive for systems covered by ESU.

Edit: Fixed link

Thank you for your answer. The link you mention doens’t seem to exist or is private.

I understand the decision to not add this because it’s covered in ESU, but don’t you think more systems are running without ESU which are vulnerable but not visible?

There are two outcomes by don’t including 7.5 as EOL because of ESU:
1.Prevent false positives in case ESU is being used in networks.
2. Hide many vulnerable systems which are not enrolled in ESU

Maybe it is a better option to create a scan config option for ESU or where an user can enable/disable ESU in the Greenbone software itself.

Just some thoughts!

If you remove the colon at the end, it works