We had a nearly identical issue with comctl32.ocx turning up as out of date and marked as a major vulnerability. I took these steps and it resolved the vulnerability issue:
- Downloaded the VB 6 SP 6 SRU from microsoft as sean.martinez pointed out.
- Extracted the files without installing using the following command line (as administrator):
- C:\Temp>msiexec /a c:\temp\vb60sp6-kb2708437-x86-enu.msi /qb targetdir=c:\temp\vb
- NOTE: I placed the downloaded .mis into a directory called temp on the c: drive and created a sub-folder called vb in the same temp folder.
- Manually copied the comctl32.ocx file from c:\temp\vb\system\ to c:\windows\system32\ and opted to copy and replace.
- Rebooted the server.
- Had our IA folks rescan the system running syslog server.
- Celebrated and rejoiced when the scan passed clean.
I hope this helps others in similar situations.