Security vulnerabilities are regularly published by the dozens, and software vendors are in a constant race to release updates that patch or mitigate them. This happens at an even faster pace in popular platforms that are appealing to researchers and attackers alike. That makes Microsoft’s Windows operating system — the leading desktop operating system by market share — a high-profile target, with a constant stream of vulnerabilities published regularly. Microsoft uses its monthly Patch Tuesday updates to automatically secure many Windows devices from those vulnerabilities.
That means most users are safe because they have an up-to-date version of Windows. However, there are many environments in which that is not the case. For example, industrial networks are often not managed, and are isolated from the online update services, meaning that many computers are left unpatched and vulnerable.
In these cases, IT administrators will still want to know, based on the updates installed on a host, which vulnerabilities remain unpatched. In other words, to determine which vulnerabilities are resolved given a list of installed patches.
During our research we found this task difficult because of different complexities in the Microsoft update process. We will describe these challenges and walk through the journey of collecting information from different sources, building a dependency flow of updates, and eventually listing all remaining vulnerabilities on a host based on the list of installed updates.
Before we dig into the specifics of what we found, it’s important to understand some terminology.
Patch Tuesday – Since October 2003, Microsoft has published security updates across its product lines on the 2nd Tuesday of every month, known as Patch Tuesday. This predictable update cycle has been the centerpiece of vulnerability management programs for almost twenty years, allowing users to build routines around patching Microsoft vulnerabilities.
Knowledge Base (KB) – Microsoft KBs are a repository of articles describing issues affecting Windows and other Microsoft products. Security updates start with the letters KB and refer to a specific Knowledge Base article; each KB contains a number of updates and patches. Updates are enumerated “KB123…” and are not sequential, which can lead to confusion when trying to determine patch levels and completeness.
KBs can be found using the
command on a Windows machine:
There are two main types of updates (as explained in Microsoft Docs):
Security-Only Updates (SO) contain security updates for the month in which they are released, and each update is product-specific.
Monthly Rollups (MR) are cumulative security and reliability updates. Each Monthly Rollup addresses new security issues for a specific product and will include updates that were previously released.
Below is an illustration of KBs for Windows Server 2012 R2 showing connections between Monthly Rollups and Security-Only Updates.
Windows Version – a reference to a specific Windows operating system, service pack, and build:
Windows 10 build 1909 (aka build 18363)
Windows 10 build 21H1 (aka build 19043)
Windows 7 SP1
The following resources are available from Microsoft, and were useful during our research as we tried to understand the relationships between specific CVEs and the KBs that remediate or mitigate them.
MSRC (Microsoft Security Response Center)
Every Patch Tuesday, the MSRC publishes a Security Update Guide where users can find release notes for the KBs. Users can download the guide and map affected products to articles (KBs) and understand the impact of vulnerabilities, their severity as determined by Microsoft, and the CVE (Common Vulnerabilities and Exposures) number. From here you can download an Excel spreadsheet containing this information.
Microsoft Support
This resource helps users learn more details about specific KBs, in the case below, the November 2021 Monthly Rollup. Here, users can connect all KBs related to a specific Windows Version. Users can learn which KBs are mapped to which Windows Version via the Microsoft Support resource.
Microsoft Update Catalog
This searchable resource provides information about KBs and allows users to download KBs as well. Users should also note the “Package Details” tab, which allows users to see how KBs are connected, and which KBs replace previous ones.
Now that we understand the resources available, let’s tackle our problem, which is to understand the relationships between CVEs and the chain of KBs that remediate vulnerabilities.
For a user wishing to understand which KB addresses a particular CVE, the MSRC’s Security Update Guide may not provide enough information because it doesn’t illustrate the cumulative connection between KBs. Below, you can see this connection: the May Monthly Rollup contains CVE-1, while the June Monthly Rollup contains CVE-2 and also CVE-1 because it cumulatively includes the May update. The July Monthly Rollup, meanwhile, is another cumulative rollup that patches CVE-1, CVE-2, and CVE-3.
CVE details provided in the Security Update Guide connect only to the first KB that resolves it (blue arrows, below), but not to newer KBs that also contain the original fix (red arrow), as illustrated below. For this information, users have to make that connection in the Microsoft Update Catalog, or Microsoft Support page.
There needs to be a single cumulative mechanism to understand the relationships between CVEs and KBs and whether a machine is at a current patch level.
Solving Our Problem
In order to solve the problem we need:
Source 1: For each CVE, the KBs that directly fix it; this information is easily collected from MSRC
Source 2: For each KB, a way to identify subsequent KBs. Building this relationship requires using additional information sources (Microsoft Update Catalog or Microsoft Support)
Once we have that information, the process would look like this:
1. To determine the first connection between a CVE and all direct KBs that resolve it, download the Excel spreadsheet from MSRC (Source 1).
2. To identify all future KBs that resolve a CVE:
For every KB detailed in MSRC’s spreadsheet, use the list of cumulative KBs that contain it (Source 2).
This step will give us a KB chain, where each KB contains all KBs that were previously published. In the example below, the June Monthly Rollup contains the May Monthly Rollup, and the July Monthly Rollup contains the June Monthly Rollup and hence, also the May Monthly Rollup.
3. To connect CVEs to all the KB chains that remediate them:
For every CVE in the MSRC spreadsheet, determine its direct KB.
If one of the direct KBs is installed on the computer it means the CVE is patched.
If one of the installed KBs is later in that chain than the direct KB resolving this CVE, it also means the CVE is patched. In the example below, the installed KB is the July Monthly Rollup and the direct KB is the May Monthly Rollup. July follows May in the chain, hence this computer is not vulnerable to this CVE.
Otherwise, the CVE is not patched and the computer is vulnerable.
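The three steps above, written out as an added Python example (not code from the original post). The data is constructed to mirror the May/June/July Monthly Rollup example used on this page, plus one Security-Only update to show that a non-cumulative update only closes its own month's CVEs; the KB labels, the "replaces" edges and the CVE mapping are assumptions.

```python
from collections import defaultdict

# Source 1 (MSRC spreadsheet): CVE -> KBs that directly fix it. Constructed:
# the June Security-Only update fixes CVE-2 as well, but is not cumulative.
DIRECT_KBS = {
    "CVE-1": {"MR-May"},
    "CVE-2": {"MR-June", "SO-June"},
    "CVE-3": {"MR-July"},
}

# Source 2 (Update Catalog / Support): KB -> older KBs it replaces. Constructed:
# each Monthly Rollup cumulatively replaces the previous rollup.
REPLACES = {
    "MR-June": {"MR-May"},
    "MR-July": {"MR-June"},
}


def kbs_containing(kb, replaces):
    """Step 2: every KB that (transitively) contains `kb`, i.e. all later
    cumulative updates in its chain."""
    replaced_by = defaultdict(set)          # invert edges: older -> newer
    for newer, olders in replaces.items():
        for older in olders:
            replaced_by[older].add(newer)
    seen, stack = set(), [kb]
    while stack:
        cur = stack.pop()
        for newer in replaced_by[cur]:
            if newer not in seen:
                seen.add(newer)
                stack.append(newer)
    return seen


def cve_status(direct_kbs, replaces, installed):
    """Step 3: a CVE is patched if a direct KB, or any KB later in a direct
    KB's chain, is installed; otherwise the host is still vulnerable."""
    installed = set(installed)
    status = {}
    for cve, direct in direct_kbs.items():
        resolving = set(direct)
        for kb in direct:
            resolving |= kbs_containing(kb, replaces)
        status[cve] = bool(resolving & installed)
    return status


def unpatched(direct_kbs, replaces, installed):
    """Sorted list of CVEs the host remains vulnerable to."""
    return sorted(c for c, ok in cve_status(direct_kbs, replaces, installed).items() if not ok)
```

With only the July rollup installed every CVE is patched; with only the May rollup, CVE-2 and CVE-3 remain open, and with only the June Security-Only update, CVE-1 and CVE-3 remain open.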
Building a KB chain from Microsoft Update Catalog
In the second step above we searched Microsoft Update Catalog to build a chain of KBs.
This, however, turned out not to be so easy. While collecting KB connections from this source, we discovered that they do not form a single, one-to-one chain.
The KBs represented below are the blue nodes, and the edges represent the connection between the KBs based on Catalog searches. You can see it looks like a mesh connection, since the information in Catalog about a specific KB isn’t only the latest KB it’s connected to, but also all the KBs before it.
For example, we should expect them to be in chronological order from January 2020 → February 2020 → March 2020, but as you can see we also have the indirect connection between January 20 and March 20.
To get the one-to-one chain we wanted, we searched the mesh connections for the longest path, creating this new one-to-one chronological (however, not sequential) chain graph.
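The longest-path reduction described above, as an added Python example (not code from the original post). The "replaced by" edges are constructed to reproduce the January → February → March 2020 mesh, including the indirect January → March edge; the KB labels are assumptions, and the graph is assumed to be acyclic, which holds for a supersedence relation.

```python
from functools import lru_cache

# Constructed Catalog data: (older KB, newer KB that replaces it). The Catalog
# lists every earlier KB a rollup supersedes, so shortcut edges appear.
CATALOG_EDGES = [
    ("KB-Jan-2020", "KB-Feb-2020"),
    ("KB-Feb-2020", "KB-Mar-2020"),
    ("KB-Jan-2020", "KB-Mar-2020"),   # indirect edge that makes the mesh
]


def longest_chain(edges):
    """Return the longest path through the 'replaced by' DAG as a list of
    KBs, oldest first: the one-to-one chronological chain with the
    shortcut edges dropped."""
    succ, nodes = {}, set()
    for older, newer in edges:
        succ.setdefault(older, []).append(newer)
        nodes.update((older, newer))

    @lru_cache(maxsize=None)
    def best_from(node):
        # longest path starting at `node`; memoised so each node is solved once
        best = (node,)
        for nxt in succ.get(node, []):
            cand = (node,) + best_from(nxt)
            if len(cand) > len(best):
                best = cand
        return best

    return list(max((best_from(n) for n in nodes), key=len))


def chain_edges(edges):
    """The consecutive (older, newer) pairs of the reduced chain."""
    chain = longest_chain(edges)
    return list(zip(chain, chain[1:]))
```

Running it on the three-node mesh yields the chain January → February → March and discards the January → March shortcut.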
Full flow example
The example below shows the process of creating the KB chain and understanding, based on installed KBs, what CVEs the computer is vulnerable to.
Windows version: Windows Server 2012 R2
Date: December 2021, after Patch Tuesday
KB Installed: KB5008263, December Monthly Rollup, the latest Monthly Rollup for that date
To simplify this example, we will focus only on some of the CVEs from MSRC that affect Windows Server 2012 R2 (only those with a critical severity and a potential impact of remote code execution upon successful exploitation).
KB5008263 December Monthly Rollup (the installed KB on device)
KB5008285 December Security Only
KB5007247 November Monthly Rollup
KB5007255 November Security Only
Our question now: What are the relationships between those 4 KBs?
Here we’ll describe only one way to find the KB relationships using Catalog; alternatively you can use other resources such as Support to make faster connections rather than recursively gathering data. Just take note that the connections aren’t always the same and you should choose the way that better suits you.
Below is a search in Catalog for a specific KB, for example KB5008263, the December Monthly Rollup:
In the Package Details, you can find KB5007247 among the KBs that KB5008263 replaced, showing the cumulative Monthly Rollup from December to November.
This demonstrates the relationship between 4 CVEs for this Windows Version from MSRC and its corresponding KBs:
Direct installed KB impact: December Monthly Rollup remediates all 3 of December’s CVEs.
Cumulative impact: December Monthly Rollup remediates November’s CVE because it contains the November Monthly Rollup.
Windows updates are complex. The information about them is spread among multiple sources and the relationships between them are not straightforward.
We showed, however, that this can be untangled by properly understanding the mechanism to its full extent. This is an important step for a security practitioner to be able to have an accurate view of vulnerabilities that put their network at risk.
We have demonstrated how you can connect both a CVE to all the KBs that resolve it, and a KB to all the CVEs it resolves. The next time you hear about a new vulnerability, you have the knowledge and tools to verify if you’re patched.
Mapping the existing installed updates to applicable vulnerabilities, while sometimes more complex than you would have thought, can be accomplished with a bit of research and investment.