Patch Supersedence: How it works in detail

Document created by Jeff Leggett on Feb 9, 2018. Last modified by Nick Williams on Sep 17, 2018.
Version 7

Many factors come into play in Microsoft patch supersedence, including but not limited to:

  1. Operating system
  2. Architecture: 32-bit, 64-bit
  3. Service pack: none, SP1, SP2...
  4. Service Release: base, R1, R2

 

Other factors, such as End-of-Life products, also play a part. This adds to the complexity of patching in large environments that span a wide range of operating systems and architectures.

* An important note when reviewing supersedence data: the current implementation is primarily designed for OS-level patches, not application-level patches. For that reason, patch reports only take the OS level into consideration when deciding which patch to recommend.

 

Taking these examples:

IP: 10.0.1.10
OS: Windows Server 2008 R2 Enterprise 64 bit Edition Service Pack 1
Detected QIDs: [91158, 105489, 90551, 90698, 90716, 90987, 100215, 90996, 122826, 90998, 90997, 100218, 91005, 91012, 91007, 100220, 91016, 91017, 91018, 100227, 91029, 91027, 91028, 91026, 91030, 91025, 100229, 91041, 91038, 100232, 91056, 91053, 91048, 91049, 91052, 100237, 91060, 91059, 90047, 100244, 91064, 91069, 91070, 91065, 91067, 91071, 91066, 91075, 100247, 91085, 91081, 91079, 91083, 100249, 100257, 91094, 91091, 100259, 91099, 100266, 91112, 91104, 91110, 91107, 100269, 91140, 91139, 91135, 91133, 100273, 91150, 91153, 91151, 91149, 100276, 91165, 91169, 91167, 100277, 91182, 91181, 91178, 91185, 91180, 100281, 91204, 124885, 91198, 100284, 91209, 91211, 91208, 91218, 100288, 91213, 91236, 91237, 91238, 100290, 91248, 91253, 91254, 100294, 91262, 91260, 91275, 91272, 91276, 91267, 91273, 105665]

 

Example of a QID that has newer MS patches that supersede it, but still appears with the "Exclude superseded patches" filter:

  • Detected: 90716 Microsoft XML Editor Information Disclosure Vulnerability (MS11-049)
    • Supersedence Chain for 90716:
    • 90716 (MS11-049) > 90834 (MS12-070) > 90973 (MS14-044) - nothing supersedes

 

Explanation

Scan reports with Exclude Superseded Patches work like this:

  1. Walk the chain of "supersedence" relationships from QID A (the "root") until it ends - i.e. we get to a QID Z which is not superseded by anything else.
  2. Backtrack along the chain from Z until we get to a QID F which satisfies both of the following conditions:
    1. F was detected (on the host where A was detected)
    2. F is not filtered/excluded by any Patch filters selected for the Patch Report

 

* An important note here is that the data being analyzed concerns vulnerabilities found on hosts, not patches. There will be many circumstances where a patch has been installed but vulnerable files are left behind for one reason or another, which means the QID will continue to be flagged. This can lead to confusion when a Patch Report shows a QID whose patch has been confirmed as installed. The 'Exclude Superseded Patches' feature analyzes QIDs that are flagged on hosts, not whether patches are installed or missing on those hosts.

 

QIDs 90834 and 90973 have not been detected on the host, so 90716 remains the highest advisable patch.
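The two steps above, applied to the 90716 chain and to one pair from this host's breakdown, as an added Python illustration (not Qualys code). The function names, the `SUPERSEDED_BY` mapping and the assumption that each QID has at most one direct superseder are made up for the example.

```python
# Added illustration; not Qualys code. SUPERSEDED_BY maps a QID to the QID that
# directly supersedes it (assumption: at most one direct superseder per QID).
SUPERSEDED_BY = {
    90716: 90834,  # MS11-049 -> MS12-070 (chain from the page)
    90834: 90973,  # MS12-070 -> MS14-044
    91005: 91017,  # from the page's breakdown for 10.0.1.10
}

# Subset of the QIDs detected on 10.0.1.10 (taken from the page).
DETECTED = {90716, 91005, 91017}


def walk_chain(root, superseded_by):
    """Step 1: follow supersedence from root until nothing supersedes the tip."""
    chain, seen = [root], {root}
    while chain[-1] in superseded_by:
        nxt = superseded_by[chain[-1]]
        if nxt in seen:  # defensive: malformed data containing a loop
            raise ValueError(f"supersedence cycle at QID {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def advisable_qid(root, detected, superseded_by, excluded=frozenset()):
    """Step 2: backtrack from the tip to the first QID that was detected on the
    host and is not excluded by a report filter. None if no QID qualifies."""
    for qid in reversed(walk_chain(root, superseded_by)):
        if qid in detected and qid not in excluded:
            return qid
    return None


def report(detected, superseded_by, excluded=frozenset()):
    """QIDs a report with 'Exclude superseded patches' would keep for one host."""
    picks = {advisable_qid(q, detected, superseded_by, excluded) for q in detected}
    return sorted(p for p in picks if p is not None)


if __name__ == "__main__":
    print(walk_chain(90716, SUPERSEDED_BY))   # full chain for 90716
    print(report(DETECTED, SUPERSEDED_BY))    # 91005 collapses into 91017
```

90716 stays in the report because neither 90834 nor 90973 was flagged on the host; if a later scan detected 90973, the backtrack would stop there instead.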

 

Example of a QID that has no MS Patches that supersede it:

QID 90856 Microsoft Open Data Protocol Denial of Service Vulnerability (MS13-007)

 

Full QID breakdown for IP 10.0.1.10:

91017 supersedes: 91005
91026 supersedes: 91018
91049 supersedes: 90996, 91016, 91028
91052 supersedes: 91025
91081 supersedes: 91064
91099 supersedes: 91029
91165 supersedes: 91151, 91149
91181 supersedes: 90987
91204 supersedes: 90551, 91027, 91038, 91056, 91053, 91059, 91070, 91065, 91066, 91075, 91085, 91094, 91112, 91140, 91150, 91169, 91185, 91180
91237 supersedes: 91182, 91209
91272 supersedes: 91139, 91153
91275 supersedes: 91218, 91236, 91253, 91262
91276 supersedes: 91030, 91069, 91260
100247 supersedes: 100215, 100218, 100220, 100227, 100229, 100232, 100237, 100244
100294 supersedes: 100249, 100257, 100259, 100266, 100269, 100273, 100276, 100277, 100281, 100284, 100288, 100290
124885 supersedes: 122826

 

Not superseded: 90047, 90698, 90716, 90997, 90998, 91007, 91012, 91017, 91026, 91041, 91048, 91049, 91052, 91060, 91067, 91071, 91079, 91081, 91083, 91091, 91099, 91104, 91107, 91110, 91133, 91135, 91158, 91165, 91167, 91178, 91181, 91198, 91204, 91208, 91211, 91213, 91237, 91238, 91248, 91254, 91267, 91272, 91273, 91275, 91276, 100247, 100294, 105489, 105665, 124885

 

(Will update when the Supersedence API becomes available with examples)
