Patch Supercedence: How it works in detail

Document created by Jeff Leggett on Feb 9, 2018. Last modified by Robert Dell'Immagine on Feb 9, 2018. Version 4.

When it comes to Microsoft patch supercedence, many factors come into play, including but not limited to:

  1. Operating system
  2. Architecture: 32-bit, 64-bit
  3. Service pack: none, SP1, SP2...
  4. Service Release: base, R1, R2

 

Other factors, such as End-of-Life products, also come into play. This adds to the complexity of patching in large environments that span a wide range of operating systems and architectures.

 

Taking these examples:

IP: 10.0.1.10
OS: Windows Server 2008 R2 Enterprise 64 bit Edition Service Pack 1
Detected QIDs: [91158, 105489, 90551, 90698, 90716, 90987, 100215, 90996, 122826, 90998, 90997, 100218, 91005, 91012, 91007, 100220, 91016, 91017, 91018, 100227, 91029, 91027, 91028, 91026, 91030, 91025, 100229, 91041, 91038, 100232, 91056, 91053, 91048, 91049, 91052, 100237, 91060, 91059, 90047, 100244, 91064, 91069, 91070, 91065, 91067, 91071, 91066, 91075, 100247, 91085, 91081, 91079, 91083, 100249, 100257, 91094, 91091, 100259, 91099, 100266, 91112, 91104, 91110, 91107, 100269, 91140, 91139, 91135, 91133, 100273, 91150, 91153, 91151, 91149, 100276, 91165, 91169, 91167, 100277, 91182, 91181, 91178, 91185, 91180, 100281, 91204, 124885, 91198, 100284, 91209, 91211, 91208, 91218, 100288, 91213, 91236, 91237, 91238, 100290, 91248, 91253, 91254, 100294, 91262, 91260, 91275, 91272, 91276, 91267, 91273, 105665]

 

Example of a QID that has newer MS patches that supercede it, but still appears with the "Exclude superceded patches" filter:

  • Detected: 90716 Microsoft XML Editor Information Disclosure Vulnerability (MS11-049)
    • Supercedence chain for 90716:
    • 90716 (MS11-049) > 90834 (MS12-070) > 90973 (MS14-044); nothing supercedes 90973

 

Explanation

Scan reports with Exclude Superceded Patches work like this:

  1. Walk the chain of "supercedence" relationships from QID A (the "root") until it ends - i.e. we get to a QID Z which is not superseded by anything else.
  2. Backtrack along the chain from Z until we get to a QID F which satisfies both of the following conditions:
    1. F was detected (on the host where A was detected)
    2. F is not filtered/excluded by any Patch filters selected for the Patch Report

 

An important point to understand is that we are working with vulnerabilities found on hosts, not with patches. There will be many instances where a patch has been installed but the vulnerable files are left behind, which leaves the QID open. As such, 'Exclude Superceded Patches' operates on the QIDs detected on hosts, not on whether or not patches are already installed on the hosts.

 

QIDs 90834 and 90973 have not been detected on the host, so 90716 remains the highest advisable patch.
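The two-step walk described above, applied to the 90716 chain and a few of the relationships listed on this page for 10.0.1.10, as an added Python example (not Qualys code). The names `SUPERSEDED_BY`, `chain`, `reported_qid` and `patch_report` are hypothetical, and the sketch assumes each QID has at most one direct successor.

```python
# Added illustration of the "Exclude Superceded Patches" walk; not Qualys code.
# SUPERSEDED_BY maps a QID to the QID that directly supercedes it, built from
# relationships listed on this page. One direct successor per QID is an
# assumption of this sketch.
SUPERSEDED_BY = {
    90716: 90834, 90834: 90973,          # MS11-049 > MS12-070 > MS14-044
    91005: 91017,
    90996: 91049, 91016: 91049, 91028: 91049,
    91151: 91165, 91149: 91165,
}

# Subset of the QIDs detected on 10.0.1.10 (taken from the host's list).
DETECTED = {90716, 91005, 91017, 90996, 91016, 91028, 91049, 91151, 91149, 91165}

def chain(root, superseded_by):
    """Step 1: walk from the root QID to the QID that nothing supercedes."""
    path, seen = [root], {root}
    while path[-1] in superseded_by:
        nxt = superseded_by[path[-1]]
        if nxt in seen:  # guard against a cyclic relationship in bad data
            raise ValueError(f"cycle in supercedence data at QID {nxt}")
        path.append(nxt)
        seen.add(nxt)
    return path

def reported_qid(root, detected, superseded_by, excluded=frozenset()):
    """Step 2: backtrack from the end of the chain to the first QID that was
    detected on the host and is not excluded by another patch filter."""
    for qid in reversed(chain(root, superseded_by)):
        if qid in detected and qid not in excluded:
            return qid
    return None  # every detected QID in this chain was filtered out

def patch_report(detected, superseded_by, excluded=frozenset()):
    """QIDs left in the report once superceded detections are folded away."""
    picks = {reported_qid(q, detected, superseded_by, excluded) for q in detected}
    return sorted(picks - {None})

if __name__ == "__main__":
    print(chain(90716, SUPERSEDED_BY))
    print(patch_report(DETECTED, SUPERSEDED_BY))
```

90716 stays in the report because neither 90834 nor 90973 is in the detected set, while 91005 folds into 91017 because both were detected on the host.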

 

Example of a QID that has no MS Patches that supercede it:

QID 90856 Microsoft Open Data Protocol Denial of Service Vulnerability (MS13-007)

 

Full QID breakdown for IP 10.0.1.10:

91017 supercedes: 91005
91026 supercedes: 91018
91049 supercedes: 90996, 91016, 91028
91052 supercedes: 91025
91081 supercedes: 91064
91099 supercedes: 91029
91165 supercedes: 91151, 91149
91181 supercedes: 90987
91204 supercedes: 90551, 91027, 91038, 91056, 91053, 91059, 91070, 91065, 91066, 91075, 91085, 91094, 91112, 91140, 91150, 91169, 91185, 91180
91237 supercedes: 91182, 91209
91272 supercedes: 91139, 91153
91275 supercedes: 91218, 91236, 91253, 91262
91276 supercedes: 91030, 91069, 91260
100247 supercedes: 100215, 100218, 100220, 100227, 100229, 100232, 100237, 100244
100294 supercedes: 100249, 100257, 100259, 100266, 100269, 100273, 100276, 100277, 100281, 100284, 100288, 100290
124885 supercedes: 122826

 

Not superceded: 90047, 90698, 90716, 90997, 90998, 91007, 91012, 91017, 91026, 91041, 91048, 91049, 91052, 91060, 91067, 91071, 91079, 91081, 91083, 91091, 91099, 91104, 91107, 91110, 91133, 91135, 91158, 91165, 91167, 91178, 91181, 91198, 91204, 91208, 91211, 91213, 91237, 91238, 91248, 91254, 91267, 91272, 91273, 91275, 91276, 100247, 100294, 105489, 105665, 124885

 

(Will update when the Supercedence API becomes available with examples)
