I was recently putting together material for a recurring vulnerability management meeting with one of our clients. This involves comparing authenticated scanning results from one scanning period to the next in an effort to determine progress in addressing high-risk vulnerabilities; particularly, missing Microsoft, Adobe and Java patches, as vulnerabilities in these products are generally considered of highest risk for client-side exploitation by malware, directed attacks via phishing, etc.

In previous meetings, this client had several instances where they were missing a patch related to Microsoft Security Bulletin MS14-058, which was released on October 14, 2014. This is a vulnerability with the highest severity rating given by Microsoft – ‘Critical’ – in which an attacker could perform remote code execution by exploiting a vulnerability in the kernel-mode driver¹. In compiling data for today’s meeting, I found their active vulnerability count for MS14-058 had dropped significantly. This is to be expected as MS14-058 was superseded by Microsoft Security Bulletin MS14-079 on November 11 addressing a denial of service vulnerability in the very same kernel-mode driver². However, MS14-079 was nowhere to be found within the new list of active high-risk vulnerabilities. This puzzled me as I had assumed that when a patch with a ‘Critical’ rating was superseded, the superseding patch should logically also be rated as ‘Critical’. In this case, MS14-079 is actually rated as a ‘Moderate’ risk by Microsoft, which is the third highest severity rating (behind ‘Critical’ and ‘Important’) Microsoft gives its security bulletins.

The above situation got me thinking. What if an organization had a patch management process in which it did not immediately patch vulnerabilities due to lack of manpower, pre-patch testing and usability requirements, or simply a lack of urgency? What if an organization only deployed patches (whether through a patch management system or manual patching) with a ‘Critical’ or ‘Important’ rating, but accepted the risk and allowed ‘Moderate’ and ‘Low’ issues to go unpatched? Is it possible a ‘Critical’-rated patch could be superseded by a lower-risk patch before the ‘Critical’-rated issue could be addressed? If so, this would mask the fact that the organization had an unpatched ‘Critical’-rated vulnerability on its network and greatly increase its risk.

Imagine the following scenario: An organization has a quarterly patching process in which only those Microsoft patches rated ‘Critical’ and ‘Important’ are applied on the 1st day of each quarter. On October 1, the organization applies all known patches. On October 14, ‘Patch Tuesday’ arrives and, among other ‘Critical’ patches, MS14-058 is released. Since the next patching cycle is not until January 1, these patches are not applied. November’s Patch Tuesday arrives and MS14-058 is superseded by MS14-079. However, MS14-079 is rated ‘Moderate’. When January 1 arrives and the organization goes to apply all of its ‘Critical’ and ‘Important’ patches, MS14-079 is not included. Because MS14-058 has been superseded, it is not offered either. The organization now thinks it has patched all of its Critical vulnerabilities and reduced its risk; unfortunately, because of Microsoft’s current superseding mechanism, the organization still has a Critical vulnerability on every Microsoft system across its network, leaving it at risk for exploitation.

I decided to test this theory for myself. Since I was up to date on patches on my Windows 7 image as of this morning, I uninstalled MS14-079, rebooted my machine, then ran Windows Update. The following is a screenshot of what I saw:

[Screenshot: Windows Security Update]

Obviously, since I removed MS14-079 (KB3002885), it now shows I am missing this patch.

Note: The fact that it shows up in Windows Update as ‘Important’ while the KB article calls it ‘Moderate’ shows a bit of inconsistency on Microsoft’s part. Different patch management systems may handle these designations differently.

I then uninstalled MS14-058 (KB3000061):

[Screenshot: Windows Update Uninstall]

After again rebooting the system and running Windows Update, my theory proved to be true. I am shown that I am missing the ‘Moderate’-risk MS14-079, completely masking the fact I am also missing a ‘Critical’ update in MS14-058:

[Screenshot: Windows Security Update]

I also took a look at how Windows Server Update Services (WSUS) handles this superseding situation. Once again, it only shows I am missing a ‘Moderate’ risk update and that I should manually “verify…the superseding update first.”

[Screenshot: Windows Security Update Notice]

Although MS14-079 is of ‘Moderate’ risk, that is only true if you have already patched for MS14-058. I have posed this question to Microsoft on their Facebook page and am awaiting an answer. Bottom line, Microsoft needs a mechanism within its patch rating and Windows Update processes that determines whether any superseded patches have not been applied and raises the rating of the superseding bulletin accordingly. An even better solution would be a policy under which a patch can only supersede another patch of equal or lesser risk rating; otherwise, a new, non-superseding patch should be released. I will update this post if and when I hear back from Microsoft – stay tuned!
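To make the quarterly scenario and the rating-escalation mechanism proposed above concrete, here is an added example (not code from the original post, and not how Windows Update or WSUS is actually implemented): the supersedence chain of each offered update is walked, and the update inherits the highest rating of any superseded update the host is still missing. The catalogue and the host's installed-KB set are constructed for the example; the bulletin and KB numbers are the ones quoted in the post.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}

@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    kb: str                 # KB number a scanner or WSUS reports as missing
    severity: str           # Microsoft's published rating for this bulletin
    supersedes: tuple = ()  # bulletin ids this update replaces

# Constructed catalogue: the two bulletins and KB numbers quoted in the post
CATALOG = {
    "MS14-058": Bulletin("MS14-058", "KB3000061", "Critical"),
    "MS14-079": Bulletin("MS14-079", "KB3002885", "Moderate", ("MS14-058",)),
}

def superseded_chain(bulletin_id, catalog=CATALOG):
    """Every bulletin transitively replaced by bulletin_id."""
    chain, stack = [], list(catalog[bulletin_id].supersedes)
    while stack:
        bid = stack.pop()
        if bid not in chain:
            chain.append(bid)
            stack.extend(catalog[bid].supersedes)
    return chain

def effective_severity(bulletin_id, installed_kbs, catalog=CATALOG):
    """Published rating, raised to the highest rating of any superseded
    update that this host is also still missing."""
    rating = catalog[bulletin_id].severity
    for bid in superseded_chain(bulletin_id, catalog):
        old = catalog[bid]
        still_missing = old.kb not in installed_kbs
        if still_missing and SEVERITY_RANK[old.severity] > SEVERITY_RANK[rating]:
            rating = old.severity
    return rating

def updates_to_apply(installed_kbs, min_severity="Important", chain_aware=True, catalog=CATALOG):
    """Bulletins a 'rated at least min_severity' policy deploys. As in Windows
    Update, only the newest missing update (one not itself superseded) is offered."""
    replaced = {bid for b in catalog.values() for bid in b.supersedes}
    chosen = []
    for b in catalog.values():
        if b.kb in installed_kbs or b.bulletin_id in replaced:
            continue  # already applied, or hidden behind its superseding update
        rating = b.severity
        if chain_aware:
            rating = effective_severity(b.bulletin_id, installed_kbs, catalog)
        if SEVERITY_RANK[rating] >= SEVERITY_RANK[min_severity]:
            chosen.append(b.bulletin_id)
    return sorted(chosen)
```

For a host that applied nothing after October 1, `updates_to_apply(set(), chain_aware=False)` returns an empty list (the Critical gap is masked), while the chain-aware default returns `['MS14-079']` because its effective rating is Critical.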

____________________________________

¹ “Microsoft Security Bulletin MS14-058”
² “Microsoft Security Bulletin MS14-079”