WannaCry(pt) update: Microsoft doesn’t make things easy

Last October, Microsoft changed its Windows Update delivery model. Previously, Microsoft would release one or more individual patches for each new vulnerability. Now, Microsoft rolls up multiple patches into monthly update rollups that are also cumulative. For example, anyone who installs the Cumulative Quality Update for March 2017 also receives all the patches that were released in February 2017, January 2017, and so on, going all the way back to October 2016. The most recent Cumulative Update therefore supersedes all previous cumulative updates. Furthermore, the Monthly Updates are available in two varieties: the Quality Update Rollup and the Security-Only Update Rollup. The Quality Update Rollup contains everything in the Security-Only Rollup.

This introduces a difficulty in effective reporting for any particular vulnerability. After a Cumulative Update is installed, it replaces the previous cumulative update in the inventory of installed patches on the OS. If you have the April 2017 security update installed on your system, it will no longer report that the March 2017 update is present. The Microsoft security bulletin for MS17-010 lists all the March 2017 KB updates that patch the vulnerability, but ONLY the March KB numbers. If you have the April 2017 updates installed, none of the KB updates listed in the March document will appear as installed on your system, even though the vulnerability remains effectively patched by the subsequent cumulative security update. This is counterintuitive to many, who are used to looking at Windows Updates, scanning for the specific KB article they know fixes a problem, and quickly determining whether or not their system is effectively patched.

In order to determine if any given system is patched against the MS17-010 vulnerability (“WannaCrypt”), one has to scan for 28 possible updates (as of this writing), any one of which, if installed, successfully patches that vulnerability. The good news is that if a system is missing the critical updates that patch the MS17-010 vulnerability, the missing updates will still be immediately visible on your patch report. The Windows Update Agent reliably determines if available security updates are missing from a system, and our advanced patch report reflects that.
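As an added example (not part of the original post or of any Innovative tooling), the PowerShell check below applies the two views described above to a single host: the local hotfix inventory, where a match on any one qualifying KB is sufficient, and the Windows Update Agent's list of still-missing updates, which understands supersedence. The function name `Test-Ms17010Patched` is made up here, and `$QualifyingKBs` holds placeholder values that must be replaced with the KB numbers from the MS17-010 bulletin plus the later rollups that supersede them.

```powershell
# Added example, not from the original post. Determines whether this host is
# effectively patched against MS17-010 under the cumulative-update model.
#
# PLACEHOLDER list: fill from the MS17-010 bulletin (March 2017 KBs) plus the
# subsequent monthly rollups that supersede them. These are NOT real KB numbers.
$QualifyingKBs = @('KB0000001', 'KB0000002', 'KB0000003')

function Test-Ms17010Patched {
    param(
        [Parameter(Mandatory)] [string[]] $QualifyingKBs
    )

    # View 1: installed-patch inventory. Later rollups hide the March KBs, so
    # presence of ANY qualifying KB is enough to consider the host patched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($installed | Where-Object { $QualifyingKBs -contains $_ })

    # View 2: Windows Update Agent. It knows which updates are still missing
    # after supersedence, which is the reliable signal the post relies on.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $missing  = @()
    foreach ($update in $result.Updates) {
        foreach ($kb in $update.KBArticleIDs) {
            # KBArticleIDs holds bare digits (e.g. '4012212'); normalise to 'KB...'
            if ($QualifyingKBs -contains "KB$kb") { $missing += "KB$kb" }
        }
    }
    $missing = @($missing | Sort-Object -Unique)

    # A present qualifying KB wins even if WUA offers a newer rollup: the newer
    # rollup fixes other things, but MS17-010 itself is already closed.
    if     ($matched.Count -gt 0) { $status = 'Patched' }
    elseif ($missing.Count -gt 0) { $status = 'Missing' }
    else                          { $status = 'Unknown - check that the KB list is complete' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledMatches = $matched
        MissingMatches   = $missing
        Status           = $status
    }
}

Test-Ms17010Patched -QualifyingKBs $QualifyingKBs | Format-List
```

Run it in an elevated session on the host being assessed; the WUA search requires access to the configured update source (Windows Update or WSUS).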

If Innovative provides automated patching services to your company but you do not receive a patch report and would like to in the future, we can add you to the distribution list – just ask!

Please feel free to review this Microsoft article for more information regarding MS17-010.