[jvl45]

Background

I just started in the new position of IT Security at a company. I immediately started vulnerability scans. One of the scans are monthly scans for compliance to Microsoft patches (using Nessus). The scans results indicate what patches have not been installed. Several groups inside of the company have been scanned and have caught up with their patching - using MS WSUS.

One team, which has fallen substantially behind in their patching of their Windows XP Professional PC's, has told me they are only installing recent patches since the ones they are installing supersede those patches that came out in 03, 04, 05,06,07 and some of 08. They have fears that installation of older patches will nullify more recent patches.

My thoughts/questions are:

1. They couldn't tell me what patches superseded each other so I could adjust my scan accordingly. I believe they never patched from the beginning and only started patching in July of 08 - starting with current patches only. Without a "supersede" list in hand, I believe there are still vulnerabilities that could be exploited.

2. I believe, but would like someone to confirm, that WSUS would take care of the proper versioning of patches. Installing an older patch, after an more recent patch was installed first, would not nullify the newer patch.

3. Does MS keep a master list of what what patches supersede each other?

[cluberti]

jvl45, on Sep 16 2009, 10:09 AM, said:

1. They couldn't tell me what patches superseded each other so I could adjust my scan accordingly. I believe they never patched from the beginning and only started patching in July of 08 - starting with current patches only. Without a "supersede" list in hand, I believe there are still vulnerabilities that could be exploited.

Most Windows binaries are updated cumulatively - if you have a newer version of a binary from a newer patch level, then that patch supercedes an older patch that updates the same binary. However, with WinSXS, dllcache, and the potential for having multiple versions of files on the same machine, it is possible for a vulnerability scan to detect missing patches when a quick glance at a binary on the box (for example, a .dll in system32) shows it's newer than an old patch - a vulnerable version may still be located on the machine.

jvl45, on Sep 16 2009, 10:09 AM, said:

2. I believe, but would like someone to confirm, that WSUS would take care of the proper versioning of patches. Installing an older patch, after an more recent patch was installed first, would not nullify the newer patch.

WSUS would indeed care for proper deployment and versioning, as it uses the same AU engine that Windows Update, MBSA, etc all use when scanning and patching machines.

jvl45, on Sep 16 2009, 10:09 AM, said:

3. Does MS keep a master list of what what patches supersede each other?

Yes. Most KB articles for patches have an "IT Professional" link that points to the technet page for the article. This will contain a list of updates the patch supercedes. Note that this can also be found in WSUS when looking at a specific patch.

You are right to worry about installing older patches though - they can "break" newer patches depending on how far back they go. It would probably be wise to consider that it may be easier to simply install SP3 and use WSUS to handle the rest. Considering all support for XPSP2 will end in July 2010, it would make sense to have them start planning for an upgrade to SP3 now rather than wait, given the current patching situation. SP3 has been available since April 2008, there's really no reason that they should still have app compat issues that would require SP2 at this point, these (if they exist) should have been mitigated in the last 17 months.

Otherwise, you can try to introduce WSUS into the current situation and hope it's able to "catch them up". You'll probably have a stray machine or 3 that simply won't install a patch that WSUS insists they're missing, and you'll have to handle those one-off instances as they come up.