What is cumulative update and security update?
Security vulnerabilities are regularly published by the dozens, and software vendors are in a constant race to issue updates that patch or mitigate them. This happens at an even faster pace on popular platforms that are appealing to researchers and attackers alike. That makes Microsoft’s Windows operating system — the leading desktop operating system by market share — a high-profile target, with a constant stream of published vulnerabilities. Microsoft uses its monthly Patch Tuesday updates to automatically secure many Windows devices against those vulnerabilities.
That means most users are safe because they have an up-to-date version of Windows. However, there are many environments in which that is not the case. For example, industrial networks are often unmanaged and isolated from the online update services, so many computers are left unpatched and vulnerable. In these cases, IT administrators still want to know, based on the updates installed on a host, which vulnerabilities remain unpatched; in other words, to determine which vulnerabilities are resolved given a list of installed patches. During our research we found this task difficult because of several complexities in the Microsoft update process. We will describe these challenges and walk through the journey of collecting data from different sources, building a dependency flow of updates, and eventually listing all remaining vulnerabilities on a host based on the list of installed updates.

Glossary

Before we dig into the specifics of what we found, it’s important to understand some terminology.
KBs can be found using the systeminfo command on a Windows machine:

There are two main types of updates (as explained in Microsoft Docs):
Below is an illustration of KBs for Windows Server 2012 R2 showing connections between Monthly Rollups and Security-Only Updates.
Available Resources

The following resources are available from Microsoft, and were useful during our research as we tried to understand the relationships between specific CVEs and the KBs that remediate or mitigate them.

MSRC (Microsoft Security Response Center)

Every Patch Tuesday, the MSRC publishes a Security Update Guide where users can find release notes for the KBs. Users can download the guide and map affected products to articles (KBs) and understand the impact of vulnerabilities, their severity as determined by Microsoft, and the CVE (Common Vulnerabilities and Exposures) number. From here you can download an Excel spreadsheet containing this information.

Microsoft’s Security Update Guide information, including a KB article and CVE.

Microsoft Support

This resource helps users learn more details about specific KBs; in the case below, the November 2021 Monthly Rollup. Here, users can connect all KBs related to a specific Windows version.

Users can learn which KBs are mapped to which Windows version via the Microsoft Support resource.

Microsoft Update Catalog

This searchable resource provides information about KBs and allows users to download them as well. Users should also note the “Package Details” tab, which shows how KBs are connected and which KBs replace previous ones.

The Package Details tab shows previous KBs related to a particular Windows version and build.

Our Problem

Now that we understand the resources available, let’s tackle our problem, which is to understand the relationships between CVEs and the chain of KBs that remediate vulnerabilities. For a user wishing to understand which KB addresses a particular CVE, the MSRC’s Security Update Guide may not provide enough information because it doesn’t illustrate the cumulative connection between KBs.
Below, you can see this connection: the May Monthly Rollup contains the fix for CVE-1, while the June Monthly Rollup contains CVE-2 and also CVE-1 because it cumulatively includes the May update. The July Monthly Rollup, meanwhile, is another cumulative rollup that patches CVE-1, CVE-2, and CVE-3.

The cumulative connection between KBs.

The CVE details provided in the Security Update Guide connect a CVE only to the first KB that resolves it (blue arrows, below), but not to newer KBs that also contain the original fix (red arrow). For this information, users have to make that connection themselves in the Microsoft Update Catalog or on the Microsoft Support page.

MSRC’s Security Update Guide, left, shows that a particular CVE is included in the current month’s Monthly Rollup and Security-Only Update, but it isn’t updated in later months to show that it’s also addressed in a future cumulative Monthly Rollup.

There needs to be a single cumulative mechanism to understand the relationships between CVEs and KBs and whether a machine is at a current patch level.

Solving Our Problem

In order to solve the problem we need:
Once we have that information, the process would look like this:

1. To determine the first connection between a CVE and all direct KBs that resolve it, download the Excel spreadsheet from MSRC (Source 1).

2. To identify all future KBs that resolve a CVE:
3. To connect CVEs to all the KB chains that remediate them:
Building a KB chain from Microsoft Update Catalog

In the second step above we searched the Microsoft Update Catalog to build a chain of KBs. This, however, turned out to not be so easy. While collecting KB connections from this source, we discovered that they do not form a single, one-to-one chain. Below, the KBs are the blue nodes, and the edges represent the connections between KBs based on Catalog searches. You can see it looks like a mash of connections, since the information in the Catalog about a specific KB lists not only the latest KB it’s connected to, but also all the KBs before it. For example, we would expect them to be in chronological order, January 2020 → February 2020 → March 2020, but as you can see we also have the indirect connection between January 2020 and March 2020.

A graphical representation of Knowledge Bases and their direct and indirect connections.

To get the one-to-one chain we wanted, we searched the mash of connections for the longest path, creating this new one-to-one chronological (however, not sequential) chain graph.

A one-to-one relationship between KBs.

Full flow example

The example below shows the process of creating the KB chain and understanding, based on the installed KBs, which CVEs the computer is vulnerable to.

Windows version: Windows Server 2012 R2
Date: December 2021, after Patch Tuesday
KB installed: KB5008263, December Monthly Rollup, the latest Monthly Rollup for that date

To simplify this example, we will focus only on some of the CVEs from MSRC that affect Windows Server 2012 R2 (only those with a critical severity and a potential impact of remote code execution upon successful exploitation). Highlighted below:
Our question now: what are the relationships between those four KBs? Here we’ll describe only one way to find the KB relationships, using the Catalog; alternatively you can use other resources such as Microsoft Support to make connections faster rather than gathering information recursively. But take note that the connections aren’t always the same, and you should choose the way that better suits you. Below is a search in the Catalog for a specific KB, for example KB5008263, the December Monthly Rollup:

KB5008263 in the Microsoft Update Catalog.

In the Package Details, you can find KB5007247 among the KBs that KB5008263 replaced, showing the cumulative Monthly Rollup connection from December back to November.

KB5008263 details in the Microsoft Update Catalog.

This demonstrates the relationship between four CVEs for this Windows version from MSRC and their corresponding KBs:
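As an added example (not code from the original article), the Python below collapses a constructed Catalog "replaces" graph into the longest-path chain described above and then, using a constructed CVE-to-first-KB map standing in for the MSRC spreadsheet (Source 1), lists which CVEs remain unpatched for a given set of installed KBs. KB_SEP, KB_OCT and the CVE ids are placeholders; only KB5007247 and KB5008263 come from the article.

```python
from functools import lru_cache

# Constructed sample of the Catalog's "Package Details" data: each newer KB lists
# every older KB it replaces, not only its direct predecessor (the "mash" the
# article describes). KB5007247 (Nov 2021) and KB5008263 (Dec 2021) are named on
# the page; KB_SEP and KB_OCT are made-up placeholders for earlier rollups.
REPLACES = {
    "KB5008263": ["KB5007247", "KB_OCT", "KB_SEP"],
    "KB5007247": ["KB_OCT", "KB_SEP"],
    "KB_OCT": ["KB_SEP"],
    "KB_SEP": [],
}

# Constructed stand-in for the MSRC spreadsheet (Source 1): each CVE mapped to
# the first KB that resolves it. The CVE ids are illustrative, not real ones.
CVE_FIRST_KB = {"CVE-1": "KB_SEP", "CVE-2": "KB_OCT",
                "CVE-3": "KB5007247", "CVE-4": "KB5008263"}


def kb_chain(replaces, newest):
    """Collapse the many-to-many 'replaces' graph into the one-to-one
    chronological chain: the longest path from the newest KB, oldest-first."""
    @lru_cache(maxsize=None)
    def longest_from(kb):
        best = ()
        for older in replaces.get(kb, ()):
            path = longest_from(older)
            if len(path) > len(best):
                best = path
        return (kb,) + best

    return list(reversed(longest_from(newest)))


def cves_resolved_by(kb, chain, cve_first_kb):
    """CVEs whose first fix sits at or before `kb` in the cumulative chain."""
    if kb not in chain:
        return set()
    covered = set(chain[: chain.index(kb) + 1])
    return {cve for cve, first in cve_first_kb.items() if first in covered}


def unpatched_cves(installed_kbs, chain, cve_first_kb):
    """CVEs still open on a host, given the KBs that `systeminfo` reports.
    Only the newest installed KB in the chain matters (rollups are cumulative)."""
    known = [kb for kb in installed_kbs if kb in chain]
    if not known:  # nothing from this chain installed: every CVE is open
        return set(cve_first_kb)
    newest = max(known, key=chain.index)
    return set(cve_first_kb) - cves_resolved_by(newest, chain, cve_first_kb)
```

A Security-Only Update chain would be built the same way from its own "replaces" edges and checked separately, since the two chains are not interchangeable.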
Summary

Windows updates are complex. The information about them is spread among multiple sources and the relationships between them are not straightforward. We showed, however, that this can be untangled by properly understanding the mechanism to its full extent. This is an important step for a security practitioner to be able to have an accurate view of the vulnerabilities that put their network at risk. We have demonstrated how you can connect both a CVE to all the KBs that resolve it, and a KB to all the CVEs it resolves. The next time you hear about a new vulnerability, you have the knowledge and tools to verify whether you’re patched. Mapping the installed updates to applicable vulnerabilities, while sometimes more complex than you would have thought, can be achieved with a bit of research and investment.

What is a cumulative security update?

Security updates or critical updates mitigate vulnerabilities in Microsoft Windows against security exploits. Cumulative updates are updates that bundle multiple updates, both new and previously released ones.
Does a cumulative update include security updates?

Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Is a cumulative update necessary?

Quality updates (also referred to as "cumulative updates" or "cumulative quality updates") are the mandatory updates that your computer downloads and installs automatically every month through Windows Update, usually on the second Tuesday of the month ("Patch Tuesday").
What is the purpose of a security update?

In simple terms, security updates are software updates primarily focused on patching existing bugs or flaws to improve software security. So if a hacker discovers a way to take over your device remotely, this is a bug and a security update can help fix it.