One of the most common false positive cases we see from a support perspective is this: Nexpose reports a vulnerability because a specific patch is not installed, but when you try to apply the patch, the system refuses to install it and reports that the patch is not applicable.
In many cases the cause is another patch already installed on the system that blocks the one you are trying to install. Sometimes the patch that is installed and doing the blocking also fixes the vulnerability the blocked patch addresses, in which case the finding really is a false positive. In other cases, I have found no indication that the blocking patch fixes the vulnerability at all.
For example, let’s look at MS11-013 for a minute. Based on this:
It appears you need to install KB2425227 to fix this vulnerability. However, I have found that if you have KB2743555 installed, you will not be able to install KB2425227. So let’s look at KB2743555 (MS12-069) for a minute:
If I’m reading this article correctly, on a Server 2008 R2 system KB2743555 replaces KB2425227 only if the system is Itanium-based. On an x64-based system it DOES NOT replace KB2425227, so both patches would need to be installed to fix the vulnerabilities associated with MS12-069 and MS11-013. Unfortunately, I have found that on an x64-based Server 2008 R2 system where KB2743555 happens to be installed first, it still prevents you from installing KB2425227, even though, based on the information on Microsoft’s website, KB2425227 should be applied to that system.
Now let’s take a look at MS12-081. Based on this:
It appears you need to install KB2758857 to fix this vulnerability. However, I have found that if you have KB2726535 installed, you will not be able to install KB2758857. What’s interesting about this one is that if you look at the Microsoft Knowledge Base article for MS12-081:
under the ‘More information about this security update’ section, you will find the following:
Known issues with this security update
This security update is not offered by Windows Update if update 2726535 is already applied on your computer. Additionally, if you try to install the stand-alone package of this security update, you receive a “The update is not applicable to your computer” error message.
To resolve this issue, uninstall update 2726535, and then install this security update. After this security update is applied, reinstall update 2726535.
Note there is no security risk that is introduced by this issue. The system is protected against the vulnerability that is described in Bulletin MS12-081 if update 2726535 is applied.
In this case, if I had a system that had 2726535 applied to it, there is a good chance I would still get flagged for MS12-081 and see something like this in my scan log:
(WINDOWS-HOTFIX-MS12-081-6391387) - VULNERABLE
Taking it a step further, if I open up the specific MS12-081-6391387 vulnerability check, I see that it looks for KB2758857 but does not appear to take KB2726535 into consideration. I would consider this example a false positive, and I recently filed a defect with our development team to improve our check for MS12-081 so that it also checks whether 2726535 is installed.
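To make the difference between the two kinds of check concrete, here is a model of a supersedence-aware hotfix check. It is an added example and is not Nexpose's own check code. It assumes a simple per-bulletin table listing the KB the bulletin ships, any KBs documented to cover it on a given architecture, and any KBs known to block its installer; the bulletin/KB relationships are the ones discussed above, while the function names, status strings, table layout and the sample Get-HotFix output are this example's own constructions. The naive check that stops at the shipped KB flags MS12-081 on a host with KB2726535; the supersedence-aware check treats KB2726535 as protecting the host, as Microsoft's article says it does. The MS11-013 case on x64 stays flagged, but it is labelled as blocked so an analyst knows why the patch will not install.

```python
import re
from typing import Dict, Set, Tuple

# Added example: a model of a supersedence-aware hotfix check. It is not Nexpose's
# check code; the table layout, function names and status strings are assumptions
# made for this illustration. The bulletin/KB relationships are those discussed above.
CHECKS = {
    "MS12-081": {
        "fixes": {"KB2758857"},            # the KB the bulletin ships
        # Microsoft's KB article states the host is protected if 2726535 is applied,
        # regardless of architecture ("*").
        "also_fixed_by": {"*": {"KB2726535"}},
        "blocked_by": {"KB2726535"},       # installer says "not applicable" with this present
    },
    "MS11-013": {
        "fixes": {"KB2425227"},
        # Per the MS12-069 replacement table, KB2743555 replaces KB2425227 on Itanium
        # only; on x64 Microsoft lists both as required, so x64 gets no coverage here.
        "also_fixed_by": {"ia64": {"KB2743555"}},
        "blocked_by": {"KB2743555"},
    },
}

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_hotfix_ids(text: str) -> Set[str]:
    """Pull KB identifiers out of Get-HotFix or wmic qfe style output."""
    return set(KB_RE.findall(text))


def naive_evaluate(bulletin: str, installed: Set[str]) -> str:
    """The check as the post describes it: look only for the KB the bulletin ships."""
    return "PATCHED" if installed & CHECKS[bulletin]["fixes"] else "VULNERABLE"


def evaluate(bulletin: str, installed: Set[str], arch: str) -> Tuple[str, str]:
    """Return (status, detail) for one bulletin against the installed KB set.

    PATCHED            - the shipped KB, or a KB documented to cover it on this arch, is present
    VULNERABLE_BLOCKED - the shipped KB is missing and a KB known to block its installer is present
    VULNERABLE         - the shipped KB is missing and nothing covers it
    """
    check = CHECKS[bulletin]
    hits = installed & check["fixes"]
    if hits:
        return "PATCHED", f"{bulletin}: {sorted(hits)} installed"
    covering = check["also_fixed_by"].get("*", set()) | check["also_fixed_by"].get(arch, set())
    hits = installed & covering
    if hits:
        return "PATCHED", f"{bulletin}: covered by superseding {sorted(hits)} on {arch}"
    blockers = installed & check["blocked_by"]
    if blockers:
        return ("VULNERABLE_BLOCKED",
                f"{bulletin}: {sorted(check['fixes'])} missing; installer is blocked by "
                f"{sorted(blockers)}, check vendor supersedence guidance before removing it")
    return "VULNERABLE", f"{bulletin}: {sorted(check['fixes'])} missing"


def scan(installed: Set[str], arch: str) -> Dict[str, Tuple[str, str]]:
    """Evaluate every bulletin in the table against one host."""
    return {b: evaluate(b, installed, arch) for b in CHECKS}


# Constructed sample of Get-HotFix output for an x64 Server 2008 R2 host that has the
# two blocking KBs installed and neither of the KBs the bulletins ship.
SAMPLE_HOTFIX_OUTPUT = r"""
Source  Description      HotFixID   InstalledBy          InstalledOn
------  -----------      --------   -----------          -----------
SRV01   Security Update  KB2726535  NT AUTHORITY\SYSTEM  11/14/2012 12:00:00 AM
SRV01   Security Update  KB2743555  NT AUTHORITY\SYSTEM  11/14/2012 12:00:00 AM
"""

if __name__ == "__main__":
    installed = parse_hotfix_ids(SAMPLE_HOTFIX_OUTPUT)
    for bulletin, (status, detail) in scan(installed, "x64").items():
        print(f"naive={naive_evaluate(bulletin, installed):<10} {status:<18} {detail}")
```

On a real host, the text to parse is whatever `Get-HotFix` (or `wmic qfe list`) prints; the regex only needs the KB numbers, so column alignment does not matter. The `also_fixed_by` entries should be filled in only from vendor statements like the one quoted below for MS12-081; a blocker that merely stops the installer, as KB2743555 does on x64, is deliberately not treated as a fix.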
However, what about the first example?
To be honest, I don’t know, and I certainly do not consider myself a subject matter expert on the vulnerability associated with MS11-013.
Ultimately, I am writing this blog for two reasons:
1. To begin building a list of patches that prevent other patches from being installed. I will continue to contribute to this list as I uncover items to add to it and hope others will do the same. Hopefully at least a few people out there will get a few hours of their life back as a result of it and be able to get some ‘not applicable’ patches installed.
2. To open a discussion on these patches. Does the patch in the first example really fix the vulnerability on an x64-based Server 2008 R2 system? Is that just a typo on Microsoft’s website? Or is it a false negative on Microsoft’s side, and the MBSA you are looking at is telling you that you are fully patched even though you really aren’t? And if that is the case, how many systems like this are out there in the wild?
Please feel free to add any comments or feedback below. Or if you have found any patches that prevent other patches from being installed please add them to the list. I’ll start with the 5 that I’ve found so far.