.NET Framework False Positives

@BaiYunfei Can you please urgently check why the following patches are still applicable (and there may be more) when the December 2016 Security and Quality Rollup for .NET Framework (KB3205402) has been installed.

MS16-035: Security Update for .NET Framework to Address Security Feature Bypass - Windows Server 2008 R2 SP1 / Windows 7 SP1 - .NET Framework 4.5.2 - LDR Branch - KB3135996 (x64)
MS16-035: Security Update for .NET Framework to Address Security Feature Bypass - Windows Server 2008 R2 SP1 / Windows 7 SP1 - .NET Framework 4.5.2 - KB3135996 (x64)
MS16-091: Security Update for .NET Framework - Windows Server 2008 R2 SP1 / Windows 7 SP1 - .NET Framework 4.5.2 - KB3163251 (x64)
MS16-065: Security Update for .NET Framework - Windows Server 2008 R2 SP1 / Windows 7 SP1 - .NET Framework 4.5.2 - KB3142033 (x64)
MS16-019: Security Update for .NET Framework to Address Denial of Service - Windows Server 2008 R2 SP1 / Windows 7 SP1 - .NET Framework 4.5.2 - KB3127229 (x64)
MS16-019: Security Update for .NET Framework to Address Denial of Service - Windows Server 2008 R2 SP1 / Windows 7 SP1 - .NET Framework 4.5.2 - KB3122656 (x64)

If you look at the Microsoft article, this rollup should replace all previously released updates - https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/

Thanks.

Hi @nicksberger,

Thanks for the report, we will analyze this and post an update by early next week. Thank you!

The supersedence has been fixed; kindly gather the latest Patches for Windows site.

Thank you!

I think these should also be superseded:

40398 MS14-053: Vulnerability in .NET Framework Could Allow Denial of Service - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB2972216 (x64)
40444 MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB2978128 (x64)
40691 MS15-041: Vulnerability in .NET Framework Could Allow Information Disclosure - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3037581 (x64)
40627 MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3023224 (x64)
40918 MS15-101: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3074230 (x64)
40932 MS15-101: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3074550 (x64)
41070 MS15-118: Security Update for .NET Framework to Address Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3097996 (x64)
41081 MS15-118: Security Update for .NET Framework to Address Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3098781 (x64)

We modified how the .NET supersedence is done, to cater for customers who are applying Security Only patches and not applying the rollups. Instead of marking them superseded, we added a relevance to prevent them from being relevant after the rollup is installed.

Kindly let us know if you see that any of the Fixlets are not reporting as expected. Thank you!

BaiYunfei,

Our enterprise is also reflecting relevant devices for .NET Framework patches going back to MS15-048. Is there something in the relevance we can look for to make sure we have the latest relevance?

Thank you!

Jim Donlin

Hi Jim,

Which .NET version do you have on those endpoints?

FYI, take MS15-101: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege - Windows Server 2008 R2 SP1 / Windows 7 SP1 / Windows Server 2008 SP2 / Windows Vista SP2 - .NET Framework 4.5/4.5.1/4.5.2 - KB3074550 (x64) as an example. According to http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=94338d3f-fab8-4bcd-9227-0be6508586e5 it is superseded by KB3205402, which is a Monthly Rollup. This means it contains non-security updates as well. In order to cater for the users who only apply security-only updates, they cannot be superseded.

If you are one of those users, it would rightfully be relevant.

Thank you Jason,

I’m aware of how things work.

BaiYunfei mentioned that there was relevance added. I was hoping to find out what exactly was added.

Our situation is different where we need to account for older patches. We are seeing relevant devices for some of these patches that do have later patches, which would fit the scenario that BaiYunfei mentions.

I may bring this up in a PMR.

Thanks again & Kind Regards,

Jim

Hi Jim,

It would be quite difficult to answer your question

> what exactly was added.

without going into too much technical detail; it’s a Relevance that would be evaluated as false if the monthly rollup is installed. Let’s continue the conversation in the PMR then, thank you for reporting.