WannaCry Ransomware attack - please install MS17-010

Thanks, that’s correct. Updated content is available in Patches for Windows, version 2756. We are sorry for the inconvenience caused.

1 Like

Thank you, we are rocking now!! :slight_smile:

More information on the attack itself at X-Force Exchange

Since MS has the patches in Rollups, what's the best way to determine if just this single patch is installed?

Looks like it was separated out in one of the links above.

Alexa,

We are using this to look for the original KB’s for MS17-010 AND all the KB’s that superseded them.

not exists keys whose (name of it contains "KB4012216" or name of it contains "KB4013429" or name of it contains "KB4012598" or name of it contains "KB4012606" or name of it contains "KB4012214" or name of it contains "KB4012217" or name of it contains "KB4012213" or name of it contains "KB4012212" or name of it contains "KB4012215" or name of it contains "KB4015217" or name of it contains "KB4019472" or name of it contains "KB4015221" or name of it contains "KB4019474" or name of it contains "KB4015551" or name of it contains "KB4019216" or name of it contains "KB4015549" or name of it contains "KB4019264" or name of it contains "KB4018466" or name of it contains "KB4015550" or name of it contains "KB4019215") of keys ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages";"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Hotfix") of (x32 registries;x64 registries)

This should return any system that is not patched

3 Likes

It returns True on a Windows 10 Creator with all updates installed. I haven’t tried it on other systems.

2 Likes

Windows 10 was already not-vulnerable to WannaCry. I’m not sure how that’s reflected in the KB numbers.

Sounds like the relevance needs to simply exclude Win10 systems, since they will never show any of the KB Articles being installed.

1 Like

This relevance is a little cleaner. Credit @jgstew

not exists keys whose( exists ( (name of it), ("KB4012216";"KB4013429";"KB4012598";"KB4012606";"KB4012214";"KB4012217";"KB4012213";"KB4012212";"KB4012215";"KB4015217";"KB4019472";"KB4015221";"KB4019474";"KB4015551";"KB4019216";"KB4015549";"KB4019264";"KB4018466";"KB4015550";"KB4019215") ) whose(item 0 of it contains item 1 of it) ) of keys ("Windows\CurrentVersion\Uninstall";"Windows\CurrentVersion\Component Based Servicing\Packages";"Windows NT\CurrentVersion\Hotfix") of keys "HKLM\SOFTWARE\Microsoft" of (x32 registries;x64 registries)

2 Likes
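
The check made by the two relevance statements above, modelled offline in Python as an added example (not code from this thread or from BigFix): it takes registry subkey names already collected from the three locations and lists the hosts on which none of the listed KBs appears. The host names and key names are constructed sample data, and it compares whole KB tokens rather than substrings, which is stricter than `contains`.

```python
import re

# KB numbers copied from the relevance statements in this thread.
MS17_010_KBS = frozenset("""
KB4012216 KB4013429 KB4012598 KB4012606 KB4012214 KB4012217 KB4012213
KB4012212 KB4012215 KB4015217 KB4019472 KB4015221 KB4019474 KB4015551
KB4019216 KB4015549 KB4019264 KB4018466 KB4015550 KB4019215
""".split())

KB_TOKEN = re.compile(r"KB\d+", re.IGNORECASE)


def matched_kbs(key_names):
    """Listed KBs that occur as whole KB tokens in any registry key name."""
    tokens = {t.upper() for name in key_names for t in KB_TOKEN.findall(name)}
    return tokens & MS17_010_KBS


def flagged_hosts(inventory):
    """Hosts with no listed KB: what 'not exists keys whose ...' is True for."""
    return sorted(h for h, names in inventory.items() if not matched_kbs(names))


# Constructed inventory (hypothetical hosts): subkey names collected from the
# Uninstall, Component Based Servicing\Packages and HotFix keys, both views.
SAMPLE_INVENTORY = {
    "win7-patched": ["Package_for_KB4012215~31bf3856ad364e35~amd64~~6.1.1.2"],
    "xp-patched": ["KB4012598", "KB0000001"],
    "win7-missing": ["Package_for_KB0000001~31bf3856ad364e35~amd64~~6.1.1.0"],
    # Constructed case: a host whose installed updates carry only a KB that is
    # not on the list (placeholder number) is still flagged.
    "win10-other-kb": ["Package_for_KB0000002~31bf3856ad364e35~amd64~~10.0.1.0"],
    # A substring test would match KB4012215 here; a token match does not.
    "lookalike": ["Package_for_KB40122150~31bf3856ad364e35~amd64~~6.1.1.0"],
}

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        kbs = sorted(matched_kbs(SAMPLE_INVENTORY[host]))
        print(f"{host:16} {'ok ' + ','.join(kbs) if kbs else 'NO LISTED KB FOUND'}")
    print("flagged:", flagged_hosts(SAMPLE_INVENTORY))
```
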

Hmm Microsoft was all over the press over the weekend saying “Windows 10 is not affected”. But looking back at the original bulletin, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396 , they do list the SMB issue as Critical on Win10, listing KB4012606, KB4013198, or KB4013429 depending on the Win10 build number.

I don’t see the checks for 4013198 or 4013429 in the list above…

4013429 is the second one in the list. But you are right about 4013198. I also noticed 4013198 doesn’t return any content in the patches for windows site.

Yes, I’m also running into this. I still don’t have a definitive answer from MS about whether or not Win 10 is vulnerable.

I spent some time today creating Fixlets for the workarounds for disabling SMBv1 for those who cannot install the MS17-010 patch.
Source: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Disable Fixlets for various OS and methods:
https://www.bigfix.me/fixlet/details/24313
https://www.bigfix.me/fixlet/details/24316
https://www.bigfix.me/fixlet/details/24318
https://www.bigfix.me/fixlet/details/24320
https://www.bigfix.me/fixlet/details/24322

Created companion “enable” Fixlets for reversal
https://www.bigfix.me/fixlet/details/24315
https://www.bigfix.me/fixlet/details/24317
https://www.bigfix.me/fixlet/details/24319
https://www.bigfix.me/fixlet/details/24321
https://www.bigfix.me/fixlet/details/24323

Note that some people with Windows 2003 are getting an error when trying to log in with remote desktop into a Windows 2003 server after applying KB4013429 patch.

8 Likes

Thanks for the great work and the warnings! Anyone else seeing side-effects?

One of five domain controllers in my environment failed to start the DNS Server service automatically post-reboot, but the service started up fine manually. I imagine it was a timing issue while some of the post-reboot activities were running to complete the patch. This did not occur on my other 5 DCs, nor did I see any other issues (yet).

2 Likes

I have some related stuff from Feb:

1 Like

Our security scanning tool is looking for the lsasrv.dll file version. I’m trying to build a Fixlet matching the same detection logic so we will not have conflicts in the reports. Since these are OS-protected files, are there any alternate ways to read the file version in BigFix?

Win10

Q: version of file "C:\Windows\System32\lsasrv.dll"
E: Singular expression refers to nonexistent object.

Win7

Q: version of file "C:\Windows\System32\drivers\srv.sys"
E: Singular expression refers to nonexistent object.

I suppose your Windows is 64-bit. The BigFix agent is a 32-bit app, and references to C:\Windows\System32 are redirected to C:\Windows\SysWOW64.
Try native file or x64 file instead of file.

1 Like

Thanks, the native file command worked.

1 Like

The patch is installed on servers, but the servers have not been rebooted. I would like to know where this patch is installed and pending a reboot.