Re: Defense in depth -- the Microsoft way (part 20): Microsoft Update may fail to offer current security updates

[Susan Bradley <sbradcpa () pacbell net>]

Be aware that any out of date Silverlight will be blocked as of 
November's IE release.
http://blogs.msdn.com/b/ie/archive/2014/10/14/october-2014-updates-and-a-preview-of-changes-to-out-of-date-activex-control-blocking.aspx
http://technet.microsoft.com/en-us/ie/dn818438.aspx
"This update notifies you when a Web page tries to load a Silverlight 
ActiveX control older than (but not including) Silverlight 5.1.30514.0."

It's been my experience that once the application has been installed 
that as long as you are opted into Microsoft update (not Windows update 
- which only offers up updates for the operating system), you do get 
security updates for that installation.

It's also been my experience that when a new revision of "fill in the 
blank" is released, I get it offered up again as the metadata of the 
patch has changed. Ergo why I am CONSTANTLY ignoring that dang 
Silverlight on the Servers I patch where I don't want it in the first 
place. [Yes I could do server core where this is a non issue, but I 
don't] I also did a test where I hid 2977218, installed the prior 
version and when next I MU'd, I got 2977218. Perhaps they have changed 
the behavior to where you will get updates offered up even if you 
previously hid the update in question.

Also be aware that in Windows 10 there appears to be a new patching 
cadence coming (details still to come) as well as defender is now 
installed - and patched - by default:

http://blogs.windows.com/business/2014/09/30/introducing-windows-10-for-business/
"Businesses will be able to opt-in to the fast-moving consumer pace, or 
lock-down mission critical environments to receive only security and 
critical updates to their systems. And businesses will have an 
in-between option for systems that aren’t mission critical, but need to 
keep pace with the latest innovations without disrupting the flow of 
business. And the choice isn’t one or the other for businesses; we 
expect that most will require a mixed approach where a number of 
scenarios can be accommodated.

Consumers, and opt-in businesses, will be able to take advantage of the 
latest updates as soon as they are available, delivered via Windows 
Update. Business customers can segment their own user groups, and choose 
the model and pace that works for them. They will have more choice in 
how they consume updates, whether through Windows Update or in a managed 
environment. And for all scenarios, security and critical updates will 
be delivered on a monthly basis."

On 11/23/2014 7:22 AM, Stefan Kanthak wrote:
> Hi @ll,
>
> after opting in to Microsoft Update additional (optional) software
> like Silverlight or Microsoft Security Essentials is offered when
> a user performs a "custom search" for updates.
>
> Initially the current versions of this additional software are
> offered as "optional updates" for download and installation.
> For Silverlight cf. <https://support.microsoft.com/kb/2977218>
>
> If the user but does not want to install this software and checks
> the box "[x] Do not show this update´again", the next time he
> performs a "custom search" for updates the previous version of this
> software is offered until ALL of them are hidden.
>
> In case of Silverlight or Microsoft Security Essentials ALL these
> previous versions are but vulnerable, outdated and superseded.
>
> When I reported this behaviour as security bug on July 11, 2012
> the MSRC answered:
>
> | The behavior you're seeing is desirable and expected behavior to
> | help customers maintain a good level of security even if they
> | decline the most recent security update.  When the most recent
> | update for a product or component is hidden (which indicates the
> | user doesn't want the update to be offered ever again), we'll
> | offer the next newest (previously superseded) item to help
> | maintain some level of security.  This behavior will continue
> | down the entire supersedence 'chain' in order to offer the 'next
> | best' update for any user that declines the newest (or the next
> | newest) update.
> |
> | This is one of the ways Microsoft and Windows Update attempt to
> | provide the 'next best' update even if the user declines the
> | most recent (best) update.
>
> I doubt that this behaviour is REALLY desirable for "optional
> updates" like Silverlight: Silverlight is not installed by default
> and therefore doesnt need any updates!
>
>
> If a user (or a 3rd party application) but installs one of these
> vulnerable, outdated and superseded versions after hiding them all
> Microsoft Update does NOT offer the necessary security updates,
> ALTHOUGH these updates have become (critical or important)
> "security updates" now and are no "optional updates" any more.
>
> So: user^Wadministrator BEWARE!
>
> regards
> Stefan Kanthak
>
>
> JFTR: unfortunately there dont exist registry entries like those
>        for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11
>        to generally block the offering/installation of Silverlight
>        or Microsoft Security Essentials per Windows Update.
>
>        Cf. <https://support.microsoft.com/kb/982320>,
>        <https://support.microsoft.com/kb/2721187>,
>        <https://support.microsoft.com/kb/928675> and
>        <https://technet.microsoft.com/library/dd365124.aspx>,
>        <https://support.microsoft.com/kb/2695147> and
>        <https://technet.microsoft.com/library/gg615600.aspx>,
>        <https://msdn.microsoft.com/library/jj898509.aspx> and
>        <https://technet.microsoft.com/library/dn146011.aspx>,
>        <https://technet.microsoft.com/library/dn449234.aspx>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/