Why do I see BlueKeep micropatch applying/available even though Microsoft's fix for BlueKeep is installed?

Mitja Kolsek

While our micropatches typically fix a vulnerability in the same executable module as the original vendor's fix (which means that our micropatches automatically stop applying when you install the official fix), this is not always the case.

A good example is our micropatch for BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in the OS kernel, while our micropatch is located in a user-space DLL (see why), so we intercept and block the attack before it reaches the kernel. Microsoft's fix for BlueKeep doesn't modify the DLL we have micropatched, so 0patch continues to apply the BlueKeep micropatch to that DLL. There is no disadvantage to that: 0patch simply blocks the attack before it would have been blocked by Microsoft's fixed code in the kernel.

However, 0patch Console continues to show our micropatch as applying, or as available for your computer if you are on the 0patch FREE plan, which can be confusing and lead you to question whether Microsoft's update for BlueKeep was properly installed. 0patch does not inspect which Microsoft updates you have installed (we want to minimize data collection), but we're looking for a better way to remove or minimize this confusion.
