As a general rule, when we write a micropatch, we do it for the latest vulnerable version of the product. In the case of 0-days (vulnerabilities for which there is no vendor patch), this means the latest product version; otherwise it means the version prior to that - provided we assess that the risk from users not applying, or delaying, the vendor patch is high enough.
With some products, things get a bit more complicated. For instance, a vulnerability in a Windows service could affect everything from Windows 7 to Windows 10 (various versions from 1709 to 1903), and from Windows Server 2008 to 2019, and on top of that both 32-bit and 64-bit versions. Even though some of these share the same affected binary module (the DLL or EXE we micropatch), this still leaves a non-trivial number of vulnerable modules to which we need to port a micropatch. In such cases we assign higher priority to product versions that are more represented among our user base, and to versions used by customers with a support contract. For the latter, we may also back-port a micropatch to a not-fully-patched Windows version if a customer for some reason has to use that version.