Why does 0patch Console show "Patchable Modules" and "Relevant Patches", but no patches are applied?

Mitja Kolsek -

When 0patch Agent is installed, and again whenever it downloads new patches, it scans the local drives for "Patchable Modules", i.e., the exact executable files (by name and version) for which one or more patches have been written. The result of this scan is reflected in the "Patchable Modules" and "Relevant Patches" lists.

However, because 0patch does all of its patching in memory only, a patchable module has to be loaded into the memory of some running process before its patches can be applied. It can therefore happen that 0patch Console shows Relevant Patches for your computer while no patches have been applied (yet). The scan for patchable modules exists so that the user (or the computer's administrator) knows which patches are present and waiting to be applied as needed, even before any of them has actually been applied.

To give an example, with our CVE-2022-30190 ("Follina") patches, the 0patch scanner finds the vulnerable executable sdiagnhost.exe on the computer, adds it to the list of Patchable Modules, and adds the associated patch to the Relevant Patches list. But the patch only gets applied when sdiagnhost.exe is actually executed, and this may not happen any time soon, unless you launch a Windows troubleshooter yourself (the Microsoft Support Diagnostic Tool, msdt.exe, which spawns sdiagnhost.exe) or open a malicious document that tries to exploit this vulnerability. In both cases our patch gets applied, in the memory of the sdiagnhost.exe process, before any of its code is executed, and removes the vulnerability. Only then does the "applied" counter for this patch increase.
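The practical consequence of the above is that a module which 0patch lists as patchable may simply not be in memory anywhere. The following PowerShell function is an added example (not 0patch's own code or console API) that reports, for each file name taken from the Patchable Modules list, which running processes currently have it loaded, along with the on-disk path and file version so you can compare them with what the Console shows. A module that appears in no process cannot have had its patch applied yet, whatever the Relevant Patches list says. The module names passed in the usage line, 'sdiagnhost.exe' from the Follina example and 'user32.dll', are assumptions for illustration.

```powershell
# Added example, not part of the original page or of 0patch itself: find out
# whether the executables listed under "Patchable Modules" are loaded into any
# running process right now. An in-memory patch can only have been applied to
# a module that is actually loaded somewhere.
#
# Assumption: the module file names are copied from the Console's Patchable
# Modules list; 'sdiagnhost.exe' is used because it is the page's Follina example.

function Find-LoadedPatchableModule {
    [CmdletBinding()]
    param(
        # File names exactly as shown under Patchable Modules, e.g. 'sdiagnhost.exe'
        [Parameter(Mandatory)]
        [string[]] $ModuleName
    )

    $hits = @()

    # Enumerating the modules of a process that runs as another user (e.g. SYSTEM)
    # throws "Access is denied" unless this shell is elevated; such processes are
    # skipped here, so run elevated for a complete picture.
    foreach ($proc in Get-Process) {
        $modules = @()
        try {
            $modules = $proc.Modules   # includes the main executable as well as DLLs
        } catch {
            continue
        }
        foreach ($m in $modules) {
            # -contains on string arrays is case-insensitive in PowerShell
            if ($ModuleName -contains $m.ModuleName) {
                $hits += [pscustomobject]@{
                    Module      = $m.ModuleName
                    Path        = $m.FileName
                    FileVersion = $m.FileVersionInfo.FileVersion
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                }
            }
        }
    }

    # Report modules that were asked for but are loaded nowhere: their patches
    # are "relevant" but cannot have been applied yet.
    foreach ($name in $ModuleName) {
        if (-not ($hits | Where-Object { $_.Module -ieq $name })) {
            $hits += [pscustomobject]@{
                Module      = $name
                Path        = $null
                FileVersion = $null
                ProcessName = '(not loaded in any process)'
                PID         = $null
            }
        }
    }

    $hits | Sort-Object Module, PID
}

# Usage (assumed module names): check the page's Follina module plus a DLL that
# is loaded into almost every interactive process, to see the difference.
Find-LoadedPatchableModule -ModuleName 'sdiagnhost.exe', 'user32.dll' | Format-Table -AutoSize
```

On a typical idle desktop this shows user32.dll in dozens of processes and sdiagnhost.exe in none, which is exactly the situation the answer describes: the patch is relevant, but there is nothing in memory for it to be applied to. Note that this only tells you whether the module is loaded; it does not tell you whether 0patch Agent has patched it, for which the Console's "applied" counter remains the authority.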


1 comment

Mike

    This seems kind of strange. For users who want a dashboard which shows them which patches are *actually* applied, that dashboard does not exist.
