KB4345420 is missing supersedence info in CVEs.zip

[lkucera]

there is no info about above mentioned KB being superseded, thus creating false findings where this KB is not present on system. The KB is superseded by all later monthly cumulative rollups. (https://www.catalog.update.microsoft.com/Search.aspx?q=KB4345420)

[AvrumFeldman]

Have the same issue with KB4345421, the program is reporting it's missing even while I have KB4487017 installed that supersedes KB4345421.

[bitsadmin]

Thanks for the reports! Can one of you validate the information provided by the MSRC API? In my experience on the Microsoft Catalog a certain supersedes is present, but when checking in the MSRC API, this supersedes is not listed.

See the following links for more information on how to install and use the MSRC API:

• https://github.com/Microsoft/MSRC-Microsoft-Security-Updates-API
• https://github.com/bitsadmin/wesng/blob/master/collector/collect_msrc.ps1

[AvrumFeldman]

I will try to figure out how to use this API later (I'm quite busy now). But just a general note, in windows 10 every cumulative update contains all the previous updates, so you should be able to simply check if the build number is greater then the build number from the KB required and know from that, that those vulnerabilities are patched. For example KB4345421 is windows build 17134.167 while KB4487017 is windows build 17134.590, I hope you see whee i'm going.

[bitsadmin]

I see, thanks for the hint. I hadn't looked into Windows build number very deep. So far I only depended on the supersedes attribute, however that doesn't seem to be reliable in all cases. Going to look into it to improve accuracy of the results!

[lkucera]

the CVEs.zip looks very much like "Bulletin Search" (https://www.microsoft.com/en-us/download/details.aspx?id=36982) that Microsoft stopped to release about two years ago, I used it often to track down patches, over years we indeed found out that supersedence information has to be taken with grain of salt, as data in Bulletin Search and Catalog are not always same and reality may be something different altogether

[bitsadmin]

I just added the Report false positives page with instructions on reporting false positives. Please create a new issue using the steps described there.