fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Windows vulnerability scan can fail due to mismatched product names #24041

Open sgress454 opened 9 hours ago

sgress454 commented 9 hours ago

💥 Actual behavior

We often fail to match a Windows OS in our database to any product in an MSRC bulletin, leading to us not checking for vulnerabilities and logging a noisy error.

More info

When detecting Windows vulnerabilities, we:

  1. List the operating systems in use for the instance (e.g. Microsoft Windows 11 Pro 22H2, Microsoft Windows Server 2022 Datacenter 21H2)
  2. For each operating system:
    1. Load the latest MSRC bulletin file for that OS group (e.g. Windows 11, Windows Server 2022)
    2. Check that at least one product in the bulletin matches the OS we're looking at, by matching the "Display Version" (e.g. 22H2) to the product name (e.g. "Windows 11 Version 22H2 for ARM64-based Systems")
    3. Take the first product that matches, and check if any vulnerabilities for that product apply to any hosts.

The issue is that the products listed in the MSRC bulletins don't always include a display version. For example, the Windows Server 2022 bulletin lists the products as:

    "11923": "Windows Server 2022",
    "11924": "Windows Server 2022 (Server Core installation)",
    "12244": "Windows Server 2022, 23H2 Edition (Server Core installation)"

and on Dogfood we have an OS listed as "Microsoft Windows Server 2022 Datacenter 21H2", but there's nothing to match the 21H2 against, so we don't get a product match. This means we don't check for vulnerabilities, and we also log an error (we see thousands of these errors a day).

Proposal

We can fix this by keeping a map of bulletin product names -> display versions and updating the bulletins on ingest. For example, by rewriting "Windows Server 2022" to "Windows Server 2022 Version 21H2". This is a list we'd have to keep updated with new Windows releases, but at least the current "no product matches" error can become a canary for that issue rather than just squawking all the time.

cc @mostlikelee
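The display-version matching and the proposed ingest-time rewrite, as an added Go example that is not Fleet's own code: the product IDs and names are the ones quoted in the issue, while the `displayVersionByName` map and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: products from the Windows Server 2022 MSRC bulletin as quoted in the issue.
var bulletinProducts = map[string]string{
	"11923": "Windows Server 2022",
	"11924": "Windows Server 2022 (Server Core installation)",
	"12244": "Windows Server 2022, 23H2 Edition (Server Core installation)",
}

// displayVersionByName is the proposed hand-maintained map from a bare bulletin
// product name to the display version it corresponds to (hypothetical values).
var displayVersionByName = map[string]string{
	"Windows Server 2022":                            "21H2",
	"Windows Server 2022 (Server Core installation)": "21H2",
}

// normalizeProducts rewrites product names that carry no display version on ingest,
// e.g. "Windows Server 2022" -> "Windows Server 2022 Version 21H2".
func normalizeProducts(products map[string]string) map[string]string {
	out := make(map[string]string, len(products))
	for id, name := range products {
		if v, ok := displayVersionByName[name]; ok && !strings.Contains(name, v) {
			name += " Version " + v
		}
		out[id] = name
	}
	return out
}

// matchProduct returns the first product (by ID order, for determinism) whose
// name mentions the OS display version, mirroring the "first match wins" step.
func matchProduct(products map[string]string, displayVersion string) (string, bool) {
	ids := make([]string, 0, len(products))
	for id := range products {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		if strings.Contains(products[id], displayVersion) {
			return id, true
		}
	}
	return "", false
}

func main() {
	_, ok := matchProduct(bulletinProducts, "21H2")
	fmt.Println("21H2 matches raw bulletin:", ok) // false: this is the noisy error case
	id, ok := matchProduct(normalizeProducts(bulletinProducts), "21H2")
	fmt.Println("21H2 matches normalized bulletin:", id, ok) // 11923 true
}
```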