• Updates: CVE vs KB

    #2423089

    In DEFCON letter today, Susan mentioned the urgency of getting the CVE-2022-21882 update. I’m probably showing my ignorance, but in looking at my “Update History” list, the updates are identified as KBxxxxxxx, not CVE. So how do I tell if I have this update or not? Am I looking in the wrong place in History?

    • #2423097

      No, you are looking in the right place in your Windows. Just like you said, Windows updates are identified by their KBxxxxxxx (Knowledge Base number), not by the CVE identifier of the vulnerability they patch (and there are usually many CVEs patched in one update).

      To determine whether you do have CVE-2022-21882 patched on your system or not, you should go to its description on the MSRC portal and check whether your product is listed in the “Security Updates” section. If it’s listed, you should find the KB number of the appropriate update in the “Article” column.

      For example, for “Windows 10 Version 21H2” it is KB5009543.

      1 user thanked author for this post.
    • #2423101

      Thank you!  I guess I’m really out of my depth here as a home user. When Susan warns me to make sure I have a certain update, I look for that number in my update list and would never have known about the MSRC portal, etc, etc, and trying to find a correspondency.

      Maybe we need a DEFCON for the less-educated!  Thank you again for your help.

    • #2423116

      Updates are cumulative thus you get all of the patches in one clump these days.  But not all vulnerabilities are as concerning as others if you don’t patch. I’ve seen many folks say “Oh I’ll skip over January” but that’s one vulnerability that’s been in the tech news.

      If you install January updates you are patched for the known CVEs or vulnerabilities that we know of.  If you don’t install the January updates, there’s one that is concerning and has been seen used in attacks.

      Does that help?

       

      Susan Bradley Patch Lady/Prudent patcher
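
Added example, not part of any post in this thread: a PowerShell check that combines the two answers above, looking for the KB that the MSRC page lists and, because updates are cumulative, also accepting a build revision at or above the one that KB delivers. The function names are hypothetical, and the revision is not given in the thread, so it is a parameter to be read from the KB's support article; the revision numbers in the sample calls are constructed.

```powershell
# Added example; function names are hypothetical, not from the thread.
# KB5009543 is the KB the thread gives for Windows 10 Version 21H2.
# The build revision that KB delivers is NOT on the page: read it from the
# KB's support article and pass it in as -RequiredRevision.

function Test-UpdatePresent {
    param(
        [Parameter(Mandatory)][string] $RequiredKb,        # KB from the MSRC "Article" column
        [Parameter(Mandatory)][int]    $RequiredRevision,  # revision delivered by that KB
        [string[]] $InstalledKbs = @(),                    # KB ids currently installed
        [int]      $CurrentRevision = 0                    # this machine's build revision (UBR)
    )
    # Case 1: the exact KB is listed (-contains is case-insensitive).
    if ($InstalledKbs -contains $RequiredKb) { return 'Patched: KB is listed' }
    # Case 2: a later cumulative update includes the fix. The older KB may no
    # longer be listed, but the revision is at least as high. This comparison
    # is only valid when the KB was chosen for this machine's Windows version.
    if ($CurrentRevision -ge $RequiredRevision) { return 'Patched: newer cumulative update' }
    return 'NOT patched'
}

function Get-UpdateStatus {
    param(
        [Parameter(Mandatory)][string] $RequiredKb,
        [Parameter(Mandatory)][int]    $RequiredRevision
    )
    # Live data: installed hotfix ids and the Update Build Revision (UBR).
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $kbs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    Test-UpdatePresent -RequiredKb $RequiredKb -RequiredRevision $RequiredRevision -InstalledKbs $kbs -CurrentRevision $cv.UBR
}

# Constructed inputs (revision numbers are made up) showing all three outcomes:
Test-UpdatePresent -RequiredKb 'KB5009543' -RequiredRevision 200 -InstalledKbs @('KB5009543') -CurrentRevision 200
Test-UpdatePresent -RequiredKb 'KB5009543' -RequiredRevision 200 -InstalledKbs @('KB0000001') -CurrentRevision 350
Test-UpdatePresent -RequiredKb 'KB5009543' -RequiredRevision 200 -InstalledKbs @('KB0000001') -CurrentRevision 150
```

On a real machine, call `Get-UpdateStatus` with the KB for your product and the revision from that KB's article.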

    • #2423118

      Yes, it does.  Thank you!  I’ve followed your advice to advance my updates till the 3rd week or so each month, and I guess that has done the job.  I appreciate your DEFCON reminders each month to set that delay again, because Mr Windows in the Home version won’t.

      Now I just hope he doesn’t force Win 11 on me. I also posted about that earlier today and was directed to another post where you commented.  I’m always a little nervous using regedit, so haven’t done that tweak yet.  Again, thanks for all of your contributions to Ask Woody.

      David

       

    • #2423130

      I’m probably showing my ignorance, but in looking at my “Update History” list, the updates are identified as KBxxxxxxx, not CVE.

      It really is a shame that the average computer user has to be a computer/computer software genius just to safely do updates on Win 10.  You are not ignorant, Msft. has been and continues to make things very hard for the average computer user.  Thank goodness for this site, it has helped me a lot in the past 15 years or so!

      Being 20 something in the 70's was so much better than being 70 something in the insane 20's
    • #2423186

      Perhaps worth mentioning is CVEs are the vulnerability definitions, KBs are the Microsoft knowledge base descriptions (usually in a more end user wording) of a problem, and the solution for the problem described, once resolved, by convention extending to a part of the solution patch name should one be required.

      I believe CVEs are generated by Mitre (https://cve.mitre.org/) based on information drawn from many sources (that is to say, they don’t just do Microsoft issues), and they collate the status of the problems and their solutions. Probably more useful should you want to see what’s happening in an overall view is the NVD dashboard as this shows latest Windows and third party problems. Unfortunately the way security issues are progressing now you’d need to check on a very regular basis.

      https://nvd.nist.gov/general/nvd-dashboard

      You can search for specific issues using https://nvd.nist.gov/search

      In discussing it’s pertinent to mention the obvious, that the details of a security issue are not released in a form they could be leveraged until a solution for the issue has been available for a while…

       

    • #2423224

      Thanks to all for educating me!
