KB4571723 superseded (by KB4578013) and not required - but manually installs

JG 266 Reputation points
2020-09-24T13:11:24.697+00:00

For patching against CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, the relevant update for security-only updates is:

W2012R2 KB4571723 Security Only - However, this is superseded by KB4578013, which is an out-of-band update that includes two other CVE patches. It specifically doesn't mention CVE-2020-1472, but supersedes KB4571723; therefore none of the R2 servers will scan against KB4571723, so I assume that KB4571723 is no longer required if KB4578013 is available/installed.

When I manually installed KB4571723 on a server that has KB4578013 installed, the patch is accepted and installed.
I assumed it would be deemed not required (as it is in the MEM console).

Does that mean that

  1. KB4578013 doesn't include the patch for CVE-2020-1472, or
  2. if KB4571723 includes other updates not in KB4578013, then why are my servers showing it's not required?

[Attached screenshot: 28115-kb4578013.jpg]

Basically what I'm wanting to know is if KB4578013 includes the patch for CVE-2020-1472 (because it doesn't say), and I'm now starting to wonder about other superseded updates that get replaced and whether they are still actually required (but on scan are deemed not to be).

Using v1906
Thanks


Accepted answer
  1. Joy Qiao 4,766 Reputation points Microsoft Employee
    2020-09-30T07:19:14.067+00:00

    Hi @JG

    As the official article says, Windows Server 2012 R2 needs either the monthly rollup KB4571703 or the security-only update KB4571723 installed to address CVE-2020-1472 (Netlogon Elevation of Privilege Vulnerability).

    As KB4571703 was replaced by KB4578013, KB4578013 must contain the updated system files that address the Netlogon Elevation of Privilege Vulnerability.
    However, KB4578013 was released on 8/18/2020, which is later than KB4571703 (8/10/2020), KB4571723 (8/10/2020), and the CVE-2020-1472 article release date (8/11/2020), so that is why it was not recorded in this article. By the way, as Windows Update is cumulative, KB4571703 and KB4571723 are both replaced by the latest monthly rollup package, KB4577066. So we just need to install the latest update package.
    Even if you install the latest update package, previously replaced updates can still be installed manually, but the Windows Update agent will not search for them and will not install them automatically. This is the default behavior.

    So there is no need to worry about these things; just keep your system up to date.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

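A practical way to act on the accepted answer is to check a server for any update in the supersedence chain named in this thread rather than for one specific KB. The PowerShell function below is an added example, not code from the thread or from Microsoft; the KB numbers and their relationships (KB4571723 and KB4571703 as the August packages, KB4578013 replacing KB4571703 and superseding KB4571723, KB4577066 replacing both) are taken from the posts above, while the function name, the `-InstalledHotfixes` parameter and the sample inventory list are this example's own assumptions.

```powershell
# Added example (not from the thread): reports whether a Windows Server 2012 R2 host
# carries the CVE-2020-1472 (Netlogon) fix through ANY update in the supersedence
# chain described in the accepted answer, and flags superseded packages that were
# installed manually on top of a newer one.

function Test-NetlogonPatch {
    [CmdletBinding()]
    param(
        # Optional: a list of KB IDs to evaluate offline (for example from an
        # inventory export). When omitted, the local machine is queried with Get-HotFix.
        [string[]] $InstalledHotfixes
    )

    # Updates that carry the August 2020 Netlogon fix for 2012 R2, per the thread.
    $chain = @(
        [pscustomobject]@{ KB = 'KB4571723'; Kind = 'Security-only (Aug 2020)';  Superseded = $true  }
        [pscustomobject]@{ KB = 'KB4571703'; Kind = 'Monthly Rollup (Aug 2020)'; Superseded = $true  }
        [pscustomobject]@{ KB = 'KB4578013'; Kind = 'Out-of-band update (Aug 2020)'; Superseded = $false }
        [pscustomobject]@{ KB = 'KB4577066'; Kind = 'Later Monthly Rollup';      Superseded = $false }
    )

    if (-not $PSBoundParameters.ContainsKey('InstalledHotfixes')) {
        # Get-HotFix reads Win32_QuickFixEngineering; HotFixID values look like 'KBnnnnnnn'.
        $InstalledHotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
    }

    $installed = @($InstalledHotfixes | ForEach-Object { $_.Trim().ToUpper() })
    $found     = @($chain | Where-Object { $installed -contains $_.KB })

    # Newer packages present on the host make the August originals redundant, which is
    # exactly what the MEM console reports as "not required".
    $hasNewer  = ($installed -contains 'KB4578013') -or ($installed -contains 'KB4577066')

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Protected    = ($found.Count -gt 0)
        MatchedKBs   = ($found | ForEach-Object { "$($_.KB) [$($_.Kind)]" }) -join ', '
        RedundantKBs = if ($hasNewer) {
                           ($found | Where-Object { $_.Superseded } | ForEach-Object { $_.KB }) -join ', '
                       } else { '' }
    }
}

# Offline check against a constructed inventory list (sample data, not a real host):
# expected: Protected = True, MatchedKBs lists KB4571723 and KB4578013, RedundantKBs = KB4571723
Test-NetlogonPatch -InstalledHotfixes 'KB4578013', 'KB4571723', 'KB4566425'

# Live check of the local server:
Test-NetlogonPatch
```

Two caveats when using this: Get-HotFix (Win32_QuickFixEngineering) does not always enumerate every installed update, so treat a negative result as a prompt to cross-check against the MEM compliance view or the Update Catalog "Package Details" tab rather than as proof the fix is absent; and presence of a package only shows the Netlogon fix is installed, it says nothing about whether the later enforcement phase behaviour the answers below mention has been reached.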

6 additional answers

  1. Dave Patrick 329.1K Reputation points Microsoft MVP
    2020-09-24T14:50:24.34+00:00

    For 2012 R2 the Initial Deployment Phase comes with August 11, 2020—KB4571703 (Monthly Rollup). It will also be a part of any later cumulative updates listed here.
    https://support.microsoft.com/en-us/help/4009470

    The Enforcement Phase will come with the Feb 2021 cumulative update

    --please don't forget to Accept as answer if the reply is helpful--


  2. Dave Patrick 329.1K Reputation points Microsoft MVP
    2020-09-24T15:01:03.257+00:00

    Ok, for 2012 R2 the Initial Deployment Phase also comes with August 11, 2020—KB4571723 (Security-only update). It will also be a part of any later security-only updates listed here.
    https://support.microsoft.com/en-us/help/4009470

    The Enforcement Phase will come with the Feb 2021 cumulative and security-only update

    --please don't forget to Accept as answer if the reply is helpful--


  3. JG 266 Reputation points
    2020-09-24T15:12:12.527+00:00

    Thanks, but (to my understanding) monthly 'security only' updates are not cumulative, so KB4571723 will not be part of later security-only updates. I also think you are missing my point about the patch being superseded (by KB4578013, although not included in the info) and KB4571723 no longer being required. Thanks


  4. Dave Patrick 329.1K Reputation points Microsoft MVP
    2020-09-24T15:27:23.477+00:00

    According to this one it is part of the August 11, 2020—KB4571723 (Security-only update)
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

    KB4571723 has been superseded by KB4577066 (Package Details tab)
    https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=41841c9a-956c-4b83-a626-58a1848f515b

    --please don't forget to Accept as answer if the reply is helpful--
