Background: We are trying to understand and fix Sev 4&5 vulnerabilities reported by VM. One particular sample is a Windows Server 2012 R2 Standard 64-bit Edition. Qualys is reporting that this server has these vulnerabilities: "Microsoft Internet Explorer Security Update for September 2017" and "Microsoft Internet Explorer Security Update for February 2019".
Analysis: The missing KBs listed in the 'vendor reference' field for Sep 2017 are already superseded by those listed for Feb 2019. When we look at the missing KBs from Feb 2019, most of the KBs are not applicable to the server under review.
- Have any of you observed this?
- What is the logic behind Qualys reporting these as vulnerabilities?
- How do we treat this scenario?

| IE Security Update for Month of | KBs Missing | Superseded by | Product Applicability |
|---|---|---|---|
| for September 2017 | KB4038799 | KB4487025 | Windows Server 2012 |
| for September 2017 | KB4038788 | KB4487020 | Windows 10 |
| for September 2017 | KB4038781 | KB4491101 | Windows 10 LTSB |
| for September 2017 | KB4038782 | KB4487006 | Windows Server 2016 |
| for September 2017 | KB4038777 | KB4486563 | Windows Server 2008 R2 |