AnsweredAssumed Answered

VM Reporting missing KBs not applicable for the OS

Question asked by Olie Altamira on Feb 27, 2019
Latest reply on Feb 27, 2019 by derekv

Background: We are trying to understand and fix Sev 4&5 vulnerabilities reported by VM. One particular sample is a Windows Server 2012 R2 Standard 64 bit Edition. Qualys is reporting that this server have these vulnerability: "Microsoft Internet Explorer Security Update for September 2017" and "Microsoft Internet Explorer Security Update for February 2019"


Analysis: The list of missing KBs in the 'vendor reference' field for the Sep 2017 is already superseded by those listed for the Feb 2019. When we look at the missing KBs from the Feb 2019, most of the KBs are not applicable for the server in review.



  1. Does any of you observed this?
  2. What is the logic behind Qualys reporting these as vulnerability?
  3. How do we treat this scenario?



IE Security Update for Month ofKBs MissingSuperseded byProduct Applicability
for September 2017KB4038799KB4487025Windows Server 2012
for September 2017KB4038788KB4487020Windows 10
for September 2017KB4038781KB4491101Windows 10 LTSB
for September 2017KB4038782KB4487006Windows server 2016
for September 2017KB4038777KB4486563Windows Server 2008 R2