This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

W7/2008R2 flagged Insecure: missing KB2978120 while superseding KBs are Installed

Summary

KB2978120 was released in 2014 and thereafter superseded by KB4041090 released in 2017. You have installed KB4041090 through WSUS/SCCM, but SVM still flags Windows 7 and Server 2008 R2 as Insecure. In some occasions, SVM will link the Insecure Windows OS to SA84667 and it will refer you to patch with KB4345590 and KB4344152. You will find out that KB4345590 is superseded few times until you reach to conclusion that KB4345590 is the latest patch required. After applying KB4345590, your systems are still flagged as Insecure and you wonder what caused this.

Symptoms

KB2978120 was released in 2014 and thereafter superseded by KB4041090 released in 2017. You have installed KB4041090 through WSUS/SCCM, but SVM still flags Windows 7 and Server 2008 R2 as Insecure.

In some occasions, SVM will link the Insecure Windows OS to SA84667 and it will refer you to patch with KB4345590 and KB4344152.
You will find out that KB4345590 is superseded few times until you reach to conclusion that KB4344152 is the latest patch required.
After applying KB4345590, your systems are still flagged as Insecure though. The cause is missing KB2978120.

Cause

While it is true that KB2978120 is superseded by KB4041090, Microsoft continues to maintain direct download link for this KB as well as it keeps the update in the Microsoft Update repository.
KB2978120 is uniquely applicable in some very specific scenarios involving very particular combination of Windows 7 OS with and without Service Pack 1 with particular version of .NET 3.5.1.

This update from Microsoft is a core security fix in .NET 3.5.1 and is very widely affecting every Windows 7 and Windows Server 2008 R2 machines.
The update should be applied separately even though superseding KBs have been applied.

In situation where SA84667 is linked to Windows 7 / 2008R2 OS scan results and shows the systems as Insecure even though you applied all recommended patches, you should also look to install KB2978120.
The vulnerabilities in SA84667 link up indirectly to the missing KB2978120 even though SVM recommended you to patch to KB4345590 and KB4344152.

 

Resolution

You should search for KB2978120 in your WSUS / System Center Configuration Manager update list.
If the update is not displayed in the list and not automatically discovered by WSUS/SCCM, you can import it manually using the below steps.

1. Go to Server Manager > Tools > Windows Server Update Services on the SUP server.
2. Click on Updates on the left-side panel.
3. On the right-most panel, click on 'Import Updates'
4. Microsoft Update popup will load. Search for KB2978120 in the search engine.
5. When it appears, click 'Add' and add the packages that were displayed.
6. Click 'View Basket' just below the Search field.
7. Tick the checkbox 'Import Directly into WSUS' and click the 'Import' button.
8. New popup will show - await until all update status turn green and show 'Done'.

These steps will load the KB2978120 in the update list of SUP, hence SCCM.
You can deploy the patch to hosts from there onward.

 

Workaround

Download the patch directly from Microsoft and deploy it to your hosts in your preferred way.

https://www.microsoft.com/en-us/download/details.aspx?id=44603

 

Additional Information

KB2978120 from 11/11/2014 initially addressed "TypeFilterLevel Vulnerability", covered in CVE-2014-4149 that enabled EOL impact.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4149

KB4041090 from 09/2017 covered in CVE-2017-8759 addressed extremely critical ".NET Framework Remote Code Execution Vulnerability".
https://nvd.nist.gov/vuln/detail/CVE-2017-8759

According to the below Microsoft source, KB4041090 does not entirely replace KB2978120. Not in all applicable scenarios.
https://support.microsoft.com/en-us/help/4041090/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-4-6-2

While KB4041090 is entirely issued for 7/2008R2 systems with SP1 installed, KB2978120 covers standalone Windows 7 and 2008 R2 versions.
Having different impact and different OS patch levels addressed by each, KB4041090 does not appear to cancel out automatically KB2978120 when certain appropriate conditions are met.

on ‎Feb 06, 2019 09:47 PM - edited on ‎Sep 19, 2019 06:43 PM by Level 7 Flexeran

Labels:
Was this article helpful? Yes No
No ratings
0 Kudos
Version history
Last update:
‎Sep 19, 2019 06:43 PM
Updated by:
Level 7 Flexeran