Here's the scenario:
Our server admins are distributing the monthly "Security Only" updates for .NET Framework via WSUS, yet our vulnerability scanner triggered these two alerts:
- Security and Quality Rollup for .NET Framework (April 2017) [KB 4014559]
  \Windows\Microsoft.NET\Framework\v4.0.30319\Wminet_utils.dll has not been patched.
  Remote version : 4.0.30319.36387
  Should be : 4.0.30319.36388
- Security and Quality Rollup for .NET Framework (May 2017) [KB 4019112]
  \Windows\Microsoft.NET\Framework\v4.0.30319\system.dll has not been patched.
  Remote version : 4.0.30319.36391
  Should be : 4.0.30319.36392
We have since patched the servers using the "Security and Quality Rollup" patch versus the "Security Only" patch. My question is: why are updates to these files not included in the "Security Only" patches? My server team is reluctant to distribute the "Security and Quality Rollup" patches as it is against MSFT's best practices as stated in the following link:
https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/
"The Security Only Update is recommended for production machines."
"The Security and Quality Rollup is recommended for consumer and developer machines."
Is anybody else seeing this? If so, can you provide me with some insight?
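For anyone reproducing the scanner's finding locally, the following PowerShell snippet is an added example (not part of the original post, and not a Microsoft or scanner-vendor tool). It reads the on-disk file version of the two DLLs the scanner named and compares it with the "Should be" version from the alerts, then checks whether the corresponding KB appears in the installed hotfix list. The file paths, KB numbers and expected versions are the ones quoted above; the drive letter is taken from `$env:windir` since the post omits it, and the 32-bit `Framework` path is assumed, so on 64-bit hosts add the matching `Framework64` entries.

```powershell
# Added example: verify the scanner's file-version finding by hand.
# Expected versions and KB numbers are those quoted in the post above.
$checks = @(
    @{ Kb = 'KB4014559'; Path = "$env:windir\Microsoft.NET\Framework\v4.0.30319\Wminet_utils.dll"; Expected = '4.0.30319.36388' },
    @{ Kb = 'KB4019112'; Path = "$env:windir\Microsoft.NET\Framework\v4.0.30319\system.dll";       Expected = '4.0.30319.36392' }
)

# Secondary check only: Get-HotFix (Win32_QuickFixEngineering) lists updates the OS
# recorded as installed; the file version on disk is the authoritative signal.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "$($c.Path): file not found"
        continue
    }

    # Build a System.Version from the numeric parts rather than parsing the
    # FileVersion string, which on .NET assemblies often carries trailing text
    # such as "built by: ..." that would break [version] parsing. A numeric
    # comparison is used so 4.0.30319.36391 -lt 4.0.30319.36392 holds as numbers,
    # not as strings.
    $vi       = (Get-Item -LiteralPath $c.Path).VersionInfo
    $actual   = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $expected = [version]$c.Expected

    [pscustomobject]@{
        File        = Split-Path -Path $c.Path -Leaf
        Actual      = $actual.ToString()
        Expected    = $expected.ToString()
        State       = if ($actual -ge $expected) { 'OK' } else { 'NOT PATCHED' }
        KBInHotFix  = if ($installed -contains $c.Kb) { 'yes' } else { 'no' }
    }
}
```

Run it in an elevated session on one of the servers before and after the rollup is applied; a row showing `NOT PATCHED` with the KB absent from `Get-HotFix` reproduces the scanner's alert, while `OK` after the rollup confirms the file was replaced.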