While Microsoft's documentation doesn't clarify whether WSUS performs digital signature or checksum counts prior...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
to installation, its Baseline Security Analyzer (MBSA) examines file versions and checksums to verify the present files match with those released by Microsoft. If any of these files do not pass the test, MBSA will identify that the software update is not installed, or will flag the software update with a warning. It's important to note that this process can only be done after the patch has been installed. Interestingly enough, this product is licensed from Shavlik Technologies LLC, the makers of HFNetChkPro.
HFNetChkPro is a patch management program that validates file versions and checksums prior to deploying both Microsoft and non-Microsoft security patches. Its Basic Edition is designed for smaller organizations that don't require advanced patch management functionality like scheduled scans and email support.
PatchQuest is another automated patch management program that can distribute and manage security patches, hotfixes and updates across heterogeneous networks comprising Windows and Linux systems. It is a Web-based service that downloads patches, assesses patch authenticity and tests for functional correctness. The tool scans your network, identifies missing patches and software updates, distributes patches to vulnerable systems and keeps your systems up-to-date and free from vulnerabilities.
Should you receive a warning message that questions a patch's validity, you should fully investigate the digital certificate or checksum. Why you ask? In 2001, VeriSign Inc. issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates was "Microsoft Corporation," allowing the individual to sign executable content using keys that supposedly belonged to Microsoft. Thankfully, trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. Therefore, if a similar event occurred, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name "Microsoft Corporation." The danger, of course, is that even a security-conscious user might agree to trust the bogus certificates and execute the content.
Dig Deeper on Security patch management and Windows Patch Tuesday news
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.