[Solved] W10 20H2 not detected and W10 reported as insecure

GregAlexandre · 1 Nov 2020, 10:26

Hi,

I updated to W10 20H2 (fr) fully patched and W10 is reported as insecure.

Hope this helps.
Regard.
PS: please note that french date format is; dd/mm/aaaa

Tom · 1 Nov 2020, 15:10

We will soon review the title of Windows 10, it does appears that Microsoft has changed the naming / versioning of the semi-annual releases.

Try to expand the Windows 10 entry, there should be a list of one or more KBs that are missing and which are security related.

OLLI_S · 1 Nov 2020, 21:50

Same here:

There are no Windows Updates available, but it is marked as "Insecure".

Also Win 10 tells me that there are no updates available:

Tom · 2 Nov 2020, 08:36

Indeed, and it is Insecure.

But the update is not yet available. Windows is vulnerable to CVE-2020-17087.

This is a privilege escalation vulnerability which was exploited together with the recent 0-day in Google Chrome:
https://www.theregister.com/2020/10/30/windows_kernel_zeroday/

Right now it is even more important to keep all other software up-to-date, since this vulnerability can (and was) used to break out of the sandbox protection, which is used by some applications (including Chrome) to make it harder to fully compromise a system via a remote exploit.

GregAlexandre · 2 Nov 2020, 19:42

@Tom : Any product is de facto insecure till next security patch with known or unknown vulnerabilities. So any product is always more or less insecure.

So at this time W10 with its known vulnerabilities is as secure as standard user can have it when windows update writes: you are up-to-date (fr to en translation).

To have it reported as "insecure" only lead me to time lost to look for what I missed!

May I suggest to have another status if you want to report "insecure but with no solution" status. Orange (yellow) "insecure"?

Regards.

OLLI_S · 2 Nov 2020, 20:15

Inhink @Tom is right.
There is an vulnerabily in Windows 10 where up to now there is no patch available.
So Windows 10 is up-to-date but it is also insecure.

The problem is, that there is no explanation.
No Threat Level and also no CVE information.
Both suggestions exist over 2 years...

GregAlexandre · 2 Nov 2020, 23:01

@OLLI_S : Risk or at least vulnerability level is required for pro usage.

For standard user, with no idea of what is risk assessment red/yellow/green status is more useful. I think that most people in France do not know what means CVE and if they can have the related description and CVSS will be unable to assess their risks and chose what to do but fix when patch is available.

GregAlexandre · 16 Jan 2021, 11:40

@Tom : both fixed
@OLLI_S : can you please move it to fixed issue?

OLLI_S · 17 Feb 2021, 20:12

OK, then I mark this issue as solved.