M365 Admin Defender Vulnerability Management Recommendations - Openssl !!!!!!!!!!!!

oikjn

Ars Scholae Palatinae
1,015
Subscriptor++
Is there any sane way to deal with the security recommendation from M365 Defender to patch Openssl on client devices? It is by far the largest negative score impacting "issue" I have and the OCD side of myself just wants to clear as much of it up as possible.

Looking around, it seems like the answer is always "developer, update your program and send a program patch", but some of these hang around for ages...

(1) on programs that aren't updated, can I try replacing the "bad" dll files with a patched one of the same basic generation (like when it says 3.1.1, I can replace it with maybe 3.1.6?)

(2) half the reports are things like c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_fc84dfa25a6 or c:\program files\windowsapps\microsoft.windows.photos_2024.11100.16009.0_x64 or c:\program files\microsoft onedrive\24.226.1110.0004\libcrypto-3-arm64.dll which I assume should have been updated with Windows updates... do I just ignore these things? The devices all report back no missing KBs and should be fully patched. :\
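Before deciding what to do about each finding, it helps to know which copies of the OpenSSL DLLs actually exist on a client and what version each one carries, because the owning folder (a vendor's program directory, a Store package, a driver package) tells you whose update is the real fix. The script below is an added example, not code from the thread or from Microsoft; it assumes the usual OpenSSL DLL names (libcrypto-*.dll, libssl-*.dll), that the build stamps the OpenSSL version into the file's version resource (as the 3.1.1 / 3.0.6 values in the thread suggest), and the search roots listed, which are the ones mentioned above plus Program Files (x86). It only reads files.

```powershell
# Added example (not from the thread): inventory OpenSSL DLLs on a Windows client and
# list the version each copy carries, so Defender Vulnerability Management findings can
# be matched to the product that owns the copy. Read-only; run from an elevated prompt
# so DriverStore and WindowsApps can be enumerated (access errors are skipped).

# Assumed search roots: the thread's locations plus Program Files (x86)
$roots = @(
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:ProgramData",
    "$env:SystemRoot\System32\DriverStore\FileRepository"
)
# Assumed OpenSSL DLL naming scheme (1.1.x and 3.x builds)
$patterns = 'libcrypto-*.dll', 'libssl-*.dll'

function Convert-ToVersion([string]$s) {
    # Normalise strings like "3.0.15", "1.1.1w" or "3.1.1.0" to [version];
    # anything unparseable sorts first so it is not silently hidden
    $clean = ($s -replace '[^\d.].*$', '').TrimEnd('.')
    $v = [version]'0.0'
    if ([version]::TryParse($clean, [ref]$v)) { return $v }
    return [version]'0.0'
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $patterns -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion   # OpenSSL version as stamped by the build
                ProductName = $_.VersionInfo.ProductName
                # Folder two levels up usually names the owning product or package
                Owner       = Split-Path (Split-Path $_.FullName -Parent) -Leaf
                LastWrite   = $_.LastWriteTime
            }
        }
}

# Summary: which OpenSSL builds are present and how widespread each one is
$findings | Group-Object FileVersion | Sort-Object Count -Descending |
    Select-Object @{n = 'FileVersion'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Detail, oldest version first: each row shows who owns that copy of the DLL
$findings | Sort-Object { Convert-ToVersion $_.FileVersion } |
    Format-Table FileVersion, Owner, LastWrite, Path -AutoSize

# Export for side-by-side comparison with the DVM exposed-device report
$findings | Export-Csv -Path "$env:TEMP\openssl-inventory.csv" -NoTypeInformation
```

The summary table makes it obvious whether one old build accounts for most of the score, and the Owner column separates copies that Windows Update or the Store will refresh (DriverStore, WindowsApps, OneDrive) from copies shipped inside third-party installers, which is the set where a vendor update is the only supported remediation.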

oikjn

Ars Scholae Palatinae
1,015
Subscriptor++
The program files\windowsapps\ folder seems to be a special hidden OS folder that even admin doesn't have regular access to. I guess I can go into it, but I'm not going to mess with it at the moment and will just ignore those items. What about all the other ones? Is this something everyone just ignores? The general advice is "update your program", like you are the developer for the program and have control of that!

continuum

Ars Legatus Legionis
97,809
Moderator
Okay, my experience here is mostly on the client end, not server, so this example is from Windows 11:

But I was thinking of the Disk Cleanup tool that's built in, to potentially clean up some of these files?

(attached screenshot of the Disk Cleanup tool)

oikjn

Ars Scholae Palatinae
1,015
Subscriptor++
Tried... nope. I think some of those are pre-packaged installers, but ignoring those sources, is there anything that can/should be done for other non-patched programs that don't have patches? Like, is it very risky to try replacing the dll with a dll that is up another layer in the patch sequence, assuming you don't jump major versions? Like going into a program folder of an old program and replacing the dlls dated from 3.0.6 with 3.0.15?