Defender Notification and CVE-2026-28387
Posted by y0da822@reddit | sysadmin | 23 comments
Anyone get a notification from Defender that openssl needs to be upgraded? It's a crazy one because it shows like every app (even apps fully up to date) that need openssl updated. How does one even start to approach this?
Vulnerability Name CVE-2026-28387
Vulnerability Name CVE-2026-31789
Holiday_Process_5452@reddit
Azure Monitor Agent (Windows) is identified by Defender in some of the disk paths, Microsoft advised (through a ticket) they will need to take a look:
"c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\\monitoring\agent\extensions\metricsextension\libcrypto-3-x64.dll"
"c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\\monitoring\agent\extensions\metricsextension\libssl-3-x64.dll"
"c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\\monitoring\agent\libcrypto-3-x64.dll"
y0da822@reddit (OP)
lol
scratchduffer@reddit
I'm still showing openssl in some Lenovo drivers. There is a post from a supposed Lenovo rep stating they won't be fixing it as the part of openssl that has the vulnerability isn't in their code. I think the MS vulnerability detection isn't quite thorough unfortunately.
y0da822@reddit (OP)
Yep - I am sure that is the case also on a lot of software.
Helpjuice@reddit
Do you have software that uses openssl as in do you have any of these dll's and exes on your systems anywhere to include embedded in binaries and powershell scripts?
First determine impact to see if you are actually impacted:
I would recommend creating an inventory script in PowerShell to pull the metrics on where you are impacted.
Once you have done that pull the file versions and product information, then check what is currently loaded in running processes, then check the openssl versions and map the dll's back to the owning software. Take into account the apps that have openssl statically compiled into the binaries (you might be able to use an SBOM to get this information from the vendor).
Hopefully your EDR and vulnerability management systems can help you quantify and prioritize what to hit first based on actual impact versus a rush to update everything at the same time type situation.
Also note just because the app is fully up to date does not mean the embedded or shared openssl is updated which is the problem the defender notifications are trying to get you to address due to the problems having these unpatched enable on your systems.
Prioritize on exposure and please do not panic.
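The inventory Helpjuice describes (find the DLL copies, pull file and product version info, check what is currently loaded, map each copy back to the owning software directory), written out as an added PowerShell example; this is not a script from the thread. It assumes an elevated session (module enumeration of other users' processes needs admin), the standard OpenSSL 1.1/3.x DLL names, and a placeholder output path; statically linked OpenSSL is invisible to this and needs the vendor SBOM the comment mentions.

```powershell
# Added example, not from the thread. Run elevated. Output path is a placeholder.
$patterns = 'libssl*.dll', 'libcrypto*.dll'           # matches libssl-3-x64.dll, libssl-1_1-x64.dll, etc.
$roots    = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }

# Step 1: find every candidate DLL on local drives.
$dlls = foreach ($root in $roots) {
    foreach ($p in $patterns) {
        Get-ChildItem -Path $root -Filter $p -Recurse -File -ErrorAction SilentlyContinue
    }
}

# Step 2: snapshot loaded modules so each copy can be marked in-use (lower-case path -> process names).
$loaded = @{}
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            $key = $m.FileName.ToLowerInvariant()
            if (-not $loaded.ContainsKey($key)) { $loaded[$key] = [System.Collections.Generic.List[string]]::new() }
            $loaded[$key].Add($proc.ProcessName)
        }
    } catch { }   # access denied on protected processes is expected; skip them
}

# Step 3: version and vendor metadata, plus the directory that owns the copy.
# ProductName is usually "The OpenSSL Toolkit", so the parent directory is the better owner hint.
$report = foreach ($f in $dlls) {
    $vi  = $f.VersionInfo
    $key = $f.FullName.ToLowerInvariant()
    [pscustomobject]@{
        Path           = $f.FullName
        FileVersion    = $vi.FileVersion
        ProductVersion = $vi.ProductVersion
        ProductName    = $vi.ProductName
        Company        = $vi.CompanyName
        OwningDir      = $f.Directory.FullName
        LoadedBy       = if ($loaded.ContainsKey($key)) { ($loaded[$key] | Sort-Object -Unique) -join ';' } else { '' }
        LastWrite      = $f.LastWriteTime
    }
}

$report | Sort-Object OwningDir, Path | Export-Csv -Path 'C:\Temp\openssl-inventory.csv' -NoTypeInformation

# Triage view: which OpenSSL builds are bundled, how many copies, and which are actually mapped into a process.
$report | Group-Object FileVersion | Select-Object Count, Name | Sort-Object Count -Descending
$report | Where-Object { $_.LoadedBy } | Select-Object FileVersion, LoadedBy, OwningDir
```

Copies with a non-empty LoadedBy column are the ones to prioritise; the rest are on disk but not in use at scan time.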
SolidKnight@reddit
In MDE, it will tell you the exact path to the file it detected and the version of that file. It will be broken down by device, or you can see all the detections across the board.
There are a ton of outdated OpenSSL libraries floating around Windows and even more in apps. Microsoft hasn't addressed some of the ones in their own OS for years.
y0da822@reddit (OP)
Yep - ok - I am not alone with this. Crazy. When I saw it I was like wow - it's every app - even MS apps.
PTCruiserGT@reddit
Definitely not alone.
We’ve used this as an opportunity to remove apps (paint/photos/etc) we don’t really need, thereby also reducing our attack surface.
y0da822@reddit (OP)
I’m definitely not worried. We have all kinds of different security software running. There’s so many applications that have those DLLs, Defender actually put it in a list for you and you can see. It’s even things like Microsoft Office and even some applications that I’ve just updated last week. This is more I think just a broad announcement that hey this is coming to an end and yes, the software vendor will eventually put on an update that will fix the problem. But the way they put it in Defender, it’s like the red lights are going off.
bakonpie@reddit
you don't. the app developer releases an update which has the fixed versions of the OpenSSL library. you then install that update. until then, inform management and have them accept the risk. then track the releases of the affected software.
y0da822@reddit (OP)
That’s what I figured. It doesn’t make sense because almost every application has that DLL in it. Even my most up-to-date applications, like something that I just updated last week.
frac6969@reddit
Once in a while the number of exposed devices dips and I know some applications finally got updated. But it doesn’t stay that way for long before more vulns are discovered.
y0da822@reddit (OP)
Yep!
bakonpie@reddit
software developers suck and persistently leverage old libraries which almost never get updated until they are in a news headline about a threat actor exploiting the software. OpenSSL is just common enough that vulnerability management solutions have to flag it. when you have some spare time, dive into all the out-of-date 3rd party libraries included in the software used by your organization and you'll see how widespread this problem is.
y0da822@reddit (OP)
Yep. For sure. It’s just the way defender presented this that it was just weird.
Minimum-Albatross906@reddit
Yeah, welcome to the magical world of patching, where us sysadmins understand how things work, and managers are seeing everything through $magic_security_metric_from_vendor and want that number to just go down.
Systems are complex, and injecting random ass DLLs into program folders to try and patch out a vulnerability isn't the right way most of the time. Not only that, but you're apt to bork the system, and if people can't get their work done, you're really fucked.
Qualys does the same thing for us occasionally. It will find DLLs as dependencies for software, which can make patching confusing.
My advice is to have a regular patching cadence, and part of that will be documentation.
customkernelkyle@reddit
https://static.klipy.com/ii/d7aec6f6f171607374b2065c836f92f4/91/0d/TiPWMlGn.gif
and then they'll complain when their app gets pwned because they shipped with openssl 1.1.1
DiamondLatter1842@reddit
Defender can get kind of noisy with these CVE alerts, especially when it lists every app on the system. Then I decided to try Atera: I ran a quick vulnerability scan, filtered out the false alarms, and then used its patch management to roll out the openssl update where it was actually needed. Saved me a ton of headaches.
jake_that_dude@reddit
you usually start by mapping the DLL path, not the app name.
Get-ChildItem C:\ -Filter libssl*.dll -Recurse or where.exe openssl.exe, then check the file version and which vendor shipped it. defender is flagging the embedded copy, so the fix is the app update, not a blanket openssl install. if it keeps surfacing across lots of apps, I’d pull the common software list and see which vendor bundle is dragging the same OpenSSL build everywhere.
Pub1ius@reddit
All we've been able to do is wait on software developers to update their shit. I mean MS Paint and Windows Photo Viewer use outdated OpenSSL versions for Christ's sake.
Zoom, Adobe, lots of others out there guilty of the same.
y0da822@reddit (OP)
Haha. Exactly my point and why I posted this.
jimmothyhendrix@reddit
Commenting to follow