{"id":22268,"date":"2023-06-20T10:30:05","date_gmt":"2023-06-20T18:30:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/06\/20\/news-15998\/"},"modified":"2023-06-20T10:30:05","modified_gmt":"2023-06-20T18:30:05","slug":"news-15998","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/06\/20\/news-15998\/","title":{"rendered":"With one June Patch Tuesday update, Microsoft falls short"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2023\/03\/windows-update-patch-by-clint-patterson-via-unsplash-100938641-small.jpg\"\/><\/p>\n<p>I\u2019ve tracked Microsoft\u2019s Windows patches for years and closely watched all of the changes the company has made. I remember when you had to install updates in a certain order \u2014 and watch for which one had to be installed first. I remember the arrival of automated patching using Software Update Services (later called Windows Server Update Services). I\u2019ve seen how we went from a system where each vulnerability was patched individually to what we now have: cumulative patching.<\/p>\n<p>The ideal patch is self-contained. Install, reboot, get back to your work. It causes no side effects. It protects the operating system. And you forget about it because it does what it\u2019s supposed to do.<\/p>\n<p>Many in the security industry remember specific security incidents and wax poetically about them. I tend to remember particular patches and their side effects. My favorite was a long ago update that triggered a blue screen of death. This particular update, MS10-015, fixed an elevation-of-privileges issue by making changes to kernel registers. 
The problem: in some places outside the US, users were running software that bypassed the need for a product licensing key \u2014 and it used exactly the same registers to hook into the Windows kernel.<\/p>\n<p>So, when that patch was installed, it immediately triggered a BSOD and the computer could not be recovered. To get to the root cause, Microsoft even went so far as to purchase a laptop from an affected customer. (The story is\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/events\/blue-hat-security-briefings-bluehat-security-briefings-fall-2010-sessions\/v10-2\" rel=\"noopener nofollow\" target=\"_blank\">recounted in this video<\/a> by Dustin Childs, head of the Microsoft Security Response Center.)<\/p>\n<p>Fast forward to <a href=\"https:\/\/www.computerworld.com\/article\/3699673\/junes-patch-tuesday-updates-focus-on-windows-office.html\">this month\u2019s Patch Tuesday release<\/a>. It included an update that doesn\u2019t fully protect the operating system until someone deploys <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/sysinfo\/registry-hives\" rel=\"noopener nofollow\" target=\"_blank\">registry hives<\/a> and keys \u2014 details that are almost buried in the KB article. To find it, you had to expand the Windows 10 21H2 section to get to a tiny link to an <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080\" rel=\"noopener nofollow\" target=\"_blank\">additional Knowledge Base article<\/a>. 
Mind you, 21H2 got its final update this month, so while Microsoft often showcases changes that affect both 21H2 and 22H2 in this manner on the same bulletin, it seems odd to bury this information so far down in the update history.<\/p>\n<p>The details about one of Microsoft&#8217;s June patches requiring digging around in an additional KB article.<\/p>\n<p>The guidance to take additional action is found in the \u201cto learn more\u201d section and it\u2019s not even clear we have to manually add the registry hive. Why wasn\u2019t this just part of the update? (The patch doesn\u2019t even include the registry keys in a disabled setting, users have to add the entire hive on their own.) Then, last Thursday, Microsoft noted that the manual steps might introduce a \u201cpotential breaking change\u201d but gave no clue as to what that change might affect or even what to look for.<\/p>\n<p>Microsoft added to the patch confusion with a follow-up note on June 15.<\/p>\n<p>The needed registry key is unique to each version of Windows 10 and 11 as well as Server 2022. Now, there is some good news here. The vulnerability is described this way:<\/p>\n<p>An authenticated user (attacker) could cause an information disclosure vulnerability in Windows Kernel. This vulnerability does not require administrator or other elevated privileges.<\/p>\n<p>The attacker who successfully exploits this vulnerability could view heap memory from a privileged process that is running on the server.<\/p>\n<p>Successful exploitation of this vulnerability requires an attacker to coordinate the attack with another privileged process that is run by another user in the system.<\/p>\n<p>Translated, this would be an attacker going after a high-value target, not consumers or even many businesses. And it would not be a trivial attack to pull off, given that it would need to be a blended attack that takes extra time and effort. 
That still doesn\u2019t minimize the concerns I have about how badly the communication has been on this particular release \u2014 especially the lack of information about what side effects could occur. I manually added the registry hive to a Windows 10 22H2 machine in the office and a Windows 11 22H2 PC at home and I\u2019ve seen no direct impact.<\/p>\n<p>So, let\u2019s recap. We have a vulnerability where some users, <em>but not all<\/em>, need to take additional action. The registry settings must be done manually, while paying close attention to the unique keys needed for each OS. If you\u2019re an IT admin, consider using <a href=\"https:\/\/ajf8729.com\/post\/cve-2023-32019-kb5028407-registry-settings\/\" rel=\"noopener nofollow\" target=\"_blank\">PowerShell<\/a> or some other technique to deploy these keys. That said, unless your business is at high risk, I would skip doing this. Until Microsoft provides more information about any side effects, use your time and energy on other projects that will better protect your network, or that will validate other patch implementations. There are many other security projects you would be better served doing.<\/p>\n<p>The same advice holds true if you\u2019re a small business user, or manage a PC at home: I don\u2019t see any need to add these registry keys now.<\/p>\n<p>Finally, Microsoft needs to do better. Your communication about this release has been abysmal, and communication is about as important to security as patching. You\u2019ve blown this one; it feels like we\u2019ve gone back about 20 years in terms of security communication. 
Let\u2019s hope this is not a trend going forward.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3700189\/with-one-june-patch-tuesday-update-microsoft-falls-short.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,24580,10525],"class_list":["post-22268","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-small-and-medium-business","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22268"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22268\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22268"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}