When Windows updating goes bad — the case of the problematic patch
To update or not to update, for Windows users that's the monthly question. And with last month's KB5012170, you had better get the answer right.
Every month, Windows users and administrators receive updates from Microsoft on Patch Tuesday (or Wednesday, depending on where you are located). And each month, most users all apply the same updates.
But should we?
Case in point: KB5012170, a patch released on Aug. 9 that either causes no issues — or triggers BitLocker recovery key requests, or won't install at all, demanding that you go find a firmware update. This patch, referred to as the Security update for Secure Boot DBX, applies to nearly all supported Windows releases. Specifically, it affects Windows Server 2012; Windows 8.1 and Windows Server 2012 R2; Windows 10, version 1507; Windows 10, version 1607 and Windows Server 2016; Windows 10, version 1809 and Windows Server 2019; Windows 10, versions 20H2, 21H1, and 21H2; Windows Server 2022; Windows 11, version 21H2 (original release), and Azure Stack HCI, version 1809, all the way to Azure Stack Data Box, version 1809 (ASDB).
Whew.
But here's the thing: not all machines share the same risk factors. This particular update deals with a security risk where “a security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software. This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.”
As noted in the Microsoft guidance: “To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks, thereby allowing arbitrary executables and drivers to be loaded onto the target device.”
I don't recommend ignoring or blocking updates unless the risk of side effects is greater than the patch itself. In this particular case, the attacker has to have one of two things happen.
I've yet to be convinced that for most home users the risk to these machines warrants the installation of this patch. Too often, we've seen side effects that are just as impactful as the risk of attack itself. As noted in the Eclypsium blog: “In April 2019, a vulnerability in how GRUB2 was used by the Kaspersky Rescue Disk was publicly disclosed. In February 2020, more than six months after a fixed version had been released, Microsoft pushed an update to revoke the vulnerable bootloader across all Windows systems by updating the UEFI revocation list (dbx) to block the known-vulnerable Kaspersky bootloader. Unfortunately, this resulted in systems from multiple vendors encountering unexpected errors, including bricked devices, and the update was removed from the update servers.”
So when KB5012170 was released to certain machines, it was offered to all machines — including virtual ones (even those using Legacy BIOS settings). While the vast majority installed the update just fine, there were some machines explicitly blocked, though, including HP Elite series without DBXEnabled, FUJITSU FJNBB38 and Mac Boot Camp. KB5012170 gets
The three boot loaders that are vulnerable include CryptoPro Secure Disk; another is a testing tool and disk wiper called Eurosoft UK; the last, Reboot Restore Rx Pro, is used to revert changes on a PC after a reboot in classrooms, kiosk PCs, hotel guest PCs, and so on. Even if you aren't using these three vulnerable loaders, you'll get this “BIOS update.”
But the side effects can be disastrous. Just ask Mike Terrill, who writes Mike's Tech Blog, and who explained recently how the bad side of patching played out for him. Most likely, he had a computer like certain Dell or HP models that set up BitLocker on the C: drive and then did not prompt the user to save the recovery key to a backup location the person knows about. (Normally, when BitLocker is set up with either an Azure Active Directory account or a Microsoft account, the BitLocker recovery key is saved and you can log in and find it. But certain machines turn on drive encryption and don't back up the key; you reboot your system after installing KB5012170 and it asks for a recovery password you don't have.)
Some users have reported that following these steps allowed them to boot successfully into the operating system:
All of this is designed to highlight why you shouldn't assign the same level of risk to every update. In this example, installing the update and triggering the request for a BitLocker recovery password you don't know causes as much harm, if not more, than the issue being fixed.
Microsoft has to acknowledge and provide more support for updates that trigger side effects, and warn users. It's not enough to document the problems in a Known Issues section — users need to be confident that patches won't harm their systems. Users on standalone machines should be prompted to enter a BitLocker recovery key before these kinds of updates to make sure they have the key. If they cannot do so, the update should walk them through the process of either disabling BitLocker or resetting the BitLocker recovery key.
Patches shouldn't hurt. This isn't the first time that a Secure Boot patch has triggered additional pain and harm, but it should be the last.
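The check the column asks Microsoft to build can be approximated today by an administrator before approving a DBX update. The following PowerShell script is an added example, not code from the column or from Microsoft; it assumes it is run elevated on a UEFI machine with the built-in BitLocker and SecureBoot modules, and the `$BackupFolder` path (`E:\BitLockerKeys`, meant to be a USB stick the user controls) is a hypothetical location. It records whether Secure Boot is on and how large the current DBX is, reports whether KB5012170 is already listed as installed, and makes sure every protected volume has a recovery password that has been copied off the machine before a reboot can ask for it.

```powershell
#Requires -RunAsAdministrator
# Pre-flight check before installing a Secure Boot DBX update such as KB5012170.
# Added example; not from the column or from Microsoft. Assumes an elevated session on a
# UEFI Windows machine. $BackupFolder is a hypothetical path on removable media.
param(
    [string]$BackupFolder = 'E:\BitLockerKeys'   # assumption: a USB stick the user keeps
)

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on Legacy BIOS systems, which is
#    the same signal: the DBX update has nothing to revoke on such a machine.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
}
Write-Host "Secure Boot enabled: $secureBoot"

if ($secureBoot) {
    # Size of the current revocation list. Note the value before the update and compare
    # afterwards to confirm the DBX actually changed.
    $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length
    Write-Host "Current DBX size: $dbxBytes bytes"
}

# 2. Is the update already listed as installed?
$kb = Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue
Write-Host ("KB5012170 listed by Get-HotFix: {0}" -f ($null -ne $kb))

# 3. For every volume with BitLocker protection on, ensure a recovery password protector
#    exists and write it somewhere reachable without booting this machine.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
if (-not $volumes) {
    Write-Host "No volumes with BitLocker protection on; a recovery prompt cannot occur."
    return
}

New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
foreach ($vol in $volumes) {
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        # Add a recovery password now rather than discovering at the blue recovery
        # screen that the machine never had one.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($rp in $recovery) {
        $name = '{0}-{1}.txt' -f $vol.MountPoint.TrimEnd(':'), $rp.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupFolder $name
        @(
            "Volume: $($vol.MountPoint)",
            "KeyProtectorId: $($rp.KeyProtectorId)",
            "RecoveryPassword: $($rp.RecoveryPassword)"
        ) | Set-Content -Path $file
        Write-Host "Recovery password for $($vol.MountPoint) written to $file"
    }
}
```

Run it once before the update is approved and once after the reboot; if the DBX size reported in step 1 has not changed, the update did not apply its revocations. Where a machine is domain- or Azure AD-joined, `Backup-BitLockerKeyProtector` or `BackupToAAD-BitLockerKeyProtector` can escrow the same key protector instead of writing it to removable media; and suspending protection for one reboot with `Suspend-BitLocker -MountPoint C: -RebootCount 1` before a firmware-affecting update is the standard way to avoid the recovery prompt the column describes.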