Windows 10: Microsoft: enabling KB5028407's security patch could break something, but we won't tell you...

Discussion in 'Windows 10 News' started by GHacks, Jun 17, 2023.

  1. GHacks
    GHacks New Member

    Microsoft: enabling KB5028407's security patch could break something, but we won't tell you...


    Microsoft released security patches for all supported versions of Windows on the June 2023 Patch Tuesday. One of the patches addresses a security issue in Windows Kernel. While Microsoft did ship the security patch as part of the cumulative update on Tuesday, it did not enable the particular mitigation.

    Microsoft explains on a support page that an attacker does not need elevation or administrative privileges to run the attack, and that it could allow the attacker to "view heap memory from a privileged process that is running on the server".

    Windows devices remain vulnerable to attacks targeting the issue if the patch is not enabled in the Registry by a system administrator. The issue affects all supported Windows 10 and 11 operating systems as well as Windows Server 2022.

    Microsoft did not reveal why it decided against enabling the patch by default, as it would protect all devices against the potential attack.

    We asked users to be cautious and either create a system backup before enabling the patch manually or wait some days before doing so. Microsoft must have a reason for releasing the patch in disabled state.

    Microsoft has now added an addendum to the patch notes. System administrators who had hoped that Microsoft would provide a reason for not enabling the security mitigation by default will be disappointed though, as the company is still tight-lipped about potential issues that may arise from enabling it.

    Microsoft writes: "The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it. In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible."

    In other words: enabling the mitigation may break something, but Microsoft won't tell its customers what it could be. Administrators need to find out by themselves therefore, which is a problem, as Microsoft does not give any hints what to look for. Administrators may spend hours evaluating systems to find potential breakage.

    Microsoft plans to enable the patch by default in the future, but it has not provided a timeframe for doing so.

    The original recommendation still stands because of Microsoft's refusal to provide vital information to system administrators. Create backups before enabling the Registry changes or wait until additional information becomes available.

    Now you: have you enabled the Registry change on your device(s)?

    Thank you for being a Ghacks reader. The post Microsoft: enabling KB5028407's security patch could break something, but we won't tell you what appeared first on gHacks Technology News.

     
    GHacks, Jun 17, 2023
    #1
  2. POGE Win User

    Huge Flaw in IE: Microsoft scrambles to make patch

    Today, security firm Secunia announced that there was a security hole in Microsoft's Internet Explorer. This hole could allow hackers to gain control of users' computers and turn them into zombies that send out spam, or corrupt their hard drive. Microsoft is quickly trying to make a patch for this issue, but until then they are suggesting that people use Firefox. Yes, you heard right. They are suggesting people to use Firefox.

    Source: Technology Review
     
  3. heavyd Win User
    Reason to delay security patches

    IT departments are in a very difficult position when it comes to security updates and they have responsibilities that are at odds with each other. On one hand, their entire job is to provide a stable IT platform that the business can run on. On the other hand, part of keeping that platform stable means keeping machines up to date with security patches.

    Based on your short description, it sounds like your company's IT department is either lazy or overworked. I tend to think it's probably the latter since that is a very common thing for IT departments. They know they should be applying patches every month, but that requires testing the patches against all of the machine configurations in the enterprise to make sure they don't break any drivers, and then testing them against all of the internal, business critical applications to make sure they don't cause downtime for hundreds of employees. That takes time, a lot of time, and if the IT department is already overworked, that could mean they find it acceptable to do all that testing every six months, instead of every month.

    As for actual apps getting broken by updates, it does happen, and as I mentioned before it is IT's job to keep the enterprise IT infrastructure stable. Below I'll list a couple of instances where Windows Update caused widespread breakages of consumer machines. Please note, these kinds of breakages tend to happen more in the enterprise with custom apps and infrastructure:

     
    heavyd, Jun 17, 2023
    #3
  4. DJeyAllen Win User

    Does enablement package include security patches

    Hello MS, all our devices have not been updated since Sept 2022. Currently we are planning to update to 22h2 via enablement package. Does this enablement package include the latest security patches? If no, after I upgrade to 22h2, do I need to install all the monthly security patches that I missed, or can I just install the 1 latest patch? Can someone advise on this? Thank you in advance.
     
    DJeyAllen, Jun 17, 2023
    #4