Microsoft has released an emergency out-of-band (OOB) update full to address an array of issues found in last week's Windows Server patch, but IT administrators are in agreement that they will not apply them.
Last week's Patch Tuesday fixed a host of issues across Microsoft products, including a number of zero-day vulnerabilities, but Windows Server administrators have complained that some of the patches released have created even more problems.
Because of the issues introduced by the most recent cumulative patches, IT administrators discussing the issues on Reddit are mostly in agreement that forgoing the patches and waiting for the next cumulative update in February is the best course of action to minimise operational disruption and complexity.
The patches issued last week have been breaking a number of key components in business environments and the solution many administrators have turned to is to uninstall the updates entirely.
Four main flaws
The latest out-of-band update from Microsoft issued this week aims to address the issues faced by businesses running Windows Servers but in some cases, it first requires administrators to install the broken patch from last week.
The issues businesses are currently facing include domain controllers unexpectedly restarting and entering boot loops every few minutes. The issue is thought to affect all supported Windows Server versions and the failure in the LSASS.exe process means Windows cannot run correctly.
Microsoft Hyper-V is also affected by the patches, with enterprise virtual machines (VMs) failing to start on some Windows Servers. In addition, ReFS-formatted removable media is failing to mount post-patch, which has caused issues for administrators thinking their external drives were corrupted. Numerous reports of experts formatting their drives after applying last week's patches, only to realise it was in vain, have appeared on social media, too.
To cap off a bug-laden release of patches, some L2TP VPN connections are also failing across Windows 11, Windows 10, and certain Windows Server versions.
Microsoft has issued fixes the all of the aforementioned issues and aside from the ReFS-formatted media issues, they are cumulative updates which means they do not require administrators to install the broken patch from last week first.
The updates are available in the Microsoft Update Catalogue which also has instructions on how to install the updates manually into Windows Server Update Service (WSUS).
A risky response?
Despite most of the updates being cumulative, IT admins are seemingly still in agreement that they will be waiting until February, or until a fully safe wave of patches arrives, to fix the Windows Server issues.
One user said: "I'll be waiting on the cumulative... I'm not reinstalling a broken patch I just removed from a bunch of servers to then have to immediately apply a fix to said patch."
Another user said installing the out-of-band update made matters worse: "[We] received the bad updates this morning, and Exchange wouldn't see the Active Directory (AD) environment anymore. I saw the optional OOB update and installed that - [it] actually made the problem worse. I removed all of the updates and AD was back to being seen and Exchange was finally working."
Weighing in on the matter, outside experts have said the idea of forgoing updates is one that shouldn't be taken lightly and the risks of leaving environments open to known vulnerabilities need to be considered on balance with the potential disruption the updates themselves could cause an organisation.
"This is very much a question of risk management and risk assessment," said Andy Norton, European cyber risk officer at Armis to IT Pro. "Clearly the risk from installing the patch is one of disruption to the organisation. If you balance that with the risk from a cyber attack stemming from the issues that are not addressed by failing to patch, you then have both sides of the equation and are able to make a decision.
RELATED RESOURCE
Modern governance: The how-to guide
Equipping organisations with the right tools for business resilience
"There were six zero-day flaws addressed in the January patch, however, none of these zero-days are actively being exploited currently, and so it may appear that the consensus is to delay the patching process as it is riskier than being exposed to the zero days."
Alan Calder, CEO at GRC International Group, added: "If it were my business, and a sysadmin said they thought it might be ok to continue with critical vulnerabilities unpatched until Patch Tuesday in February, we would have had a very blunt conversation about taking cyber security seriously."
In a statement given to IT Pro, Microsoft said: "We recommend customers install updates released on January 17."
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
