Microsoft angers admins as April Patch Tuesday delivers password feature without migration guidance
Security fixes include a zero day exploited by a ransomware group and seven critical flaws
Microsoft’s April 2023 Patch Tuesday delivered not just the usual score of security fixes for Windows admins, but also a new feature that has attracted criticism from the IT community.
The Windows 11 22H2 KB5025239 cumulative update, among other fixes and features, delivers the new Windows Local Administrator Password Solution (LAPS) to IT teams managing both on-prem and cloud environments.
Microsoft LAPS manages and backs up local admin account passwords on Azure Active Directory-joined devices.
It’s seen as one of the most secure ways to ensure unauthorized users aren’t able to access things they’re not supposed to.
The new LAPS is available for Windows 10&11 Pro, EDU, and Enterprise versions, as well as Windows Server 2022, Windows Server Core 2022, and Windows Server 2019.
LAPS for Azure AD is not yet available. It’s now bundled into Microsoft Entra - the name given to Microsoft’s identity and access products that can be managed through a single portal.
The Azure AD version of LAPS is expected to go from private to public preview “later this quarter,” said Jay Simmons, development lead at Microsoft, and will deliver new features such as password encryption, password histories, an emulation mode, and automatic rotation.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
“Windows LAPS is a huge improvement in virtually every area beyond Legacy LAPS,” he added.
Online IT admin communities have not greeted the news as warmly as expected.
The main issue among these communities relates to concerns over how to migrate.
Leaked today, exploited for life
How social media biometric patterns affect your future
The new LAPS feature has been released but Microsoft has not supplied the community with any documentation detailing how to complete the migration.
Some professionals have already encountered issues where the new LAPS has stopped working due to nuances in the migration process.
The prevailing advice is to stop deploying the legacy LAPS MSI immediately after the April Patch Tuesday update is applied.
Failure to do so reportedly breaks the new LAPS and prevents legacy LAPS from updating passwords.
“You need to update documentation and guidance very soon,” one user told Simmons in an online discussion.
“I hate spending my day discovering something that is about to hit 100,000 of our machines doesn't have guidance, and we have to action something,” they added.
“If migration docs aren’t available yet, [why] was this released,” another asked. “This tells me that documentation, upgrades, and coexistence, were not given any priority - which is bloody shocking but given how Microsoft pushes stuff out the last few years, I suppose it really shouldn’t be any more.”
Simmons responded to users by saying that he “should have been better prepared” to allay the global community’s concerns.
“New Windows LAPS has been designed to be an almost entirely opt-in feature, using a separate brand new GPO policy and separate brand new AD schema attributes, which – at least to my Microsofty-mind – mostly mitigates the risk of applying the patches to existing environments,” he said.
“But regardless yes we should have preemptively called this out in the post so as to not scare folks.”
Error-strewn Patch Tuesday releases are becoming something of a commonality from Microsoft, with the monthly updates often presenting major issues for IT teams.
Most recently in last month’s March Patch Tuesday updates, IT admins complained about a variety of problems after installing patches for an Outlook zero day.
Windows 10 users were hit with the infamous blue screen of death after installing December’s updates, and around a year earlier IT admins were forced to ignore the security fixes for a month as a result of the rampant issues reported by the community.
April 2023 Patch Tuesday Summary
Microsoft’s April 2023 Patch Tuesday brought fixes for 97 total security vulnerabilities including seven critical-rated flaws and one zero day that’s been actively exploited by a ransomware group.
Tracked as CVE-2023-28252, the privilege escalation vulnerability in Windows Common Log File System (CLFS) Driver grants SYSTEM-level privileges if successfully exploited.
Kaspersky identified exploit attempts dating back to February 2023 that it said were very similar to other types of exploits it had been tracking.
The team investigated and discovered that it was a zero day affecting different versions of Windows, including Windows 11.
The Nokoyama group is described as “sophisticated” and used a newer version of its ransomware payload, which has historically been a rebranded version of JSWorm. Now written in C with encrypted strings.
In previous attacks, Nokoyama has also deployed the Cobalt Strike penetration testing tool to evade antivirus products, and a custom modular backdoor called Pipemagic in other attacks.
Security predictions for 2023
Prioritise cyber security strategies on capabilities rather than costs
Kaspersky said it believes “CVE-2023-28252 could have been easily discovered with the help of fuzzing” - a technique that sees automated injections of invalid or unexpected inputs into a target system to reveal security vulnerabilities.
It said that the clfs.sys driver extensively uses try/catch blocks to handle exceptions, so code continues to execute as if no errors were thrown.
Kaspersky’s analysis showed that a possible access violation that follows after the vulnerability is triggered was masked by one of these exception handlers, and because there was no crash, fuzzers were most likely ‘finding’ the vulnerability but not reporting it as a potential issue.
April 2023 Patch Tuesday breakdown
This month’s 97 security fixes slightly exceeded March’s total of 83, with the overall count not including the 17 Microsoft Edge issues patched on 6 April.
All seven of the critical-severity vulnerabilities were remote code execution (RCE) flaws.
The two most serious of which, CVE-2023-21554 and CVE-2023-28250, affecting Microsoft Message Queuing and Windows Pragmatic General Multicast (PGM) respectively, both scored a near-maximum 9.8/10 on the CVSS v3 severity scale.
Four RCEs were also found in Microsoft Office, Microsoft Word, and Microsoft Publisher, and were exploitable by opening malicious documents.
All four were categorized under “exploitation less likely” by Microsoft. This classification is designated to vulnerabilities for which attackers would either have difficulty writing the code, require expertise and/or sophisticated timing, or would experience varied results when testing the vulnerable target.
These flaws are also not recently exploited in the wild but given the potential impact of successful abuse, the vulnerability warrants an update regardless.
The full breakdown of the vulnerabilities’ types can be found below:
- 45 remote code execution
- 20 elevation of privilege
- 10 information disclosure
- 9 denial of service
- 7 security feature bypass
- 6 spoofing
Microsoft's full dashboard of the month’s updates can be found on its website.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.