All posts by Connor Jones

Microsoft delays Office 365 and Microsoft 365 price hike


Connor Jones

4 Mar, 2022

Microsoft has announced that it will be delaying the planned price increase on Office 365 and Microsoft 365 products by a few weeks due to high demand for the services in the run up to the changes.

First announced in August 2021, the “substantive” price increases across a number of Modern Work products were due to come into effect on 1 March 2022.

Microsoft said the “transitional grace period” was implemented to “provide partners with additional lead time for adapting business processes”. It added that it does not believe partners will use the additional time to pull forward demand for the products.

All new commerce transactions will need to be submitted to Microsoft by no later than 14 March 2022 at 5 PM Pacific Daylight Time, or midnight at Coordinated Universal Time (UTC), in order to be eligible for the February 2022 pricing.

The price increases range between $1-$3 per user, depending on the product, but in large companies this can amount to a sizeable increase to IT departments’ overhead costs.

The six Modern Work products affected by the price changes include: 

  • Microsoft 365 Business Basic: $6 per user per month, up from $5
  • Microsoft 365 Business Premium: $22 per user per month, up from $20
  • Office 365 E1: $10 per user per month, up from $8
  • Office 365 E3: $23 per user per month, up from $20
  • Office 365 E5: $38 per user per month, up from $35
  • Microsoft 365 E3: $36 per user per month, up from $32

In the initial announcement, Microsoft said it represented the first major pricing adjustment for Office 365 and Microsoft 365 since it was launched in 2011, a decade previously.

Higher demand for cloud services brought on by the ongoing trend of home and hybrid working prompted the tech giant to make the change, said Jared Spataro, corporate vice president at Microsoft 365.

In December 2021, four months after the announced price increases, Microsoft also said it would be raising the prices of pay-monthly Microsoft 365 products by 20% unless partners chose to be billed on an annual basis.

Managed Service Providers (MSPs) complained at the time that they could stand to lose money if a customer went bankrupt or chose to decrease the number of licenses they needed if they opted for an annual subscription.

The move prompted heated online discussions and a Change.org petition lobbying Microsoft to reconsider the decision, which garnered more than 2,000 signatures.

Novel phishing method deceives users with ubiquitous IT support tool


Connor Jones

22 Feb, 2022

A cyber security researcher has documented a novel phishing technique that involves cyber criminals harnessing virtual network computing (VNC) technology on a private server to launch a variety of attacks.

Using the open source noVNC client, the phishing technique allows successful attackers to launch malicious code into a victim’s browser, plant a keylogger, and passively observe all user activity.

The researcher, who goes by the name mr.d0x, claims the method bypasses two-factor authentication (2FA), including the 2FA Google uses for Gmail and Google accounts, and allows credentials to be stolen.

The phishing page effectively turns the victim’s browser into a VNC client for a browser the attacker controls: the victim types their credentials and 2FA code into the attacker’s session, so it is the attacker’s browser that ends up logged in. The attacker can watch and record everything, creating a man-in-the-middle (MITM) position without ever needing to proxy or clone the real site.

The technology is common in modern businesses, with employees being familiar with IT support teams accessing their computers remotely to resolve technical issues. 

The initial deception follows the usual phishing pattern – a carefully crafted email supplies a link the user is meant to click. Rather than a cloned login page, the link opens a noVNC session served from the attacker’s machine, so what the victim sees is the attacker’s own browser displaying the genuine login page.

The attack can be launched against individuals using any browser, theoretically including those on mobile devices, though the researcher said they had difficulty executing it on smartphones.

The method has some shortcomings, the researcher said, chief among them that the attacker has to hand the victim keyboard and mouse control of the attacker’s own machine (the VNC session) for the attack to work, so that environment has to be locked down.

It’s also possible that given the nature of VNC software, there may be some noticeable input lag for the victim, offering an indication that the website is not legitimate.

This is currently a proof of concept style of phishing attack with no known actively exploited cases in the wild, though remote access to businesses is reportedly on the rise in a string of burgeoning dark web operations.

“Browsers are more powerful than ever and the usage of browsers as clients for remote access provides new ways for attackers to steal credentials, bypass 2FA, and more,” said the researcher. “I strongly believe that what I’ve demonstrated in this article is only a small portion of what this technique can be used for.”

noVNC attack breakdown

The attacker first deploys a Linux machine with a cloud service provider; any provider or Linux distribution will do.

Once the instance is running, the attacker installs a VNC server such as TightVNC or TigerVNC and runs a few configuration commands to prepare the environment for the attack. The noVNC JavaScript library and application are then downloaded from GitHub and installed alongside it.

A web browser must be running inside the VNC session, displaying the authentication page whose credentials the attacker wants, such as Google’s login page. Any browser will do (the researcher used Firefox), but it must run in kiosk mode, which hides the address bar and other browser chrome that would otherwise give the session away.

This technique is effective in spear phishing campaigns but will encounter issues if sent to multiple targets since they will be sharing the same VNC session. 

However, the technique can be modified and automated so different users access different VNC sessions by assigning users to different ports.

Google doubles bug bounty rewards for Linux, Kubernetes exploits


Connor Jones

16 Feb, 2022

Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms. 

The reward increases will be applied to exploits discovered in the Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the flag exercises), with the next review coming at the start of 2023.

Rewards for valid one-day exploits more than double, to a maximum of $71,337 from $31,337 previously. Sometimes known as ‘n-days’, one-days are publicly known vulnerabilities that already have patches; Google will nonetheless pay for novel exploits of them.

Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing patch in their report. Google also said it will be limiting the number of rewards for one-day vulnerabilities to only one version or build.

“There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses),” said Eduardo Vela, Product Security Response TL/M at Google. “While we don’t expect every upgrade to have a valid 1day submission, we would love to learn otherwise.”

Valid exploits for previously unknown zero-day vulnerabilities will attract nearly double the previous maximum, $91,337 up from $50,337. Zero-days typically command higher rewards because the vendor has no patch for them yet, and wants the weakness fixed before cyber criminals discover it independently.

“We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag,” said Vela. “We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022).”

An increasing amount of recent research has highlighted cyber criminals’ shift in focus towards Linux environments, both in and outside of the cloud. 

Qualys published findings earlier this year regarding a Linux root privilege flaw that went unnoticed for 12 years while “hiding in plain sight“, while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments last week.

Full details on the reporting process can be found in the Google blog post.

Reward structure

Google will offer a base reward of $31,337 for the first valid exploit for a given vulnerability, zero-day or one-day. This will only be paid once per vulnerability and once per cluster version or build. Duplicate exploits will not be rewarded unless they present a novel exploit technique, Google said.

From there, a total of three bonuses of $20,000 are available depending on the nature of the exploit disclosed. 

  • $20,000 will be awarded if the exploit is a zero-day
  • A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces
  • Another $20,000 is on offer to those who can demonstrate novel exploit techniques. This also applies to duplicate exploits and Google requires a full write-up to qualify as a valid submission

Google Chrome update fixes zero-day under active exploitation


Connor Jones

15 Feb, 2022

Google has released a fresh wave of patches for seven high-severity security issues affecting Google Chrome, including one zero-day vulnerability under active exploitation.

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws being use after free (UAF) vulnerabilities.

The zero-day, tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, is a use after free in Chrome’s Animation component which Google says is under active exploitation in the wild.

The flaw was discovered by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group. Very few details have been released, but UAF vulnerabilities typically enable arbitrary code execution and memory corruption in unpatched software, and can lead to the takeover of a victim’s machine.

UAF vulnerabilities stem from incorrect handling of dynamically allocated memory. Programs allocate blocks from the heap for objects whose size or lifetime is not known in advance, and return those blocks to the allocator when they are no longer needed; the allocator then recycles them for later requests.

A use after free arises when a program frees a block but keeps a pointer to it and later dereferences that dangling pointer. Because the allocator reuses freed blocks, an attacker who can trigger an allocation of the same size after the free can place their own data where the old object used to be. If the object held something the program still trusts, such as a function pointer or a C++ vtable pointer, the stale reference now points at attacker-chosen data and the next call through it hijacks control flow. In a browser, both the free and the replacement allocation can usually be driven from JavaScript, which is why renderer UAFs are so often turned into code execution.
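To make the mechanism concrete, here is an added example in C; it is not code from Google, from Chrome, or from the article. It uses a tiny slot allocator with last-in-first-out reuse, written for this illustration so that a freed chunk is deterministically handed to the next same-sized request (real heaps such as glibc’s tcache or Chrome’s PartitionAlloc behave similarly, just less predictably). The `Animation` struct and the `demo_vulnerable` / `demo_fixed` functions are hypothetical names chosen for the analogy and have nothing to do with Chrome’s actual Animation code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy slot allocator (illustration only): fixed 64-byte slots, LIFO reuse,
 * so a freed slot goes straight back to the next same-sized allocation. */
#define SLOT_SIZE 64
#define NUM_SLOTS 8
static union { unsigned char bytes[NUM_SLOTS * SLOT_SIZE]; long double align; } arena;
static int free_stack[NUM_SLOTS];
static int free_top;
static int next_fresh;

static void *toy_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    if (free_top > 0) return &arena.bytes[free_stack[--free_top] * SLOT_SIZE];
    if (next_fresh < NUM_SLOTS) return &arena.bytes[next_fresh++ * SLOT_SIZE];
    return NULL;
}
static void toy_free(void *p) {
    free_stack[free_top++] = (int)(((unsigned char *)p - arena.bytes) / SLOT_SIZE);
}
static void toy_reset(void) {
    free_top = 0; next_fresh = 0; memset(arena.bytes, 0, sizeof arena.bytes);
}

/* Object carrying a function pointer: the classic UAF target, analogous to a
 * C++ object's vtable pointer. (Hypothetical type, not Chrome's.) */
typedef struct { void (*on_tick)(int frames); int frames; } Animation;
static void benign_tick(int frames) { (void)frames; }

/* 1 if every byte of the stored code pointer now equals the attacker's fill byte. */
static int pointer_is_attacker_controlled(const Animation *a, unsigned char fill) {
    unsigned char raw[sizeof a->on_tick];
    memcpy(raw, &a->on_tick, sizeof raw);
    for (size_t i = 0; i < sizeof raw; i++) if (raw[i] != fill) return 0;
    return 1;
}

/* Vulnerable pattern: object freed, stale pointer used afterwards.
 * Returns 1 when the dangling pointer reads attacker data. */
int demo_vulnerable(void) {
    toy_reset();
    Animation *anim = toy_alloc(sizeof *anim);
    anim->on_tick = benign_tick;
    anim->frames = 1;

    toy_free(anim);                         /* object lifetime ends here ... */

    /* ... attacker triggers a same-sized allocation and fills it ... */
    unsigned char *spray = toy_alloc(sizeof *anim);
    memset(spray, 0x41, sizeof *anim);

    /* ... and the stale pointer is dereferenced. Where a code pointer used to
     * be there are now 0x41 bytes; a real exploit would call anim->on_tick
     * here, we only inspect it. */
    return pointer_is_attacker_controlled(anim, 0x41);
}

/* Fixed: the freeing site is the sole owner, clears the pointer, and the use
 * site checks it, so the stale use never happens. Nulling covers only this
 * alias; the durable fix is single ownership (or a weak/smart pointer) so no
 * other reference can outlive the object. Returns 0. */
int demo_fixed(void) {
    toy_reset();
    Animation *anim = toy_alloc(sizeof(Animation));
    anim->on_tick = benign_tick;
    anim->frames = 1;

    toy_free(anim);
    anim = NULL;                            /* pointer dies with the object */

    unsigned char *spray = toy_alloc(sizeof(Animation));
    memset(spray, 0x41, sizeof(Animation));

    if (anim == NULL) return 0;             /* use site fails closed */
    return pointer_is_attacker_controlled(anim, 0x41);
}

int main(void) {
    printf("vulnerable: code pointer hijacked = %d\n", demo_vulnerable());
    printf("fixed:      code pointer hijacked = %d\n", demo_fixed());
    return 0;
}
```

The toy allocator is what keeps the demonstration deterministic and free of undefined behaviour; with the system `malloc` the same sequence would usually show the same result on glibc, but AddressSanitizer would (rightly) abort at the stale read, which is exactly the signal fuzzers rely on to find these bugs.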

The majority of the high-severity vulnerabilities in the latest wave of patches relate to UAF in various components of Google Chrome. One exists in File Manager (CVE-2022-0603), another in the Webstore API (CVE-2022-0605), one in ANGLE (CVE-2022-0606), and finally one in GPU (CVE-2022-0607), as well as the zero-day.

Among the other most serious flaws fixed in the latest stable build is CVE-2022-0608, an integer overflow in Mojo, Chromium’s inter-process messaging layer. Reported by Google Project Zero’s Sergei Glazunov, integer overflows occur when an arithmetic operation produces a result larger than the integer type can hold, so the stored value wraps around to something much smaller (or negative).

When the wrapped value is a length or buffer size, the subsequent allocation or bounds check is made against the wrong number, turning the arithmetic error into memory corruption. Depending on where that value is used, such bugs can enable information disclosure, full code execution and system takeover, or simply crash the application.
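The size-calculation case, as an added example in C that is not code from Chromium, Mojo, or the article: `unchecked_bytes`, `checked_bytes` and `alloc_array` are hypothetical names, and the element count is constructed to make a 32-bit multiplication wrap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Naive size computation in a 32-bit type: 0x40000001 elements of 4 bytes
 * is 0x100000004, which wraps to 4. An allocator handed that size returns a
 * 4-byte buffer, and every later write past it is a heap overflow. */
uint32_t unchecked_bytes(uint32_t count, uint32_t elem_size) {
    return count * elem_size;               /* wraps modulo 2^32 */
}

/* Checked version: reject the request before the value is used anywhere.
 * Returns 1 and sets *out on success, 0 if the product would not fit.
 * (GCC/Clang also offer __builtin_mul_overflow for the same purpose.) */
int checked_bytes(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (count != 0 && elem_size > UINT32_MAX / count) return 0;
    *out = count * elem_size;
    return 1;
}

/* Allocation wrapper that refuses wrapped sizes: callers get NULL instead of
 * an undersized buffer they believe holds `count` elements. */
void *alloc_array(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (!checked_bytes(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

int main(void) {
    uint32_t out = 0;
    printf("unchecked: 0x40000001 x 4 -> %u bytes\n", unchecked_bytes(0x40000001u, 4));
    printf("checked:   accepted = %d\n", checked_bytes(0x40000001u, 4, &out));
    void *p = alloc_array(0x40000001u, 4);
    printf("alloc_array refused = %d\n", p == NULL);
    free(p);
    return 0;
}
```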

Google said the update will be rolling out automatically over the coming days and weeks for all operating systems, but concerned users can force an update immediately to the latest version by navigating to the Google Chrome menu in the top right corner of the browser, hovering over ‘Help’, and selecting the ‘About Google Chrome’ menu, or by typing ‘chrome://settings/help’ into the URL bar.

Zoom users claim macOS app keeps ‘listening’ after meetings end


Connor Jones

14 Feb, 2022

Video conferencing and collaboration platform Zoom has released an update to its macOS client addressing a security issue whereby a Mac’s microphone remained enabled even after a meeting had ended.

Zoom users running the latest version of macOS Monterey had been concerned about the apparent privacy issues since December 2021, according to posts made on the official Zoom community support forums, first reported by The Register.

The issue in question involved the orange dot in the Mac’s Control Centre appearing, indicating that the device’s microphone was in use by an application. That app was revealed to be Zoom, which was open in the Dock but not actively in a meeting.

Numerous replies to the original post echoed concerns regarding where the audio data was being sent, and that it wasn’t a single use case. 

One user appearing to represent Zoom support said the bug was known to Zoom and it was patched in the 5.9.3 version released on 24 January 2022. That said, IT Pro is still waiting to hear from Zoom officially.

The release notes accompanying version 5.9.3 made no explicit mention of the macOS bug, but earlier release notes for version 5.9.1, issued on 20 December 2021, indicated the bug had been fixed, though they offered no explanation as to why the bug occurred or what happened to any audio captured.

Numerous users also reported the bug persisting even after updating to version 5.9.1 and complaints persisted well into January 2022, long after even the 5.9.3 patch was released. IT Pro will update this story if Zoom provides clarity on the issues.

At the time, users commenting on the community support thread voiced their concerns around privacy, re-iterating their experience with Zoom’s privacy issues in years gone by. One user said: “This is [a] major privacy breach and I am considering dropping Zoom and asking my IT department to replace Zoom with a more secure option”.

In 2019, the discovery that Zoom’s Mac client installed a hidden local web server prompted Apple to roll out a silent update removing the web server from all Macs, following Zoom’s own update to the same end. Apple said at the time that no user intervention was required to apply the update, but IT Pro’s testing at the time showed the issue persisted until the user rebooted their machine.

The company also settled a case with the Federal Trade Commission (FTC) in 2020 after the claims it made about the use of end-to-end encryption (E2EE) on its platform, which was used by governments and local authorities during the pandemic, turned out to be false.

Microsoft Teams now uses 50% less power than when it first launched


Connor Jones

10 Feb, 2022

Microsoft has said its Teams app now uses 50% less power when running video calls and meetings, thanks to a range of performance improvements it has implemented since 2020. 

Microsoft Teams can be especially demanding for users of low-end devices that lack the adequate hardware processing capabilities of more expensive models, Microsoft said, especially with functions like meetings with multiple video streams or sharing one’s screen with a group.

Ongoing optimisations to the collaboration platform have improved the experiences for many business users and have led to reduced energy costs, Microsoft said, as it outlined the timeline of its optimisation releases over the past few years.

“One of the challenges brought on by the ubiquity of Teams is the need to create equitable experiences across an incredibly diverse Windows device ecosystem,” said Robert Aichner, principal group program manager at Microsoft.

“We’re committed to ensuring great calling and meeting experiences for users on low-end hardware as well as those on high-end workstations and high-resolution monitors. One of the factors we’ve addressed is the difference in power requirements for different customer profiles by ensuring Teams meetings are as energy-efficient as possible, regardless of setup.”

Microsoft measured the improvements by creating a testing framework that accounted for different energy-demanding scenarios, such as video meetings and screen sharing, to evaluate the critical processes associated with them to identify optimisation opportunities. Such processes included content capture, encoding, and rendering.


Over the course of 17 months, Microsoft made changes to these processes, starting with video capture optimisation in October 2020, involving a reduction in CPU load when the camera was enabled. This delivered the most significant performance increase, with a 27% drop in power consumption.

Specifically, Microsoft focused on camera optimisations that targeted reduced CPU load in meetings and reducing code complexity in areas such as auto-exposure, auto-white balance, and auto-aliasing.

This was followed by consolidating multiple screen elements for a single render process in February 2021, which brought an additional 14% decrease in power use. Incremental optimisations made over the following year delivered small improvements, slowly building to a peak performance improvement of 52%.

“Similar to our other performance improvement initiatives, these power consumption improvements are subjected to progressive testing to validate the intended benefits across customers and environments,” said Aichner. “Additionally, we evaluate each new planned Teams feature to ensure existing processing efficiencies are not compromised.

“So while we continue to launch innovative Teams features to help people connect and collaborate in new ways, we’re also dedicated to making sure these experiences are optimised for all users, regardless of their network and devices.”

Microsoft disables VBA macros in Office by default following years of complaints


Connor Jones

8 Feb, 2022

Microsoft has announced it will disable Visual Basic for Applications (VBA) macros by default in Office documents obtained from the internet, in a bid to tackle widespread abuse of the feature for malware and ransomware delivery.

Cyber security experts have long called on Microsoft to change its approach to VBA macros and the move has been greeted positively by nearly all corners of the industry. The default setting will be applied to five Microsoft Office products – Word, Excel, PowerPoint, Visio, and Access – and will start rolling out to Windows users in April 2022 with the Version 2203 update via the Current Channel (preview).

The change will be available in other update channels at an unspecified later date, including in Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 will also eventually all receive the update.

VBA macros are commonly used in Microsoft office products to automate repeat manual functions and are especially commonplace in industries like accounting and finance to expedite tasks in spreadsheets, for example. 

Cyber attackers are also commonly drawn to the feature to facilitate the launch of cyber attacks or distribute malware, a technique most commonly used in phishing attacks. A common scenario would see an attacker send a phishing email to an individual’s work account containing a seemingly innocuous Office document attached.   


Once the document is downloaded and opened, the user is presented with a notification in the toolbar prompting them to ‘enable content’; doing so runs the macro, which downloads and installs whatever malicious payload is associated with it.

Figures from Netskope’s January Cloud Threat Report revealed that the use of Microsoft Office documents related to malware downloads increased to 37% by the end of 2021, compared to 19% at the start of 2020.

“A wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code,” said Tom Gallagher, partner group engineering manager at Office Security. “Usually, the malicious code is part of a document that originates from the internet (email attachment, link, internet download, etc.). Once enabled, the malicious code gains access to the identity, documents, and network of the person who enabled it.”

Microsoft is changing the default behaviour of macros in five Office applications so that users will no longer be able to enable them with one click of a mouse. Instead, users will now be presented with a button encouraging them to click and learn more about the potential impacts of enabling macros, and what malicious ones can achieve on a corporate network.

“The default is more secure and is expected to keep more users safe including home users and information workers in managed organisations,” Microsoft said.

Community reaction

The cyber security community has come out in droves to support the move from Microsoft, a move that some corners of the industry have requested for some time. As recently as the weekend, the topic resurfaced on social media with experts calling for a change in approach to macros. 

Malware campaigns launched through phishing attacks are typically the chief exploiters of VBA macros, such as the newly resurfaced Emotet campaign which relies on the method as a key entry point. Experts believe the move is expected to reduce the number of cyber attacks in businesses significantly. 

“The implications of turning Macros off by default is a huge win for security as it significantly reduces the potential victim scope of macro-based attacks for cybercriminals,” said Joseph Carson, chief security scientist at Delinea to IT Pro.

“In the past, we relied heavily on users to make security decisions on macros with a warning – this can potentially reduce the risks from curious employees who may just accept the warning and run the macro that could result in stolen credentials or a fully compromised machine. The issue lies in how quickly organisations can upgrade to this version as office upgrades can typically take a long time, though at least those who have moved to cloud solutions should benefit sooner.”

Other experts have said malicious macros account for “about 25% of all ransomware entry” – a figure they describe as “conservative” mostly related to larger ransomware organisations like the ones most recently targeted by international law enforcement.

Real-world applicability

Some corners of the industry have raised concerns about how easy it will be for businesses to enforce the new default for Office documents given the entrenched culture of macro use in certain industries.

Security experts have said certain users who rely on macros for significant areas of their job, such as accountants, will likely complain to IT departments asking for the default to be reverted back to the one-click functionality of before, despite the risks. 

Others disagree, saying the difference will only add a small layer of friction to normal processes. Magni Reynir Sigurðsson, senior manager of detection technologies at Cyren said: “this will not affect industries that rely on documents using macros, they will just have to take the extra step of enabling them file by file for specific files they do trust”.

“For those industries that heavily rely on macros such as financial or accounting industries, the hope is that Microsoft will, at last, make it simple enough for individuals to turn it on for on-demand purposes on approved documents and scanned documents,” added Carson.

Administrator options

There are a number of policies available to system administrators who wish to apply the new macro behaviour in a way that suits their business. Such policies include:

  • Block macros from running in Office files from the Internet – Microsoft recommends enabling this policy, and organisations that already enforce it will see no change from the new default
  • Opening files from a Trusted Location, to which the block does not apply
  • Opening files whose macros are digitally signed, with the signing certificate installed on the user’s machine as a Trusted Publisher


Microsoft’s evaluation flow for Office files containing VBA macros hinges on the Mark of the Web (MOTW), an attribute Windows adds to files that arrive from an untrusted location such as an internet download or email attachment (on NTFS it is stored as a Zone.Identifier alternate data stream). Files carrying MOTW have their macros blocked unless one of the exceptions above applies.

Administrators can read more about how the change impacts the environments in Microsoft’s dedicated article for Office admins. 

Google Cloud adds cryptomining protection following widespread exploitation


Connor Jones

8 Feb, 2022

Google Cloud has launched a new threat detection solution for Google Cloud Platform (GCP) specifically designed to tackle the mounting cases of cryptomining malware operating through compromised cloud instances.

Google Cloud said the Virtual Machine Threat Detection (VMTD) is a first-to-market solution from a major cloud provider, now available in public preview as an added security layer within Security Command Center (SCC) Premium.

Virtual machine-based computing accounts for a significant portion of businesses’ operations running in the cloud and according to a November 2021 threat intelligence report from Google Cloud, cryptomining activity was observed in 86% of all compromised GCP instances, making it the leading issue affecting Google Cloud customers.

Attackers were quick to install this financially motivated malware, too: in more than half of cases (58%), mining software was installed within 22 seconds of the instance being compromised.

Google Cloud said in most cases, this was due to exploitation of poor customer security practices or vulnerable third-party software. Leveraging the power of cloud computing can improve the efficiency of cryptomining malware due to its scalable nature, potentially raising monthly cloud bills for businesses by a large sum.

“The economy of scale enabled by the cloud can help fundamentally change the way security is executed for any business operating in today’s threat landscape,” said Timothy Peacock, product manager at Google Cloud. “As more companies adopt cloud technologies, security solutions built into cloud platforms help address emerging threats for more and more organisations.

“VMTD is one of the ways we protect our Google Cloud Platform customers against growing attacks like coin mining, data exfiltration, and ransomware,” he added.

Now available in public preview, VMTD detects cryptomining attacks but as it moves closer towards general availability, Google Cloud said customers can expect to see a steady release of new detective capabilities that will integrate with other parts of GCP.

Google Cloud said VMTD complements its existing Event Threat Detection and Container Threat Detection products: VMTD covers virtual machines, while the other two cover areas such as Kubernetes, identity, managed services, networking, and APIs.

Agentless approach

Google Cloud’s VMTD provides memory scanning for customers on an agentless basis, which means GCP users can expect a smaller performance impact, lowered operational burden, and a less-exposed attack surface.

This is unlike a traditional endpoint security model which involves running additional software inside virtual machines to gather signals and telemetry. Instead, Google Cloud said it ‘instruments the hypervisor’ – the underlying software that “orchestrates” its virtual machines – to include threat detection that’s difficult to tamper with.

TikTok, Euromoney CISOs say retraining staff now critical to cloud success


Connor Jones

4 Feb, 2022

Security heads at some of the world’s largest companies have revealed how they managed to stave off the cloud skills crunch by retraining staff to fill some of the most sought-after roles in the industry.

Speaking at cyber security firm Check Point’s CPX 360 conference this week, the CISOs of media giant TikTok, and business and financial information company Euromoney Institutional Investor, said they both resorted to upskilling existing staff in order to support their move to the cloud.

Martyn Booth has held the CISO position at Euromoney for six years and said that during his time business objectives such as costs and efficiencies drove the cloud transition initially, but the company found it difficult to attract the right security talent.

Now with 70% of Euromoney’s business running in the cloud, he said specialised cloud security talent is needed and security-specific cloud skills are still scarce, years after his original search for talent.

“Having access to people that knew what they were doing was always going to be a bit of a challenge,” said Booth in a one-on-one interview with Check Point. “So, we’ve had to skill-up people quite quickly, rather than just go to market because some of those people weren’t available and then use those people to protect those environments.”

Non-technical people in the business typically think one security professional is full-purpose and can cover the full breadth of what’s required but this isn’t the case, he said.

The key to this successful internal upskilling program, he added, was having hungry staff – people within the security side of the business that wanted to learn new skills.

“We had some people that were interested in doing it, it suited me for them to do it, so it was a reciprocal arrangement, really – that they wanted to learn something new and it’s something that I needed them to know,” said Booth.

“So, we took the decision to train people internally, and those people now will probably consider themselves, and I would consider them, as cloud security experts. Before, we had a very limited ability to manage that internally.”

TikTok’s CISO, Roland Cloutier, told of a similar experience at the cloud-first media platform, and its “multi-pronged approach” to talent acquisition that covers numerous pipelines.

Such pipelines include higher education partnerships, early education, outside hires from adjacent industries such as government and the military, and internal hires – both from a security background and from wider areas of the business looking for a change in career path.

“We have to create a pipeline that’s 10 years out… and then internally, one of our focus areas, being a converged security organisation, is where do our practitioners want to go,” said Cloutier.

“Maybe you’re in risk management today, but tomorrow, you want to be leadership in the fusion centre – what does that career progression look like for you. So we spend a lot of time focusing on where our people want to go, and how that’s going to help our pipeline going forward,” he added.

“And of course, when we find super great people that are looking to join TikTok, they’re coming even potentially from other areas within the business; it’s always great to give those opportunities as well.”

Cloud security’s extreme skills shortage

The shortage of talent in the wider technology industry is well documented and has been widening for years, but the shortage is especially apparent in cloud computing – a newer technology that is still struggling to attract professionals en masse.

“It’s a fairly new technology, and it’s a complex technology, so the knowledge gaps there are huge and it means critical data is really in danger,” said Maya Horowitz, VP of research at Check Point, speaking to IT Pro.

“The ones that really are cloud experts, they are so rare that they go to work for pure cloud companies and there aren’t enough left for other organisations… definitely, we’re in shortage of cloud experts.”

The anecdotal reports are backed by research, with HashiCorp figures showing that more than half of IT organisations (57%) think a skills shortage is the primary challenge in cloud adoption, and nearly half (47%) say security is a top cloud inhibitor too.

Windows Server admins agree to forgo broken patches


Connor Jones

19 Jan, 2022

Microsoft has released an emergency out-of-band (OOB) update to address an array of issues found in last week’s Windows Server patch, but IT administrators are in agreement that they will not apply it.

Last week’s Patch Tuesday fixed a host of issues across Microsoft products, including a number of zero-day vulnerabilities, but Windows Server administrators have complained that some of the patches released have created even more problems.

Because of the issues introduced by the most recent cumulative patches, IT administrators discussing them on Reddit are mostly in agreement that forgoing the patches and waiting for the next cumulative update in February is the best course of action to minimise operational disruption and complexity.

The patches issued last week have been breaking a number of key components in business environments and the solution many administrators have turned to is to uninstall the updates entirely. 

Four main flaws

The latest out-of-band update from Microsoft issued this week aims to address the issues faced by businesses running Windows Servers but in some cases, it first requires administrators to install the broken patch from last week.

The issues businesses are currently facing include domain controllers unexpectedly restarting and entering boot loops every few minutes. The issue is thought to affect all supported Windows Server versions, and a failure in the LSASS.exe process means Windows cannot run correctly.

Microsoft Hyper-V is also affected by the patches, with enterprise virtual machines (VMs) failing to start on some Windows Servers. In addition, ReFS-formatted removable media is failing to mount post-patch, which has caused issues for administrators thinking their external drives were corrupted. Numerous reports of experts formatting their drives after applying last week’s patches, only to realise it was in vain, have appeared on social media, too. 

To cap off a bug-laden release of patches, some L2TP VPN connections are also failing across Windows 11, Windows 10, and certain Windows Server versions.

Microsoft has issued fixes for all of the aforementioned issues and, aside from the ReFS-formatted media issue, they are cumulative updates, which means they do not require administrators to install the broken patch from last week first.

The updates are available in the Microsoft Update Catalogue, which also has instructions on how to import the updates manually into Windows Server Update Services (WSUS).

A risky response?

Despite most of the updates being cumulative, IT admins are seemingly still in agreement that they will be waiting until February, or until a fully safe wave of patches arrives, to fix the Windows Server issues.

One user said: “I’ll be waiting on the cumulative… I’m not reinstalling a broken patch I just removed from a bunch of servers to then have to immediately apply a fix to said patch.”

Another user said installing the out-of-band update made matters worse: “[We] received the bad updates this morning, and Exchange wouldn’t see the Active Directory (AD) environment anymore. I saw the optional OOB update and installed that – [it] actually made the problem worse. I removed all of the updates and AD was back to being seen and Exchange was finally working.”

Weighing in on the matter, outside experts have said that forgoing updates is a decision that shouldn’t be taken lightly, and that the risk of leaving environments exposed to known vulnerabilities needs to be weighed against the potential disruption the updates themselves could cause an organisation.

“This is very much a question of risk management and risk assessment,” said Andy Norton, European cyber risk officer at Armis, to IT Pro. “Clearly the risk from installing the patch is one of disruption to the organisation. If you balance that with the risk from a cyber attack stemming from the issues that are not addressed by failing to patch, you then have both sides of the equation and are able to make a decision.

“There were six zero-day flaws addressed in the January patch, however, none of these zero-days are actively being exploited currently, and so it may appear that the consensus is to delay the patching process as it is riskier than being exposed to the zero days.”

Alan Calder, CEO at GRC International Group, added: “If it were my business, and a sysadmin said they thought it might be ok to continue with critical vulnerabilities unpatched until Patch Tuesday in February, we would have had a very blunt conversation about taking cyber security seriously.”

In a statement given to IT Pro, Microsoft said: “We recommend customers install updates released on January 17.”