Microsoft has released an emergency out-of-band (OOB) update full to address an array of issues found in last week’s Windows Server patch, but IT administrators are in agreement that they will not apply them.
Last week’s Patch Tuesday fixed a host of issues across Microsoft products, including a number of zero-day vulnerabilities, but Windows Server administrators have complained that some of the patches released have created even more problems.
Because of the issues introduced by the most recent cumulative patches, IT administrators discussing the issues on Reddit are mostly in agreement that forgoing the patches and waiting for the next cumulative update in February is the best course of action to minimise operational disruption and complexity.
The patches issued last week have been breaking a number of key components in business environments and the solution many administrators have turned to is to uninstall the updates entirely.
Four main flaws
The latest out-of-band update from Microsoft issued this week aims to address the issues faced by businesses running Windows Servers but in some cases, it first requires administrators to install the broken patch from last week.
The issues businesses are currently facing include domain controllers unexpectedly restarting and entering boot loops every few minutes. The issue is thought to affect all supported Windows Server versions and the failure in the LSASS.exe process means Windows cannot run correctly.
Microsoft Hyper-V is also affected by the patches, with enterprise virtual machines (VMs) failing to start on some Windows Servers. In addition, ReFS-formatted removable media is failing to mount post-patch, which has caused issues for administrators thinking their external drives were corrupted. Numerous reports of experts formatting their drives after applying last week’s patches, only to realise it was in vain, have appeared on social media, too.
To cap off a bug-laden release of patches, some L2TP VPN connections are also failing across Windows 11, Windows 10, and certain Windows Server versions.
Microsoft has issued fixes the all of the aforementioned issues and aside from the ReFS-formatted media issues, they are cumulative updates which means they do not require administrators to install the broken patch from last week first.
The updates are available in the Microsoft Update Catalogue which also has instructions on how to install the updates manually into Windows Server Update Service (WSUS).
A risky response?
Despite most of the updates being cumulative, IT admins are seemingly still in agreement that they will be waiting until February, or until a fully safe wave of patches arrives, to fix the Windows Server issues.
One user said: “I’ll be waiting on the cumulative… I’m not reinstalling a broken patch I just removed from a bunch of servers to then have to immediately apply a fix to said patch.”
Another user said installing the out-of-band update made matters worse: “[We] received the bad updates this morning, and Exchange wouldn’t see the Active Directory (AD) environment anymore. I saw the optional OOB update and installed that – [it] actually made the problem worse. I removed all of the updates and AD was back to being seen and Exchange was finally working.”
Weighing in on the matter, outside experts have said the idea of forgoing updates is one that shouldn’t be taken lightly and the risks of leaving environments open to known vulnerabilities need to be considered on balance with the potential disruption the updates themselves could cause an organisation.
“This is very much a question of risk management and risk assessment,” said Andy Norton, European cyber risk officer at Armis to IT Pro. “Clearly the risk from installing the patch is one of disruption to the organisation. If you balance that with the risk from a cyber attack stemming from the issues that are not addressed by failing to patch, you then have both sides of the equation and are able to make a decision.
“There were six zero-day flaws addressed in the January patch, however, none of these zero-days are actively being exploited currently, and so it may appear that the consensus is to delay the patching process as it is riskier than being exposed to the zero days.”
Alan Calder, CEO at GRC International Group, added: “If it were my business, and a sysadmin said they thought it might be ok to continue with critical vulnerabilities unpatched until Patch Tuesday in February, we would have had a very blunt conversation about taking cyber security seriously.”
In a statement given to IT Pro, Microsoft said: “We recommend customers install updates released on January 17.”