Problems Plague Microsoft's February Security Patches
User profile problems and Windows shutdown glitches are among the raft of technical issues that have been reported in the wake of Microsoft's February security updates, released last week.
One other such issue, as reported by Microsoft, is standalone security update KB4524244 for a Secure Boot issue on Unified Extensible Firmware Interface (UEFI) Windows 10 and Windows Server machines associated with SQL Server. Microsoft recently pulled that security update, according to a Feb. 17 updated blog post.
A "subset of devices" were affected by the botched Secure Boot update, Microsoft indicated. The KB4524244 patch was supposed to have addressed a security issue associated with "a third-party" UEFI boot manager in Windows 10 machines, according to Microsoft.
"We are working on an improved version of this update in coordination with our partners and will release it in a future update," Microsoft tersely indicated in its Knowledge Base article.
The "third-party" term means a vendor besides Microsoft. The vendor in this case wasn't described. However, Microsoft's patch was designed to address a problem in a product made by software security company Kaspersky.
To hear Kaspersky tell it, Microsoft's KB4524244 patch addressed a problem in the Kaspersky Rescue Disk, which is used to clean unbootable and infected systems. This product had a flaw, disclosed in April and fixed later in August, that permitted an untrusted custom operating system to run on Secure Boot-protected machines. Secure Boot is a UEFI feature that's supposed to protect against such vulnerabilities, including so-called "bootloaders" or "rootkits" that load before the operating system runs, typically going undetected by anti-virus software.
Kaspersky, though, denied that it had any responsibility for Microsoft's botched KB4524244 patch.
"After detailed internal analysis, our experts concluded that Kaspersky products have not been a cause of this issue," Kaspersky explained.
The organizations with potential problems from this patch are the ones that installed the KB4524244 patch, according to Microsoft's updated Knowledge Base article. It can cause the "Reset This PC" feature on Windows 10 systems to fail. Microsoft recommended uninstalling KB4524244 in such cases, and restarting the device.
Kaspersky offered different advice. If KB4524244 is correctly installed, "you don't need to remove the update," according to Kaspersky. If KB4524244 wasn't installed, or if it gets uninstalled, then here was Kaspersky's advice:
Vulnerable bootloaders might remain bootable on your system. You will need to install the modified update once it is released by Microsoft.
In the interim, before that modified update arrives, Kaspersky advised a few mitigations, namely:
- Lock down the boot order.
- Protect the BIOS with a password.
- Put seals on device cover screws.
Standalone updates have to be manually downloaded from the Microsoft Update Catalog and installed using the Windows Update Standalone Installer, so it's possible that most IT shops hadn't applied the KB4524244 fix. In that case, they are stuck waiting for a new fix from Microsoft, although they could follow Kaspersky's mitigation steps in the meantime.
Possibly the oddest thing about this mishap is that it's deemed necessary to update the Secure Boot configuration at all.
"While updates to the Secure Boot configuration are rare, they are important to protect the integrity of the pre-OS boot process," Microsoft explained. It added that "you normally wouldn't even notice that the Secure Boot configuration has been updated" but for the involvement of the Host Guardian Service for shielded virtual machines, which checks Trusted Platform Module attestation.
Microsoft Pulls Another UEFI Patch
Microsoft also pulled its February patch KB4502496 for Windows 10, Windows 8.1, Windows RT 8.1 and Windows Server 2012/R2 that was designed to fix a UEFI firmware vulnerability, as noted by a Born's Tech and Windows World post.
Like KB4524244, this patch was another standalone security update. Microsoft recommended uninstalling KB4502496, and is working on a future "improved version" with its partners. No other mitigation steps were described.
SQL Server Reporting Services Exploit?
Microsoft had issued an "Important" February patch for a remote code execution vulnerability in SQL Server Reporting Services, as described in CVE-2020-0618. That bulletin, at press time, still described the vulnerability as not publicly disclosed or exploited.
However, security researcher Kevin Beaumont wrote in a Feb. 18 Twitter post that an exploit for CVE-2020-0618 now exists. He described it as "a big enterprise vuln." with a CVSS score of 9.7. He added that it affects "SQL Server 2012+" machines, but "appears to also impact SQL Server 2008."
Windows Server Container Images
Microsoft addressed a Windows Server 2016 image performance issue via a February patch, as described in KB4540981. However, it has a known issue associated with Windows Server Container images, as described in KB4542617.
The issue included the "Docker run" command not producing output and containers in Kubernetes not running. Applications running in the container "might silently fail," as well.
KB4542617 offers some painful mitigation steps to follow if the February security update for the container images was pulled and either containers aren't running or applications are silently failing. Also, the issue apparently affects newer Windows Server operating systems besides just Windows Server 2016, per the KB4542617 bulletin.
Other February Patch Problems
Born's Tech and Windows World included descriptions of other problems said to come from Microsoft's February patches. It described user profiles getting killed by KB4537821. Additionally, there's apparently a shutdown permissions glitch that affects Windows 7 users, as well as possibly Windows 10 users, but it may be associated with an Adobe Genuine update.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.