Critical Microsoft Windows 10, 11 & Server Warning Issued As Attacks Underway
May 12 Update: This post was originally published on May 11
The importance of patching your Windows platforms against known vulnerabilities as soon as possible has, once again, clashed with the risk that doing so can introduce. While the Forbes Straight Talking Cyber team always advises consumers to update as soon as possible, the advice for businesses has to be more cautious and dependent upon their specific risk profiling. This has been highlighted again as reports of multiple authentication failures after installing the May 2022 Patch Tuesday update, as spotted by Bleeping Computer, are being investigated by Microsoft. This follows authentication failures linked to the November Patch Tuesday update which resulted in an emergency out-of-band fix.
The particular problem following the May 2022 update appears to be an authentication failure due to a credentials mismatch where servers are used as domain controllers and involve the mapping of certificates to machine accounts. Something that is highly unlikely to impact consumers but will affect businesses using this specific setup.
One user in a Reddit Patch Tuesday support group found that uninstalling the KB5014001 and KB5014011 updates worked as a short-term fix. Bleeping Computer reports that while an upcoming security release will fix the problem, Microsoft recommends the manual mapping of certificates to Active Directory machine accounts. It wouldn’t surprise me if we see a similar, and similarly speedy, conclusion as was the case in November last year with an out-of-band emergency security release within the next week or so.
The latest ‘Patch Tuesday’ batch of security fixes for Microsoft users has just dropped, and it’s a big one. Among the 75 security issues being addressed there are eight which get a critical severity rating and three zero-day vulnerabilities. Windows 10, 11 and Server users are warned that one of these is being exploited in the wild, already under attack in other words.
For a full listing of all 75 vulnerabilities, along with their respective severity ratings and platforms affected, visit the Microsoft Security Update Guide. However, here’s what we know about the one for which attacks are already underway.
CVE-2022-26925 is the zero-day vulnerability that Microsoft confirms as already being exploited. Perhaps surprisingly, despite being an exploited zero-day, it only gets an important rating from Microsoft unless, and this is where things get a little complicated, it is chained with New Technology LAN Manager (NTLM) relay attacks.
These PetitPotam attacks as they are known, can be used to attack Windows domain controllers and other servers. If combined, the zero-day severity rating is boosted to a 9.8 criticality. Luckily, this is far from a simple attack to pull off, although obviously possible as the ‘actively exploited’ label demonstrates. Windows users (Server, 7, 8.1, 10 and 11) should ensure the update is applied as soon as is possible as a result.
What the security experts say
Chris Hass, director of security at Automox, says that what this Patch Tuesday lacks in numbers (in April more than 100 vulnerabilities were disclosed) it makes up for in severity and infrastructure headaches. “CVE-2022-26925, a Windows LSA Spoofing Vulnerability, could allow an attacker to intercept or man-in-the-middle network traffic. Considering Microsoft has confirmed exploitation of this CVE in the wild, system administrators should put this patch near the top of their list” he says. More broadly, Hass says that Automox recommends all critical and exploited vulnerabilities are patched within a 72-hour window.
Satya Gupta, co-founder at Virsec, says that while this Patch Tuesday update includes “highly concerning vulnerabilities” on an individual threat basis, when looked at in a broader context that concern remains. “Consider that in April-May 2022, more than one-in-three vulnerabilities Microsoft identified (1,330 or 36%) are remote code execution vulnerabilities,” he says, “this of course represents a massive opportunity for malicious actors to compromise nearly any customer.”