Every month, Windows users and administrators receive updates from Microsoft on Patch Tuesday (or Wednesday, depending on where you are). And every month most users apply the same updates.

But should you?

Example case: KB5012170, a patch released on August 9 that, depending on the machine, either installs without any problems, triggers BitLocker recovery-key prompts, or won't install at all, sending you off to find a firmware update first. This patch, called the DBX Secure Boot Security Update, applies to almost all supported versions of Windows. Specifically, it affects Windows Server 2012; Windows 8.1 and Windows Server 2012 R2; Windows 10, version 1507; Windows 10, version 1607 and Windows Server 2016; Windows 10, version 1809 and Windows Server 2019; Windows 10, versions 20H2, 21H1 and 21H2; Windows Server 2022; Windows 11, version 21H2 (original release); Azure Stack HCI, version 1809; and Azure Stack Data Box, version 1809 (ASDB).

Wow.

But here’s the thing: not all machines share the same risk factors. This particular update addresses a security risk where “a security feature bypass vulnerability exists in Secure Boot. A hacker who successfully exploited the vulnerability could bypass secure boot and load untrusted software. This security update addresses the vulnerability by adding the signatures of known vulnerable UEFI modules to DBX.”

As noted in Microsoft's advisory: "To exploit this vulnerability, an attacker would need to have administrative privileges or physical access to a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). An attacker can install an affected GRUB and execute arbitrary boot code on the target device. After successfully exploiting this vulnerability, an attacker could disable additional code integrity checks, thereby allowing arbitrary executable files and drivers to be loaded on the target device."
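Before deciding whether to apply a DBX update like this one, it helps to see what the update actually changes and what will trip the two failure modes above. The following PowerShell is an added example, written for this page and not taken from the article or from Microsoft's KB guidance. It assumes an elevated prompt on a UEFI machine with the built-in SecureBoot and BitLocker modules (Windows 8.1 / Server 2012 R2 and later); the function names Get-DbxSha256Hashes and Test-DbxUpdateReadiness are this example's own. It parses the raw dbx variable (a chain of EFI_SIGNATURE_LIST structures) to count the revoked-bootloader hashes, reports whether BitLocker is bound to the TPM, and suspends BitLocker for one reboot so the DBX change does not land you at a recovery prompt.

```powershell
# Added example, not from the article or from Microsoft: check a machine before
# and after a DBX revocation update such as KB5012170. Run from an elevated
# PowerShell prompt on a UEFI system (Confirm-SecureBootUEFI throws on legacy BIOS).

$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID

function Get-DbxSha256Hashes {
    # Walk the raw dbx variable, which is a sequence of EFI_SIGNATURE_LIST
    # structures, and return the SHA-256 entries as lowercase hex strings.
    $bytes  = (Get-SecureBootUEFI -Name dbx).Bytes
    $offset = 0
    $hashes = [System.Collections.Generic.List[string]]::new()
    while ($offset -lt $bytes.Length) {
        # Header: GUID SignatureType (16), UINT32 SignatureListSize,
        #         UINT32 SignatureHeaderSize, UINT32 SignatureSize
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $entry = [int]($offset + 28 + $headerSize)
        $end   = [int]($offset + $listSize)
        while ($entry + $sigSize -le $end) {
            if ($sigType -eq $EfiCertSha256Guid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + 32-byte SHA-256
                $hash = $bytes[($entry + 16)..($entry + 47)]
                $hashes.Add((-join ($hash | ForEach-Object { $_.ToString('x2') })))
            }
            $entry += [int]$sigSize
        }
        $offset = $end
    }
    return $hashes
}

function Test-DbxUpdateReadiness {
    # Summarise the things that decide whether this update helps and whether
    # it will hurt: Secure Boot state, current DBX size, BitLocker/TPM binding.
    $secureBoot = Confirm-SecureBootUEFI
    if (-not $secureBoot) {
        Write-Warning 'Secure Boot is off: DBX is not enforced and the update may refuse to install.'
    }
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        SecureBoot        = $secureBoot
        DbxSha256Entries  = (Get-DbxSha256Hashes).Count
        BitLockerStatus   = $osVol.ProtectionStatus
        TpmBoundProtector = [bool]($osVol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    }
}

# Typical use: record the state, suspend BitLocker for exactly one reboot when a
# TPM-bound protector is present (the dbx variable is measured into PCR7, so a
# changed DBX means a changed measurement), install the update, reboot, compare.
$before = Test-DbxUpdateReadiness
$before
if ($before.BitLockerStatus -eq 'On' -and $before.TpmBoundProtector) {
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
    "BitLocker suspended for one reboot on $env:SystemDrive"
}
# After installing KB5012170 and rebooting:
#   (Test-DbxUpdateReadiness).DbxSha256Entries -gt $before.DbxSha256Entries
```

If the entry count does not rise after the reboot, the update was not applied to the firmware variable, which is the "won't install" case the article describes; that is the point at which to look for a firmware update rather than retrying the KB. The hash list Microsoft publishes with the update can be compared against Get-DbxSha256Hashes to confirm specific revocations, but those hashes are not reproduced here.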

Copyright © 2022 IDG Communications, Inc.

https://www.computerworld.com/article/3672150/when-windows-updating-goes-bad-the-case-of-the-problematic-patch.html
