Sophos tells users to roll back Microsoft's Patch Tuesday run if they want PC to boot Brit security software slinger Sophos has advised its customers to uninstall Microsoft's most recent Patch Tuesday run – the same patches that protect PCs and servers against the latest Intel cockups. In an advisory note published over the weekend, Sophos admitted the latest batch of Windows updates are causing the machines of …
"Windows hasn’t had undocumented hooks"
Maybe this is a terminology thing then.
I would take undocumented to mean not part of the published API, but allowing access to additional functionality that may not be supported in future due to either patching or other changes in the OS.
The question is around how much notice AV vendors had/need to make changes and what the implications are for performance.
For servers I'd take the patch over AV as I likely can't disable file sharing on key systems. For clients, I'd take AV and firewall polices restricting inbound file sharing to server subnets over the patch, but I guess it depends on the balance between local/offsite clients.
"How would you know if there were any undocumented hooks; read the documentation?"
By debugging Windows system calls, check missing values to see if they return anything, ask Microsoft for how to do X that doesn't appear possible via documented calls, debugging/examining the behaviour of malicious programs etc.
One further point - while "well behaved" software doesn't need to use undocumented calls, if the software you are trying to detect and protect against does use those calls, there may be no other way to protect against those calls/hooks unless you use them yourself. Where things get messy is if a method needs to change, Microsoft give a date to migrate to a new "correct" API call but you still have an existing version to support/update.
With new OS releases/service packs you get some time to address the issues and test - with patches, you have a matter of weeks.
"Waits for responses detailing Ubuntu updates that borked the systems..."
Isn't Ubuntu the sole Linux with the blessing of Microsoft Corporation? Why would MS choose to bless a proper Linux, one of the several with a history of *not* borking the systems every time the opportunity arises? If systems "just worked", most of the IT Departments in the world would be jobless within months.
I have seen Ubuntu screw up grub (which it seems to update every few days) and also entirely remove the kernel before so don't think you're safe for a minute. There is also no concept of last known good kernel as initrd gets rebuilt at the drop of a hat too. In fact things are so screwed up the initrd even gets rebuilt during removal of the associated kernel image.
?? must be old news. The only time I see grub is when I set up a machine as dual boot for a new nix user, which not too much later gets set up as nix only. I and most others switched to Mint and LTS only years ago when nearly everyone else did. I have yet to have an update of any kind bork a system, in my little family of 20 or so of them -
Updating major versions of linux - which you have to do proactively - HAS borked some oddball locally written daemons that initially used workarounds suggested on the web to keep working after systemd first came out horribly broken. And this happened for a couple years with distro updates borking the same things as things started working the old ways again (but LP would of course never admit this, having labeled all those breakages as E_WONTFIX or "then don't do things like mount shares at boot).
Of course, the recent advent of fairly clear how-to's and dox for systemd didn't hurt.
FWIW, most linux now has timeshift, which makes rolling back easy. Or, more usefully since one rarely needs that much - to have a couple rolling backups at different intervals of whatever in case YOU bork something and want to recover it.
the bigger concern is why you are doing in hours patching of bus-crit systems?
patch the server the helpdesk software runs on - cant log problems if the ticket system is down ;).
Obviously this only works in small teams. Or if you have a PFY around to blame.
This means IT IS MS' fault.
FFS, you poor sods, I am really wondering, why do you accept this state of affairs, seriously, you keep giving this incompetent bunch over at Redmond billions and they cannot even write a proper patch installer; they have tried for years, now, every month, EVERY SINGLE MONTH, gazillion systems somewhere break and each time it turns out to be the patch installer.
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
Again, you all are giving billions to a company that cannot even write a patch installer!
. . is that Microsoft put together a critical patch and Sophos couldn't be arsed to test if that was going to bork its product.
So now, you remove the critical patch that protects you in order to give Sophos time to pull its finger out and patch its own shit.
Of course, when you have shit running on shit, you get shit service as well.
I don't know if 2+ weeks is well in advance enough for Sophos, but Microsoft does provide Preview of Monthly Rollup updates. For example, the preview for May was released April 25. My workplace has been forced into having to test these preview releases for lack of companies like Sophos doing the same (and warning their customers in advance).
"The Preview of Monthly Rollup is product specific and addresses new non-security updates" (emphasis mine - https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro)
It would be quite dangerous to include critical vulnerabilities fixes in a preview, since it would give away what is vulnerable, and with some reverse engineering, how.
Don't know if some "trusted" companies can have security fixes in advanced to test.
Not just Sophos?
My ASUS Z270-P board i7-7700k machine hangs with the May update with spinning circle. I have no idea why. Multiple reboots eventually it uninstalls in safe mode and I get back my working PC. Running the MS utility to stop it trying it again, wushowhide.diagcab, seem to fail to block it, as soon the May update is back on, as is the determination of micro$oft to stuff your machine no matter what.
It seems every month a major AV vendor gets clobber by the updates and some months several get nailed. But it is a different vendor every month. It is almost as if Slurp has decided every month which AV vendor to target with problems. I do not remember this level of problems with updates with AV stuff with earlier versions of Bloat (I might be showing some mileage though).
AV vendors do install drivers to meddle within the kernel trying to intercept what should be malicious code before it gets executed. They may employ their own researches and techniques beyond what is standard driver interfaces to try to gain an edge over competition, believing they fully understood how the kernel works. Unluckily, little changes can cause big troubles.
I don't trust AV vendors much today, and their code.
"permits unauthenticated remote code execution through the medium of Remote Desktop Services"
The first thing I do, for Windows and all OS flavors in my shed, is to disable all remote access needed for some IT wonk to mess with my systems especially RDS. However, this policy is especially important for Windows as any subset of vulnerabilities that can be easily shunted is a good thing when using a spaghetti code OS like Windows. As for Windows 7, it's been sand boxed in a VM (hosted by a strong 'nixOS) and unable to access the Internet since the whole GWX debacle.
The only good Windows is an deaf and dumb Windows. Wait, is that redundant?
I think you got a teleporter to manage any remote system.... most of us don't manage systems on their laptop/bedroom/basement only - so they need a way to access them. Good luck, for example, to ask physical access to any machine running at a cloud provider. In some companies too accessing the data center is not easy, and it can be hundred or thousands of kilometres away...
There are of course ways to harden remote access - and remember it is not used only for remote administration, it could also be used as a plain "PC" by a lot of people...
To elaborate
Option 1 : Lock down the RDS/RDP to specific LAN addresses and user groups. You can include your VPN scope. Add 2FA to the VPN connection first.
Option 2: Manage via iDRAC or HPE
Option 3 : (actually combination of all) VLAN a management NIC, ACL on the VLAN, 2FA on the VPN, and locked down to specific LAN addresses / User groups
theres loads - this is just off the top of my head.
This post has been deleted by its author
Its advice on what to do is pretty blunt: uninstall the Windows update. Specifically, revert KB4499164 (May's full-fat Patch Tuesday) and KB4499165, the security-only update ...
Hands up anybody who still thinks roll-up patch bundles, which a customer can either take or leave as a whole, is still a good idea? A patch for an pretty esoteric hardware bug, which has a low likelihoodod being exploited relative to the overall threat landscape, effectively blocking customers from patching against a catastrophic and trivial to exploit software vulnerability in one of the core components. Yes, that's going to make things secure.
As a less disastrous example, an aging but still perfectly functioning AMD FX-based system I have here fails to install every other monthly rollup. From the update trace logs, it looks like it tries to install an Intel microcode update (which it obviously does not need), fails, and then reverts the entire rollup. Next month's rollup goes through without a hitch. Why that system and not the others? I have no clue. Can I just block the failing patch, and let the rest apply? No, sirrah - you must wait for the next rollup. May be it will install. May be it wont. I could try rebuilding it, but there is no guarantee it'll help either ...
https://community.sophos.com/products/sophos-central/f/sophos-central/112936/sophos-notification-following-the-microsoft-windows-14th-may-update-some-machines-hang-on-boot/405107#405107 Has an update to confirm any issues with the May security updates, stopping at 30%, is a Microsoft issue.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
