Urgently patch your Windows before a bad cert gets trusted

It appears that Microsoft has had broken cert validation, and you need to patch to get it fixed. MS doesn’t consider it urgent, but the NSA does. In this case, I’d go with the NSA’s advice and patch ASAP.

4 Likes

Some other viewpoints over at the Ask Woody site, at the moment they seem to be coming down on the MS side, but that could change:

https://www.askwoody.com

Edit: sorry that was a generic link that is OK right now but will have moved on to other news items soon. This is the specific link:

https://www.askwoody.com/2020/january-2020-patch-tuesday-running-commentary-from-the-skeptics-corner/

2 Likes

I almost posted a story about this in the morning. Interesting…

This has caused my team a few headaches this morning with panicking management. Planning deployments as we speak.

2 Likes

My own, very-much-not-expert assessment so far is this looks like a big problem for organisations with specific authentication requirements, for domestic or standard professional users maybe not so much so. I’m keeping an eye on news sources to see if that changes.

For the moment I’m following the Ask Woody line of deferring patches for a few days until the outcomes are fully known, just in case they break something. But if I start seeing a “patch now!” consensus emerging then I’ll change that.

I do have the luxury of not needing to have my Windows systems online (or indeed, turned on) all the time, so I can also keep them offline while following the situation on non-Windows devices.

1 Like

I do think it’s a good idea to plan patching activity now to be done in the next 48 hours if you have the capacity. While there’s no exploits yet, now that it’s public I would expect to see them pop up fairly quickly.

1 Like

Yep. I’ve rolled the patches out to our test machines and we usually test those for a week or 2 until we are certain that everything is OK, before rolling it out to every PC in the organisation.

Because of this issue, I’m looking at possibly having to pull the trigger early on general release.

1 Like

Nice summary from Davey Winder. Looks like I’ll probably have to pull the trigger early.

1 Like

My own situation apart, it’s beginning to sound increasingly like early patching would be wise for most people. One of the things I’ve heard since I last posted is that this weakness would enable an attacker to create a fake software update for third party software and sign it as if they were the real supplier, and create a fake cert for a spoof website which would work with HTTPS as if it were the real site. Those are some bad scenarios.

I’m probably going to image a system before updating just in case it breaks something, then bring that system bang up to date and leave the others offline until I know there are no problems with the update.

3 Likes

I’ve updated my personal work system and everything is fine.

2 Likes

I am getting that update on my 3 win machines as I type on my Mac. I have 2 more win 7 machines to upgrade to win 10 soon.

1 Like

I’ve updated a Build 1903 and a Build 1909 system with the January patches without seeing any problems.

1 Like

Incidentally, when I was searching for info on the recent knowledge base article for the fixes, it was written by MS as more or less “nothing new in 1909 that isn’t in 1903.” Which really brings it home that there isn’t really a 1909 other than in name only.

2 Likes

Long, detailed explanation of what’s known so far, with links to other specialist articles, for anyone who wants to dig deeper:

Looks like proof-of-concept code is already being built.

1 Like

Updated half a dozen test machines so far, no problem reported.

I’ll be throwing the trigger on rolling the updates out to the general population this afternoon.

3 Likes

I’ve now rolled the patches out to all my Windows 10 systems. So that’s combinations of 1903 & 1909, 32- and 64-bit, Pro and Home, all without any problems that I’ve seen yet.

Apart, that is, from the 1903 systems having a non-functioning search box in Windows Explorer, but that’s a known problem that predates these updates.

2 Likes

Thanks for the update!

2 Likes

As the fix is being pushed out normally, the warning is mostly aimed at network admins and people with offline or air-gapped systems.

Apparently you don’t hang in the same crowds I do. I have some acquaintances who think it’s a badge of honour to say “I haven’t patched my system in 10 months and it works just fine.”

I’ve been burned a few times by bugs in Windows patches, so my Win 10 Pro systems are set to delay automatic patch implementation by 15 days.

That puts the onus on me to check if quicker installation is advisable (like now), but gives enough time for MS to rush out an updated patch if they break something.