This has caused my team a few headaches this morning with panicking management. Planning deployments as we speak.
My own, very-much-not-expert assessment so far is this looks like a big problem for organisations with specific authentication requirements, for domestic or standard professional users maybe not so much so. I’m keeping an eye on news sources to see if that changes.
For the moment I’m following the Ask Woody line of deferring patches for a few days until the outcomes are fully known, just in case they break something. But if I start seeing a “patch now!” consensus emerging then I’ll change that.
I do have the luxury of not needing to have my Windows systems online (or indeed, turned on) all the time, so I can also keep them offline while following the situation on non-Windows devices.
I do think it’s a good idea to plan patching activity now to be done in the next 48 hours if you have the capacity. While there’s no exploits yet, now that it’s public I would expect to see them pop up fairly quickly.
Yep. I’ve rolled the patches out to our test machines and we usually test those for a week or 2 until we are certain that everything is OK, before rolling it out to every PC in the organisation.
Because of this issue, I’m looking at possibly having to pull the trigger early on general release.
Nice summary from Davey Winder. Looks like I’ll probably have to pull the trigger early.
My own situation apart, it’s beginning to sound increasingly like early patching would be wise for most people. One of the things I’ve heard since I last posted is that this weakness would enable an attacker to create a fake software update for third party software and sign it as if they were the real supplier, and create a fake cert for a spoof website which would work with HTTPS as if it were the real site. Those are some bad scenarios.
I’m probably going to image a system before updating just in case it breaks something, then bring that system bang up to date and leave the others offline until I know there are no problems with the update.
I’ve updated my personal work system and everything is fine.
I am getting that update on my 3 win machines as I type on my Mac. I have 2 more win 7 machines to upgrade to win 10 soon.
I’ve updated a Build 1903 and a Build 1909 system with the January patches without seeing any problems.
Incidentally, when I was searching for info on the recent knowledge base article for the fixes, it was written by MS as more or less “nothing new in 1909 that isn’t in 1903.” Which really brings it home that there isn’t really a 1909 other than in name only.
Long, detailed explanation of what’s known so far, with links to other specialist articles, for anyone who wants to dig deeper:
Looks like proof-of-concept code is already being built.
Updated half a dozen test machines so far, no problem reported.
I’ll be throwing the trigger on rolling the updates out to the general population this afternoon.
I’ve now rolled the patches out to all my Windows 10 systems. So that’s combinations of 1903 & 1909, 32- and 64-bit,Pro and Home, all without any problems that I’ve seen yet.
Apart that is from the 1903 systems having a non-functioning search box in Windows Explorer, but that’s a known problem that predates these updates.
Thanks for the update!
As the fix is being pushed out normally, the warning is mostly aimed at network admin and people with offline or air-gapped systems.
Apparently you don’t hang in the same crowds I do. I have some acquaintances who think it’s a badge of honour to say “I haven’t patched my system in 10 months and it works just fine.”
I’ve been burned a few times by bugs in Windows patches, so my Win 10 Pro systems are set to delay automatic patch implementation by 15 days.
That puts the onus on me to check if quicker installation is advisable (like now), but gives enough time for MS to rush out an updated patch if they break something.
Yeah I know what you mean.
I have mine set to download and wait, as I prefer to let updates happen while I am shutting down.
I usually install them after a few days of not seeing the tech press freak out
Windows 10 updates I also have wait for my say-so.
Google are also pushing an update.
And Firefox still uses its own certificate checking, it doesn’t use the OS Crypto API.
The SANS Institute has a writeup that goes into plenty of detail, mainly covering what we’ve already discussed:
What might be of interest in that article is that they’ve created a test website at curveballtest.com that is signed with a spoofed certificate and gives an indication of whether the system you’re using to access it is vulnerable or not. It also offers the opportunity to download a binary signed with a spoofed cert to see if that’s picked up, and offers some additional detail about how the various browsers behave when seeing spoofed certs.
I tried this on a patched system. Using Chrome the site reported “not vulnerable” and the download was blocked. Using Edge (old version not Chredge) the site reported “not vulnerable” but the download was permitted; however the file was immediately blocked and removed by Norton, classed as WS.reputation.1 malware. The article says that Windows Defender is also able to block this.
I already class the SANS Institute as trustworthy but you should do your own checks before accessing any links. Links given above actually come from the show notes for today’s (Friday) SANS Institute Internet Center Stormcast podcast if you want to check.