Cybersecurity Threat Advisory: Microsoft Issues Emergency Updates
Posted on January 20, 2022 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Overview
In response to critical bugs in its Patch Tuesday release for January 2022, Microsoft released several out-of-band (OOB) updates for Windows Server. After initially pulling the January Windows Server updates for further review on January 13, Microsoft made them available to download again via Windows Update the next day. Now that these issues have been resolved, MCP recommends that all managed service providers (MSPs) download the January 2022 security updates and the emergency OOB patches to protect their critical servers.
What Is the Threat?
On January 17, 2022, Microsoft released emergency updates to fix issues related to virtual private network (VPN) connectivity, Windows Server domain controller restarts, virtual machine startup failures, and Resilient File System (ReFS)-formatted removable media that fails to mount. These issues were caused by the original Patch Tuesday updates to Windows Server.
According to Microsoft, these original updates addressed the following issues:
- Update KB5009624 patches an issue where Active Directory attributes are not written correctly during a Lightweight Directory Access Protocol (LDAP) modify operation with multiple specific attribute changes.
- Update KB5009557 contains miscellaneous security improvements to internal operating system (OS) functionality.
- Update KB5009555 addresses a known issue that affects Japanese Input Method Editors (IME). When a Japanese IME is used to enter text, the text might appear out of order, or the text cursor might move unexpectedly in applications that use the multibyte character set (MBCS). This issue affects Microsoft’s Japanese IME and third-party Japanese IMEs.
However, following installation, Windows Server administrators reported endless domain controller boot loops, Hyper-V startup issues, and the loss of access to ReFS file systems. In response, Microsoft removed the January Windows Server patches from Windows Update and reinstated them on January 14. Microsoft issued notifications that it was investigating these issues in the Windows Message Center before releasing necessary fixes on January 17.
Why Is It Noteworthy?
Microsoft products are used and trusted by thousands of individuals and businesses worldwide. In addition, Microsoft products and devices running Windows OS are integrated into businesses worldwide. As a result, it is difficult to estimate how many users may encounter unexpected errors as a result of these updates. However, as demonstrated by the scale of these updates, security researchers are constantly seeking and discovering new exploits in these products. It is crucial to keep these devices updated regularly, because these patches are developed specifically to prevent these vulnerabilities from being exploited.
What Is the Risk?
Microsoft’s Patch Tuesday releases usually address several vulnerabilities and exploits that could pose a significant threat to users. Many companies rely on sensitive data stored on their Windows devices and services remaining private. In many cases, these devices and services are business critical and are needed to conduct everyday business. Because the original Patch Tuesday release covers 97 common vulnerabilities and exposures (CVEs), it is critical to implement these patches as soon as possible now that the potential issues are resolved. The CVEs include a Windows certificate spoofing exploit, a privilege escalation vulnerability in Windows user profiles, and vulnerabilities that enable denial-of-service and remote-code-execution attacks.
What Are the Recommendations?
Now that Microsoft has developed fixes for any critical issues related to its Patch Tuesday release, MCP highly recommends downloading these emergency security updates and OOB patches to protect critical systems from potential cyberattacks attempting to leverage these vulnerabilities.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-rollout-of-january-windows-server-updates/
- https://support.microsoft.com/en-us/topic/january-11-2022-kb5009624-monthly-rollup-23f4910b-6bdd-475c-bb4d-c0e961aff0bc
- https://support.microsoft.com/en-us/topic/january-11-2022-kb5009557-os-build-17763-2452-c3ee4073-1e7f-488b-86c9-d050672437ae
- https://support.microsoft.com/en-us/topic/january-11-2022-kb5009555-os-build-20348-469-e3fb2b38-3506-4dc9-8216-5d3546a6d2a4
- https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/
Mike Beagles is MCP's director of IT and cybersecurity services.