Microsoft: enabling KB5028407's security patch could break something, but we won't tell you what
Microsoft released security patches for all supported versions of Windows on the June 2023 Patch Tuesday. One of them, tracked as KB5028407 (CVE-2023-32019), addresses a security issue in the Windows kernel. While Microsoft shipped the fix as part of Tuesday's cumulative updates, it left the actual mitigation disabled by default.
Microsoft explains on the support page that an attacker needs neither elevated nor administrative privileges to exploit the issue, and that successful exploitation could allow the attacker to "view heap memory from a privileged process that is running on the server". In other words, it is an information-disclosure bug: a low-privileged local user can read memory belonging to a privileged process.
Because the mitigation is off by default, Windows devices remain vulnerable until a system administrator enables it through the Registry; installing the cumulative update alone is not enough. The issue affects all supported Windows 10 and 11 versions as well as Windows Server 2022.
Microsoft did not reveal why it decided against enabling the mitigation by default, even though doing so would have protected every updated device against the attack.
We advised users to be cautious: either create a system backup before enabling the mitigation manually, or wait a few days before doing so, since Microsoft must have had a reason for releasing it in a disabled state.
Microsoft has now added an addendum to the patch notes. System administrators who had hoped that Microsoft would explain why the mitigation is not enabled by default will be disappointed, though, as the company remains tight-lipped about the potential issues that enabling it may cause.
Microsoft writes: "The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it. In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible."
In other words: enabling the mitigation may break something, but Microsoft won't tell its customers what. Administrators therefore have to find out for themselves, which is a problem, because Microsoft gives no hint of what to look for; validating the change may mean hours of testing systems for potential breakage.
Microsoft plans to enable the mitigation by default in a future release, but it has not provided a timeframe for doing so.
The original recommendation still stands because of Microsoft's refusal to provide vital information to system administrators: create a backup before enabling the Registry change, validate it on a small number of systems first as Microsoft itself suggests, or wait until additional information becomes available.
Now you: have you enabled the Registry change on your device(s)?
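The procedure the article describes (back up, enable the override in the Registry, read the state back, validate) written out as a PowerShell script. This is an added example, not code from the article or from Microsoft: the registry paths and value names are the ones Microsoft documents for KB5028407 (the same ones posted as *.reg files in the comments below), while the build-number-to-release mapping, the backup folder under ProgramData and the Status/Enable/Rollback switches are this script's own assumptions. It creates the Overrides key when it is missing (Microsoft's instructions only say to create the value), exports the existing key to a .reg file first so the change can be reverted with reg import, and returns the value it finds afterwards so you can confirm the state before and after the restart.

```powershell
# Added example (not from the article or Microsoft): check, enable or roll back
# the KB5028407 / CVE-2023-32019 mitigation on the local machine.
# Registry paths and value names: as documented by Microsoft for KB5028407.
# Build-number mapping, backup folder and the -Action switch: this script's assumptions.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [ValidateSet('Status', 'Enable', 'Rollback')]
    [string]$Action = 'Status',
    [string]$BackupDir = (Join-Path $env:ProgramData 'KB5028407-backup')   # assumption
)

$overridesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$sessionMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'

function Get-MitigationTarget {
    # Map the running build to the value Microsoft documents for it.
    # Build-to-release mapping is an assumption based on published build numbers.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    switch ($build) {
        22621 { return @{ Key = $overridesKey; Name = '4237806220'; EnabledValue = 1; Release = 'Windows 11 22H2' } }
        22000 { return @{ Key = $overridesKey; Name = '4204251788'; EnabledValue = 1; Release = 'Windows 11 21H2' } }
        20348 { return @{ Key = $overridesKey; Name = '4137142924'; EnabledValue = 1; Release = 'Windows Server 2022' } }
        { $_ -in 19042..19045 } {
            return @{ Key = $overridesKey; Name = '4103588492'; EnabledValue = 1; Release = 'Windows 10 20H2-22H2' }
        }
        # 1607 and 1809 use a different key, and the sense is inverted: 0 enables the fix.
        # Server 2016/2019 share these build numbers; treating them alike is an assumption.
        { $_ -in 14393, 17763 } {
            return @{ Key = $sessionMgrKey; Name = 'LazyRetryOnCommitFailure'; EnabledValue = 0; Release = 'Windows 10 1607/1809' }
        }
        default { throw "Build $build is not one this script has a KB5028407 value for; check the KB first." }
    }
}

function Get-MitigationStatus {
    $t = Get-MitigationTarget
    $current = $null
    if (Test-Path $t.Key) {
        $current = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
    }
    [pscustomobject]@{
        Release   = $t.Release
        Key       = $t.Key
        ValueName = $t.Name
        Current   = $current
        Enabled   = ($null -ne $current -and [int]$current -eq $t.EnabledValue)
    }
}

function Enable-Mitigation {
    $t = Get-MitigationTarget
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    if (Test-Path $t.Key) {
        # Export the key before touching it so `reg import <file>` restores the old state.
        $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
        $regPath = $t.Key -replace '^HKLM:\\', 'HKLM\'          # reg.exe wants HKLM\..., not HKLM:\...
        & reg.exe export $regPath (Join-Path $BackupDir "before-$stamp.reg") /y | Out-Null
    } else {
        # The Overrides key usually does not exist yet; the KB does not say so, but it must be created.
        New-Item -Path $t.Key -Force | Out-Null
    }
    Set-ItemProperty -Path $t.Key -Name $t.Name -Value $t.EnabledValue -Type DWord
    Get-MitigationStatus
}

function Disable-Mitigation {
    # Removing the value returns the machine to Microsoft's shipped (disabled) default.
    $t = Get-MitigationTarget
    if (Test-Path $t.Key) {
        Remove-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    }
    Get-MitigationStatus
}

switch ($Action) {
    'Status'   { Get-MitigationStatus }
    'Enable'   { Enable-Mitigation; Write-Warning 'Restart, then validate workloads before rolling this out further.' }
    'Rollback' { Disable-Mitigation }
}
```

Run it as `.\Set-KB5028407.ps1 -Action Status` from an elevated prompt on one test machine first; `-Action Enable` writes the value and prints the state it read back, and `-Action Rollback` deletes the value again (the exported .reg under the backup folder covers the case where the key already held other values). Whether a restart is needed for the kernel to pick up the change is not stated on this page, so the script assumes one.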
It has taken them 10 years (starting from Windows 8) to refresh the control panel, a thing that wasn't broken. Sorry, I mean 40% of the control panel. What do you expect a trillion-dollar company to be able to do? Being able to fix a security bug within a month? /s
The end of microshite and all the different versions of their 'Control Systems' is the best thing that could ever happen, and if it did, it couldn't come soon enough.
It is evident that MS has been infiltrated in recent years by people who hate Windows and want the OS to end. They have been doing hard work to destroy Windows NT.
Spectre and Meltdown, it's back.
I don't understand why there are so many bad comments about this patch that is not enabled by default. Here, four computers have the patch enabled with the *.reg file as I posted, and zero problems, not a single issue.
The moral of this story is to get far away from the Windows ecosystem if at all possible.
It’s nice to be retired. Screw Microsoft.
For those who would reply “But I need .xyz….; I did say “if at all possible”. I keep a copy on a separate hard drive, and boot it once a year to do my taxes. The interactive pdf’s only work with Adobe Reader.
Leave it alone, I say.
A couple of PowerShell scripts work:
https://github.com/ajf8729/Toolbox/tree/main/ConfigMgr/DCM/CVE-2023-32019%20-%20KB5028407
Problem for admins–
Rule #1 – System Security takes precedence.
Rule #2 – Absolute stability for users and productive capacity.
What an option–If I enable the silly patch, the entire system stability is jeopardized and users are texting, emailing, calling, yelling, screaming on Monday morning. If I don’t and security is compromised, then . . . well . . . end of story.
Long vacation in the south of France.
@VioletMoon > “Long vacation in the south of France.”
I still remember the unforgettable moments with my deceased grandfather at L'Espiguette beach of Montpellier, years 2001/02/03. Nice and kind people there, and the best bread I have ever tasted. For sure one of the best places that I have enjoyed. We would like this summer to go to the La Guérite beach in the north of France, however it's a long journey indeed from home. :S
Is this the thing from a few months ago that MS said will take a year to fix completely, in multiple steps?
secure boot?
https://arstechnica.com/information-technology/2023/05/microsoft-patches-secure-boot-flaw-but-wont-enable-fix-by-default-until-early-2024/
Guess not… a different long-arse fix.
And Intel says nothing about that in their latest security bulletins, whether this vulnerability is fixed with microcode from them or/for Microsoft.
I just enabled it and now my phone beeped. Coincidence????
We all know the “patch” will force you to create a Microsoft account to be able to use your computer. Sorry, I of course meant Microsofts computer that you are allowed to use as they see fit.
>have you enabled the Registry change on your device(s)?
No, because I don’t know what to change or where.
A friend of mine enabled the patch days ago and nothing has gone wrong so far. However, another friend of mine received a problem notification about fTPM even without applying the patch. So a must see!
I have enabled it hours ago and everything is working fine here. Printers included, LOL.
Here is the content of some *.reg files to apply the fix, which is not enabled by default, for the kernel exploit on Windows 10 versions 1607, 1809, 20H2, 21H2 and 22H2, Windows 11 versions 21H2 and 22H2, and Windows Server 2022 (KB5028407). The value names must use straight double quotes, as below, or regedit will refuse the file:
For Windows 11 22H2:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides]
"4237806220"=dword:00000001
For Windows 11 21H2:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides]
"4204251788"=dword:00000001
For Windows 10 20H2, 21H2, 22H2:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides]
"4103588492"=dword:00000001
For Windows Server 2022:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides]
"4137142924"=dword:00000001
For Windows 10 1607, 1809 (note the different key, and that 0 is the value that enables the fix here):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager]
"LazyRetryOnCommitFailure"=dword:00000000
On my laptop (Win10 22H2), I can't see any trace of KB5028407, and I don't know if it was actually part of the June 23 Windows update.
Moreover, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides doesn't exist (while it's there that I would be supposed to create a DWORD value named 4103588492 to activate the patch).
Actually there is nothing in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies, and Msoft's doc doesn't say to create the subkeys Microsoft\FeatureManagement\Overrides, but only to create a value inside this subkey….
Strange. Error in Msoft's doc?
In the mean time, I won’t do anything !
So
You need to create the keys in the Registry if they do not exist. The instructions are lacking, that is for sure.