Microsoft: enabling KB5028407's security patch could break something, but we won't tell you what
Microsoft released security patches for all supported versions of Windows on the June 2023 Patch Tuesday. One of the patches addresses a security issue in Windows Kernel. While Microsoft did ship the security patch as part of the cumulative update on Tuesday, it did not enable the particular mitigation.
Microsoft explains on a support page that an attacker does not need elevation or administrative privileges to run the attack, and that it could allow the attacker to "view heap memory from a privileged process that is running on the server".
Windows devices remain vulnerable to attacks targeting the issue if the patch is not enabled in the Registry by a system administrator. The issue affects all supported Windows 10 and 11 operating systems as well as Windows Server 2022.
Microsoft did not reveal why it decided against enabling the patch by default, as it would protect all devices against the potential attack.
We asked users to be cautious and either create a system backup before enabling the patch manually or wait some days before doing so. Microsoft must have a reason for releasing the patch in disabled state.
Microsoft has now added an addendum to the patch notes. System administrators who had hoped that Microsoft would provide a reason for not enabling the security mitigation by default will be disappointed though, as the company is still tight-lipped about potential issues that may arise from enabling it.
Microsoft writes: "The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it. In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible."
In other words: enabling the mitigation may break something, but Microsoft won't tell its customers what it could be. Administrators therefore have to find out for themselves, which is a problem, because Microsoft gives no hint of what to look for. They may spend hours evaluating systems to find potential breakage.
Microsoft plans to enable the patch by default in the future, but it has not provided a timeframe for doing so.
The original recommendation still stands because of Microsoft's refusal to provide vital information to system administrators. Create backups before enabling the Registry changes or wait until additional information becomes available.
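One way to follow that recommendation on a single machine is to script the backup and the Registry change together, so that the export needed for a rollback always exists before the mitigation is switched on. The PowerShell below is an added example and is not code from the article or from Microsoft; the article does not name the Registry key, so `$RegPath`, `$ValueName` and the "enabled" value `1` are placeholders that must be replaced with the key, value name and value documented in Microsoft's KB5028407 support article.

```powershell
# Added example: back up first, then enable a Registry-based mitigation.
# $RegPath, $ValueName and $Enabled are PLACEHOLDERS; take the real values from KB5028407.
#Requires -RunAsAdministrator

$RegPath   = 'HKLM:\SOFTWARE\PLACEHOLDER\Mitigation'   # placeholder key path
$ValueName = 'PLACEHOLDER_ValueName'                    # placeholder value name
$Enabled   = 1                                          # placeholder "enabled" value (assumed DWORD)
$BackupDir = Join-Path $env:ProgramData 'MitigationBackup'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. System restore point. Requires System Restore, which Windows Server does not offer,
#    so on servers take a full backup or VM snapshot instead; the script only warns here.
try {
    Checkpoint-Computer -Description "Before enabling KB5028407 mitigation $Stamp" `
                        -RestorePointType MODIFY_SETTINGS
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}

# 2. Export the affected key so the change can be reverted with: reg.exe import <file>
$RegExportPath = $RegPath -replace '^HKLM:\\', 'HKLM\'
$ExportFile    = Join-Path $BackupDir "mitigation-$Stamp.reg"
if (Test-Path $RegPath) {
    reg.exe export $RegExportPath $ExportFile /y | Out-Null
    Write-Host "Exported $RegExportPath to $ExportFile"
} else {
    Write-Host "Key $RegPath does not exist yet; nothing to export (rollback = delete the key)."
}

# 3. Record the current value (if any), then write the documented "enabled" value.
$Before = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name $ValueName -Value $Enabled -PropertyType DWord -Force | Out-Null

# 4. Verify the write and keep a change log next to the backup for the rollback record.
$After = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
"$Stamp $RegPath\$ValueName before=$Before after=$After" |
    Add-Content -Path (Join-Path $BackupDir 'changes.log')
$Shown = if ($null -eq $Before) { '<absent>' } else { $Before }
Write-Host "Mitigation value now $After (was $Shown). Reboot and validate workloads before rolling out further."
```

Run it on a test machine first, exercise the workloads that matter, and only then roll it out; if something breaks, the `.reg` file in `%ProgramData%\MitigationBackup` restores the previous state, and the restore point covers anything the Registry export does not.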
Now you: have you enabled the Registry change on your device(s)?