Microsoft Issues Serious Windows 10, Windows 11 Upgrade Warning – Forbes

01/14 Update below. This post was originally published on November 12

Windows users around the world need to be on high alert today because Microsoft has confirmed serious new vulnerabilities in Windows 10, Windows 11 and more. 

MORE FROM FORBESMicrosoft Reveals Critical New Security Flaws In Windows 7 To 11

Breaking down the contents of its January 2022 ‘Patch Tuesday’, Microsoft revealed it has discovered an eye-watering 97 new security vulnerabilities in its operating systems. Six of these have been classified as ‘zero day’ which means they are out in the wild and were known to hackers before Microsoft could respond. All versions of Windows are affected, including Windows 7, Windows 8, Windows 10 and Windows 11 as well as Windows Server 2019 and 2022. 

01/14 Update: Red alert for users upgrading to this monster update. BleepingComputer reports that it is breaking L2TP VPN connections on both Windows 10 and Windows 11. as well as causing critical bugs on Windows Server 2019 and Windows Server 2022. Microsoft has already pulled the update for both Windows Server editions, where BleepingComputer explains that “critical bugs caused domain controllers to reboot, Hyper-V to not work, and ReFS volume systems to become unavailable.” Hyper-V creates virtual machines while ReFS is Microsoft’s new file system and is used on all modern versions of Windows. Microsoft has yet to pull the update for Windows 10 and Windows 11, but concerns will be growing. For Windows Server users, there is currently no timeframe for the January patch to be reissued. Considering the number of important fixes and protections, including no fewer than six zero-day exploits, there will be considerable pressure on Microsoft to get the mega-cumulative update back out. That said, there could still be more disruption to come for Windows 10 and Windows 11 users.

Microsoft has a poor record with Windows updates lately, having botched not one but two zero-day patches in recent months. As security researcher Abdelhamid Naceri, who discovered one of the failed patches, warned users last month: “you better wait and see how Microsoft will screw the patch again.” Well here we go again.

To buy Windows users time, Microsoft is currently restricting information about the 97 new exploits but it has disclosed where its platforms are newly vulnerable. Focusing on the six zero-day threats, Microsoft has rated five as having an ‘Important’ severity level with another listed as ‘Critical’:

  • Critical – CVE-2021-22947 – Open Source Curl Remote Code Execution Vulnerability
  • Important – CVE-2021-36976 – Libarchive Remote Code Execution Vulnerability
  • Important – CVE-2022-21919 – Windows User Profile Service Elevation of Privilege Vulnerability
  • Important – CVE-2022-21836 – Windows Certificate Spoofing Vulnerability
  • Important – CVE-2022-21874 – Windows Security Center API Remote Code Execution Vulnerability
  • Important – CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability (limited to Windows 10 and Windows Server 2019)

The good news is Microsoft says it is unaware of any of these zero-day hacks being actively exploited by hackers at this stage. That said, this could change at any time and the company lists a further eight of the 97 exploits it discovered as ‘Critical’ and 88 as ‘Important’. So the warning to Windows users could not be clearer. 

What You Need To Do

Microsoft has started to roll out its January 2022 Patch Tuesday to all Windows users so, if you have paused Windows updates for any reason, you should resume them right now. The roll out will reach different users at different times, but if you want to trigger Windows to manually check for them navigate to: Settings > Windows Update > Check For Updates.

Windows patches have hit the headlines for the wrong reasons in recent months after Microsoft botched not one, but two zero-day patches. This led to security researcher Abdelhamid Naceri, who discovered one of the failed patches, sarcastically warning users: “you better wait and see how Microsoft will screw the patch again.” Third-party security group 0patch (‘Zero Patch’) also had to step in twice with emergency fixes while Microsoft struggled to provide official fixes. 

So Windows users need not only to react swiftly to the latest threats, they need to hope Microsoft has learned from recent mistakes

More On Forbes

Emergency Patch Released For Botched Windows 10, Windows 11 Security Update

Failed Microsoft Patch Leaves All Windows Versions Open To Zero-Day Hack

Total
0
Shares
Leave a Reply

Your email address will not be published.

Previous Post

Permanent remote working desired by most software engineers, as Apple sticks to two-day plan – 9to5Mac

Next Post

Remote Work Is Here to Stay: Are You Ready? – TheHRDigest

Related Posts