03/26 Update below. This post was originally published on March 23.
Windows 10 and Windows 11 users, you need to take immediate action. A serious vulnerability has been discovered in both platforms which Microsoft has not only failed to patch, but made worse. Here’s everything you need to know.
A new report from BleepingComputer breaks down the problem. Tracked as CVE-2021-34484, it is a zero-day privilege escalation vulnerability that allows attackers to take control of Windows 10, Windows 11 and Windows Server. And the shocker is Microsoft has known about it for seven months.
03/25 Update: More trouble for Windows users after Microsoft confirmed that updates it released for Windows Server in January have been found to be the cause of DNS failures causing impacted systems to lose internet connectivity.
“After installing updates released January 25, 2022 (KB5009616) and later on affected versions of Windows Server running the DNS Server role, DNS stub zones might not load correctly, which might cause DNS name resolution to fail,” Microsoft admitted in an official statement.
The company also confirmed that two further updates, KB5010427 (02/15/22) and KB5011551 (03/22/22), can cause these problems. Microsoft has released a preventative fix but states that impacted computers will not be repaired unless owners apply the fix manually. Microsoft offered an install guide for this and has provided two download links (1,2) for the patches.
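For administrators who want to know whether a DNS server in their estate is exposed to the stub-zone failure described above, here is an added PowerShell check (written for this article, not code from Microsoft or BleepingComputer). It assumes the DnsServer and ServerManager modules are available on the target, that it runs with administrative rights, and it uses only the three KB numbers the article names.

```powershell
# Added example: check a Windows Server for the stub-zone failure described
# in Microsoft's statement. Assumes the DnsServer and ServerManager modules
# are present (installed with the DNS Server role) and an elevated session.
# KB numbers are the ones the article lists as causing the problem.
$AffectedUpdates = @('KB5009616', 'KB5010427', 'KB5011551')

function Test-DnsStubZoneExposure {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # 1. Only servers running the DNS Server role are affected.
    $dnsRole = Get-WindowsFeature -Name DNS -ComputerName $ComputerName
    if (-not $dnsRole.Installed) {
        return [pscustomobject]@{ Computer = $ComputerName; DnsRole = $false;
                                  AffectedUpdates = @(); StubZonesNotLoaded = @() }
    }

    # 2. Which of the listed updates are installed?
    $installed = Get-HotFix -ComputerName $ComputerName |
        Where-Object { $AffectedUpdates -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 3. Which stub zones are currently shut down (i.e. failed to load)?
    $badZones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Stub' -and $_.IsShutdown } |
        Select-Object -ExpandProperty ZoneName

    [pscustomobject]@{
        Computer           = $ComputerName
        DnsRole            = $true
        AffectedUpdates    = @($installed)
        StubZonesNotLoaded = @($badZones)
    }
}

# Run against the local server and warn only when a listed update is present
# AND at least one stub zone is not loaded; otherwise show the raw result.
$result = Test-DnsStubZoneExposure
if ($result.DnsRole -and $result.AffectedUpdates.Count -gt 0 -and
    $result.StubZonesNotLoaded.Count -gt 0) {
    Write-Warning ("Stub zones not loaded after {0}: {1}" -f
        ($result.AffectedUpdates -join ', '), ($result.StubZonesNotLoaded -join ', '))
} else {
    $result
}
```

Pass `-ComputerName` to check remote DNS servers; a server that reports installed updates but no shut-down stub zones may still be worth watching, since the statement says zones "might" fail to load rather than always will.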
As noted by BleepingComputer, Microsoft’s recent updates have caused a truckload of problems for Windows users. These include Bluetooth causing Windows blue screens, LSASS crashes, Netlogon issues, and a Windows Active Directory bug. Microsoft has released multiple ‘out-of-band’ (OOB) emergency patches to combat these problems. Something needs to change.
03/26 Update: A serious new blow has been dealt to Microsoft’s reputation following allegations that the company is spending hundreds of millions of dollars in foreign bribes. These bribes are alleged to be worth more than $200M/year and the whistleblower, Yasser Elabd, a former Microsoft employee who spent over 20 years with the company, claims he was hounded out of Microsoft by senior management when he attempted to draw attention to what was going on.
“Examining an audit of several partners conducted by PricewaterhouseCoopers, I discovered that when agreeing to terms of sale for a product or contract, a Microsoft executive or salesperson would propose a side agreement with the partner and the decision maker at the entity making the purchase,” explains Elabd. “This decision maker on the customer side would send an email to Microsoft requesting a discount, which would be granted, but the end customer would pay the full fee anyway. The amount of the discount would then be distributed among the parties in cahoots: the Microsoft employee(s) involved in the scheme, the partner, and the decision maker at the purchasing entity—often a government official.”
Elabd cites some stunning examples of this. $33.6M of money missing from deals with the Saudi Ministry of the Interior and Kuwait, $5.5M in Nigeria “for hardware they did not possess” and “Qatar’s Ministry of Education was paying $9.5 million annually over seven years for Microsoft Office and Windows licenses they weren’t using.” Elabd also claims that “Another common practice revolved around creating fake purchase orders, which sales managers presumably used to increase their compensation.”
“Experience leads me to believe that 60–70 percent of the company’s salespeople and managers in the Middle East, Africa, and parts of Europe are receiving these payments,” he states. “To anyone who has been following Microsoft closely, this won’t come as a shock… What is a shock: This time around, the SEC and DOJ have both declined to investigate Microsoft over the same types of bribes in the Middle East and Africa.”
Microsoft has yet to respond to Elabd’s allegations. With all eyes on the company at present, what happens next is likely to have a major impact on Microsoft’s reputation.
In Microsoft’s defense, the company has issued two patches to try to address the flaw, but both have failed. The second attempt was particularly bad because it also broke a successful third-party fix from independent security group 0patch (pronounced ‘Zero Patch’) which was issued in November. Ironically, older unsupported versions of Windows 10 (1803, 1809 and 2004) are safest because Microsoft didn’t release its second ‘fix’ for those editions.
In response, Microsoft issued a statement to BleepingComputer acknowledging the flaw but offering no timeline for a fix, simply saying: “We’re aware of this report and will take action as needed to protect customers.” It is worth pointing out this statement is word-for-word identical to one the company issued after releasing two more botched patches for different flaws late last year.
The good news is 0patch has stepped in again. The group has issued a new ‘micro-patch’ which is free to download and compatible with the latest versions of Windows 10, Windows 11 and Windows Server. To get it, create a free account in 0patch Central and install 0patch Agent.
That said, the whole saga leaves a bitter taste in the mouth. There is a nasty sense of déjà vu in this latest episode with security researcher Abdelhamid Naceri, who discovered the flaws in several of these patches, previously commenting: “So you better wait and see how Microsoft will screw the patch again.” And here we are again.
Should you quit Windows? That’s a personal decision for every user and tied to individual circumstances. That said, with the performance of Apple silicon blowing away the vast majority of Windows PCs, there has never been a more tempting time to do so.