
INTRODUCTION TO INFORMATION TECHNOLOGY

Microsoft's February security updates, released last week, came with plenty of technical bumps.

Microsoft reported issues with Secure Boot and Windows Server Container images after its Feb. 11 security
updates got applied. User profile problems and shutdown glitches also reportedly befuddled Windows users.

Secure Boot Patch Pulled


One of those bumps was standalone security update KB4524244 for a Secure Boot issue on Unified
Extensible Firmware Interface (UEFI) Windows 10 and Windows Server machines associated with SQL
Server. Microsoft recently pulled that security update, according to a Feb. 17 updated blog post.

A "subset of devices" were affected by the botched Secure Boot update, Microsoft indicated. The
KB4524244 patch was supposed to have addressed a security issue associated with "a third-party" UEFI
boot manager in Windows 10 machines, according to Microsoft.

"We are working on an improved version of this update in coordination with our partners and will release it
in a future update," Microsoft tersely indicated in its Knowledge Base article.

The "third-party" term means a vendor besides Microsoft. The vendor in this case wasn't described.
However, Microsoft's patch was designed to address a problem in a product made by software security
company Kaspersky.

To hear Kaspersky tell it, Microsoft's KB4524244 patch addressed a problem in the Kaspersky Rescue
Disk, which is used to clean unbootable and infected systems. This product had a flaw, disclosed in April
and fixed later in August, that permitted an untrusted custom operating system to run on Secure Boot-
protected machines. Secure Boot is a UEFI feature that's supposed to protect against such vulnerabilities,
including so-called "bootloaders" or "rootkits" that load before the operating system runs, typically going
undetected by anti-virus software.

Kaspersky, though, denied that it had any responsibility for Microsoft's botched KB4524244 patch.

"After detailed internal analysis, our experts concluded that Kaspersky products have not been a cause of this
issue," Kaspersky explained.

The organizations with potential problems from this patch are the ones that installed the KB4524244 patch,
according to Microsoft's updated Knowledge Base article. It can cause the "Reset This PC" feature on
Windows 10 systems to fail. Microsoft recommended uninstalling KB4524244 in such cases, and restarting
the device.

Kaspersky offered different advice. If KB4524244 is correctly installed, "you don't need to remove the
update," according to Kaspersky. If KB4524244 wasn't installed, or if it gets uninstalled, then here was
Kaspersky's advice:

Vulnerable bootloaders might remain bootable on your system. You will need to install
the modified update once it is released by Microsoft.

In the interim, before that modified update arrives, Kaspersky advised a few mitigations, namely:

• Lock down the boot order.
• Protect the BIOS with a password.
• Put seals on device cover screws.

Standalone updates have to be manually downloaded from the Microsoft Update Catalog and installed using
the Windows Update Standalone Installer, so it's possible that most IT shops hadn't applied the
KB4524244 fix. In that case, they are stuck waiting for a new fix from Microsoft, although they could follow
Kaspersky's mitigation steps in the meantime.

Possibly the oddest thing about this mishap is that it's deemed necessary to update the Secure Boot
configuration at all.

By Mohamad Haekal bin Azlan & Farid



"While updates to the Secure Boot configuration are rare, they are important to protect the integrity of the
pre-OS boot process," Microsoft explained. It added that "you normally wouldn't even notice that the Secure
Boot configuration has been updated" but for the involvement of the Host Guardian Service for shielded
virtual machines, which checks Trusted Platform Module attestation.

Microsoft Pulls Another UEFI Patch


Microsoft also pulled its February patch KB4502496 for Windows 10, Windows 8.1, Windows RT 8.1 and
Windows Server 2012/R2 that was designed to fix a UEFI firmware vulnerability, as noted by a Born's
Tech and Windows World post.

Like KB4524244, this patch was another standalone security update. Microsoft recommended uninstalling
KB4502496, and is working on a future "improved version" with its partners. No other mitigation steps were
described.
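
Because both pulled updates were standalone installs, the first practical step is finding out which machines actually have them. The PowerShell below is an added example, not code from Microsoft, Kaspersky or this article: it reports whether KB4524244 or KB4502496 is installed, shows the Secure Boot state, and prints the Windows Update Standalone Installer command to remove each one found. The function names and output layout are assumptions made for illustration.

```powershell
# Added example. The KB numbers come from the article; the function names
# and report layout are illustrative assumptions.
$PulledKBs = 'KB4524244', 'KB4502496'

function Get-PulledUpdateStatus {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($computer in $ComputerName) {
        try {
            # List installed updates once per host, then filter locally.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        } catch {
            # Unreachable or access-denied hosts get an error row, not a silent skip.
            [pscustomobject]@{ Computer = $computer; KB = $null; Installed = $null
                               InstalledOn = $null; Error = $_.Exception.Message }
            continue
        }
        foreach ($kb in $PulledKBs) {
            $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
            [pscustomobject]@{
                Computer    = $computer
                KB          = $kb
                Installed   = [bool]$hit
                InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
                Error       = $null
            }
        }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI needs an elevated session and throws on non-UEFI hardware.
    try { if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' } }
    catch [System.PlatformNotSupportedException] { 'NotUEFI' }
    catch [System.UnauthorizedAccessException]   { 'NeedsElevation' }
    catch { 'Unknown' }
}

$report = Get-PulledUpdateStatus
$report | Format-Table -AutoSize
"Secure Boot: $(Get-SecureBootState)"

# Print, rather than run, the removal command for each pulled update found.
foreach ($row in $report | Where-Object { $_.Installed }) {
    $number = $row.KB -replace '^KB'
    "On $($row.Computer), run elevated: wusa.exe /uninstall /kb:$number /norestart (then restart)"
}
```

Pass a list of host names to `Get-PulledUpdateStatus -ComputerName` to survey more than the local machine; the Secure Boot check as written only covers the machine the script runs on.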

SQL Server Reporting Services Exploit?


Microsoft had issued an "Important" February patch for a remote code execution vulnerability in SQL
Server Reporting Services, as described in CVE-2020-0618. That bulletin, at press time, still described the
vulnerability as not publicly disclosed or exploited.

However, security researcher Kevin Beaumont wrote in a Feb. 18 Twitter post that an exploit for
CVE-2020-0618 now exists. He described it as "a big enterprise vulnerability" with a CVSS score of 9.7.
He added that it affects "SQL Server 2012+" machines, but "appears to also impact SQL Server 2008."

Windows Server Container Images


Microsoft addressed a Windows Server 2016 image performance issue via a February
patch, as described in KB4540981. However, it has a known issue associated with
Windows Server Container images, as described in KB4542617.

The issue included the "Docker run" command not producing output and containers
in Kubernetes not running. Applications running in the container "might silently fail,"
as well.

KB4542617 offers some painful mitigation steps to follow if the February security
update for the container images was pulled and either containers aren't running or
applications are silently failing. Also, the issue apparently affects newer Windows
Server operating systems besides just Windows Server 2016, per the KB4542617
bulletin.

Other February Patch Problems


Born's Tech and Windows World included descriptions of other problems said to come from Microsoft's
February patches. It described user profiles getting killed by KB4537821. Additionally, there's apparently
a shutdown permissions glitch that affects Windows 7 users, as well as possibly Windows 10 users, but it
may be associated with an Adobe Genuine update.
