Security News > 2022 > May > Microsoft patches the Patch Tuesday patch that broke authentication

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows.

Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you're using digital certificates for added authentication security.

Only affect authentication for some Windows services and protocols, namely Network Policy Server, Routing and Remote access Service, Radius, Extensible Authentication Protocol, and Protected Extensible Authentication Protocol.

Patches-that-need-patches inevitably give our own preferred principle of Patch early, Patch often a bad name.

In this case, keep in mind that the original security flaws that were fixed were considered Critical; that the errant patch didn't affected all Windows authentication; that there was a workaround for those willing to employ it; and that rolling back this patch was apparently another viable temporary fix.

Although it's easy to look back through rose-tinted specatacles and remember a distant past in which security patches hardly ever needed patches, that's the same distant past where there were hardly any security patches to start with.

News URL

https://nakedsecurity.sophos.com/2022/05/20/microsoft-patches-the-patch-tuesday-patch-that-broke-authentication/