Microsoft patches the Patch Tuesday patch that broke authentication
Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows.
Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you're using digital certificates for added authentication security.
The problems only affect authentication for some Windows services and protocols, namely Network Policy Server, Routing and Remote Access Service, RADIUS, Extensible Authentication Protocol, and Protected Extensible Authentication Protocol.
Patches-that-need-patches inevitably give our own preferred principle of Patch early, Patch often a bad name.
In this case, keep in mind that the original security flaws that were fixed were considered Critical; that the errant patch didn't affect all Windows authentication; that there was a workaround for those willing to employ it; and that rolling back this patch was apparently another viable temporary fix.
Although it's easy to look back through rose-tinted spectacles and remember a distant past in which security patches hardly ever needed patches, that's the same distant past where there were hardly any security patches to start with.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-10 | CVE-2022-26931 | Unspecified vulnerability in Microsoft products Windows Kerberos Elevation of Privilege Vulnerability | 0.0 |
2022-05-10 | CVE-2022-26923 | Improper Certificate Validation vulnerability in Microsoft products Active Directory Domain Services Elevation of Privilege Vulnerability | 0.0 |