Microsoft patches the Patch Tuesday patch that broke authentication

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows.
Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you're using digital certificates for added authentication security.
The problems with the patch only affect authentication for some Windows services and protocols, namely Network Policy Server, Routing and Remote Access Service, RADIUS, Extensible Authentication Protocol, and Protected Extensible Authentication Protocol.
Patches-that-need-patches inevitably give our own preferred principle of Patch early, Patch often a bad name.
In this case, keep in mind that the original security flaws that were fixed were considered Critical; that the errant patch didn't affect all Windows authentication; that there was a workaround for those willing to employ it; and that rolling back this patch was apparently another viable temporary fix.
Although it's easy to look back through rose-tinted spectacles and remember a distant past in which security patches hardly ever needed patches, that's the same distant past where there were hardly any security patches to start with.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-10 | CVE-2022-26931 | Unspecified vulnerability in Microsoft products Windows Kerberos Elevation of Privilege Vulnerability | 0.0 |
2022-05-10 | CVE-2022-26923 | Improper Certificate Validation vulnerability in Microsoft products Active Directory Domain Services Elevation of Privilege Vulnerability | 0.0 |