
Microsoft patches the Patch Tuesday patch that broke authentication
2022-05-20 22:35

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 (an Active Directory Domain Services elevation-of-privilege bug) and CVE-2022-26931 (a Windows Kerberos elevation-of-privilege bug), both of which undermined the security of authentication in Windows.

Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you're using digital certificates for added authentication security.

The authentication failures introduced by the 10 May patch only affect some Windows services and protocols, namely Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Patches that need patches inevitably give our own preferred principle of "patch early, patch often" a bad name.

In this case, keep in mind that the original security flaws that were fixed were rated Critical; that the errant patch didn't affect all Windows authentication; that there was a workaround for those willing to employ it; and that rolling back the patch was apparently another viable temporary fix.
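The rollback the text mentions amounts to uninstalling the 10 May cumulative update from the affected domain controllers until the out-of-band fix is in place. The PowerShell script below is an added example, not code from the Naked Security article, from Microsoft or from this page. It audits every domain controller in the domain for the updates you name and, only when -Uninstall is given, removes them with wusa.exe. The KB identifiers are an assumption: this page does not list them, so pass the ones Microsoft's release notes give for your OS build. It assumes the ActiveDirectory RSAT module, DCOM/RPC access for Get-HotFix, WinRM access for Invoke-Command, and local-administrator rights on the DCs.

```powershell
<#
Added example (not from the article, Microsoft or this page).
Audit domain controllers for named Windows updates and optionally roll them back.
ASSUMPTION: the KB numbers are supplied by you; none are taken from the page.
#>
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^(KB)?\d{6,}$')]
    [string[]] $KB,          # e.g. the 10 May cumulative update for your build
    [switch]   $Uninstall    # rollback only happens when explicitly requested
)

Import-Module ActiveDirectory -ErrorAction Stop

# Normalise to "KBnnnnnnn", the form Get-HotFix reports in HotFixID.
$wanted = $KB | ForEach-Object { 'KB' + ($_ -replace '^KB', '') }

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# One row per (DC, update) pair so the table shows exactly where the patch is present.
$report = foreach ($dc in $dcs) {
    # Get-HotFix -Id returns only matching updates; a missing update simply yields nothing.
    $present = @(Get-HotFix -Id $wanted -ComputerName $dc -ErrorAction SilentlyContinue)
    foreach ($id in $wanted) {
        $hit  = @($present | Where-Object HotFixID -eq $id)
        $when = if ($hit.Count -gt 0) { $hit[0].InstalledOn } else { $null }
        [pscustomobject]@{
            DomainController = $dc
            Update           = $id
            Installed        = ($hit.Count -gt 0)
            InstalledOn      = $when
        }
    }
}

$report | Format-Table -AutoSize

if ($Uninstall) {
    foreach ($row in $report | Where-Object Installed) {
        $num = $row.Update -replace '^KB', ''
        Write-Host "Removing $($row.Update) from $($row.DomainController)"
        $exit = Invoke-Command -ComputerName $row.DomainController -ScriptBlock {
            param($n)
            # /norestart: reboot DCs yourself, one at a time, after checking replication health.
            $p = Start-Process -FilePath wusa.exe `
                -ArgumentList "/uninstall /kb:$n /quiet /norestart" -Wait -PassThru
            $p.ExitCode
        } -ArgumentList $num
        # 0 = removed; 3010 = removed, restart required; anything else needs a look at the WUSA log.
        Write-Host "  wusa exit code: $exit"
    }
}
```

Run it first without -Uninstall to see which DCs carry the broken update; run it again with the out-of-band update's KB to confirm the fix has landed. Rolling back reopens the two Critical flaws the 10 May update closed, so treat the uninstall as a bridge until the corrected update is installed, not as a resting state.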

Although it's easy to look back through rose-tinted spectacles and remember a distant past in which security patches hardly ever needed patches, that's the same distant past in which there were hardly any security patches to start with.


News URL

https://nakedsecurity.sophos.com/2022/05/20/microsoft-patches-the-patch-tuesday-patch-that-broke-authentication/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                      RISK
2022-05-10  CVE-2022-26931  Unspecified vulnerability in Microsoft products                          0.0
                            (Windows Kerberos Elevation of Privilege Vulnerability)
2022-05-10  CVE-2022-26923  Improper Certificate Validation vulnerability in Microsoft products      0.0
                            (Active Directory Domain Services Elevation of Privilege Vulnerability)

Related vendor

VENDOR     LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Microsoft  365       -           50   1369    2819  161       4399