Microsoft patches the Patch Tuesday patch that broke authentication
Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows.
Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you're using digital certificates for added authentication security.
They only affect authentication for some Windows services and protocols, namely Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Patches that need patches inevitably give our own preferred principle of "patch early, patch often" a bad name.
In this case, keep in mind that the original security flaws that were fixed were rated Critical; that the errant patch didn't affect all Windows authentication; that there was a workaround for those willing to employ it; and that rolling back the patch was apparently another viable temporary fix.
Although it's easy to look back through rose-tinted spectacles and remember a distant past in which security patches hardly ever needed patches, that's the same distant past in which there were hardly any security patches to start with.
Related news
- Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 74 flaws (source)
- Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws (source)
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- February 2024 Patch Tuesday forecast: Zero days are back and a new server too (source)
- Week in review: 10 must-read cybersecurity books, AnyDesk hack, Patch Tuesday forecast (source)
- March 2024 Patch Tuesday forecast: A popular framework updated (source)
- Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast (source)
- Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability (source)
- March Patch Tuesday sees Hyper-V join the guest-host escape club (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-10 | CVE-2022-26931 | Unspecified vulnerability in Microsoft products: Windows Kerberos Elevation of Privilege Vulnerability | 7.5 |
| 2022-05-10 | CVE-2022-26923 | Improper Certificate Validation vulnerability in Microsoft products: Active Directory Domain Services Elevation of Privilege Vulnerability | 8.8 |