Skip to main content

Emergency Windows 10 update plugs a serious security hole

security
(Image credit: Shutterstock / binarydesign)

Microsoft has deployed an out-of-band Windows 10 update designed to remedy a security flaw affecting all supported versions of the operating system.

The update consists of a handful of different fixes, all of which are geared towards addressing issues with authentication protocol Kerberos that could allow an attacker to bypass security protections.

The fix was published for enterprise users running Windows 10 1809 earlier in the week, but has now arrived for versions 20H2, 2004, 1909, 1903 and 1607 as well.

Windows 10 update

According to a Microsoft support post, the Kerberos authentication issue was caused by a bug in a patch (for CVE-2020-17049) delivered this month as part of the company’s regular update schedule.

“After installing KB4586781 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues,” explained the firm.

“There are three registry setting values for PerformTicketSignature to control it, but in the current implementation you might encounter different issues with each setting.”

Setting the PerformTicketSignature value to 0 is said to cause authentication issues when using S4U scenarios (e.g. scheduled tasks/clustering), value 1 could bring about ticket renewal failures, while value 2 will cause problems in environments where not all DCs are updated.

Thankfully, these problems are exclusive to Windows Servers,  Windows 10 devices and applications running in enterprise environments, so everyday users need not worry in this instance.

Administrators, however, must install the latest out-of-band update (KB4594440) manually by searching for the package via the Microsoft Update Catalog; it is not available through the Windows Update service and will not be installed automatically.

Via MSPowerUser