Microsoft regularly releases software patches to add new features, fix bugs, improve efficiency, and remediate security vulnerabilities. Microsoft has formalized this release cadence as Patch Tuesday, a day that many organizations and IT professionals have come to dread. New patches fix critical security vulnerabilities and bugs and roll out new features, but they can also break systems and services if they are deployed without understanding the changes and taking the time to configure systems accordingly. Long overnight shifts and weekends of hair-pulling occasionally follow a patch cycle as a result. Downtime on a mission-critical system is a nightmare for any organization, and unacceptable because of the lost revenue and the cost of recovery.
Ransomware has been the hot topic in recent years. The largest ransomware outbreak to date, WannaCry, propagated across networks all over the globe in 2017 largely because of a missing patch: the SMBv1 flaw it exploited had been fixed by MS17-010 two months earlier. Falling victim to a breach through an out-of-date system while Windows reports "You're up to date" is both frustrating and devastating. On numerous engagements Packetlabs has successfully exploited systems only for the IT staff to scratch their heads and say, "But Windows said I'm up to date?" Over the years the Windows operating system, like any software, has had its share of blunders that can leave you believing your systems are current when they are not.
Clicking "Check for Updates" in the Windows Update panel may report that you are up to date, but a lot is going on under the hood of the operating system, and that verdict can give a false sense of security. There are multiple root causes for Windows updates not working; the sections below detail some of the quirky and common reasons for failing updates.
First up is a case from January 2018, when Windows computers could not receive security updates if Windows Defender antivirus was not running. Microsoft had tied delivery of that month's security updates (the Meltdown and Spectre fixes among them) to a registry flag that compatible antivirus products were expected to set. Since many organizations use third-party endpoint protection rather than Defender, many were affected. The fix was either to enable Windows Defender or to add the registry key to the affected systems manually.
Has your organization recently upgraded to Windows 10? It may come as a surprise that the system may not receive feature updates for 31 days. Windows keeps a backup of the previous operating system and holds off on the next feature update as a safety precaution in case the system needs to be rolled back. Additionally, if Windows Update is set to "Defer Updates" to prevent unnecessary reboots and downloads at inconvenient times, feature updates will not be installed until the deferral period elapses. "Defer Updates" needs to be disabled to receive the latest feature updates promptly.
Systems that are several patch cycles behind may also falsely report being up to date. Typically Windows downloads and installs an update and the system must be restarted to finish the installation. After the restart the update completes, and clicking "Check for Updates" right away may report that the computer is up to date even though further updates are still outstanding, because the client is still working from its previous scan result. This can happen for various reasons; usually rebooting the computer again, or waiting a while before checking for updates, resolves the issue.
Additional issues can arise when WSUS servers are used. WSUS downloads patches so that clients in the environment have a central location to retrieve them, which greatly speeds up the updating process and reduces load on network connections. WSUS can also identify systems that are missing patches.
WSUS can report that updates are needed while the operating system reports that it is up to date when "Check for Updates" is clicked. WSUS waits for computers to check in and download updates; it does not push updates to hosts, so a machine that is not updating from WSUS may not be updating at all. WSUS approves patches per computer group, and if groups are not configured correctly, client systems may never be offered updates and will report as up to date. Likewise, if WSUS has not finished downloading approved updates, the client will report as up to date. In short, an "up to date" verdict on a WSUS client only means that nothing approved for that client's group is currently available from that server, not that the system has every patch Microsoft has released.
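The causes above (the 2018 antivirus compatibility flag, deferral and pause policies, an update still waiting on a reboot, and a client that only talks to WSUS) all leave traces in the registry that the "Check for Updates" button does not show. The following PowerShell script is an added example written for this article, not code from the original post or from Microsoft. It assumes it is run from an elevated prompt on Windows 10 or later; the registry paths and the QualityCompat value name are the ones Microsoft documented for these features.

```powershell
# Added example: surface the conditions that make "Check for Updates" report
# "up to date" when the system is not. Run elevated on Windows 10 or later.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. January 2018 antivirus compatibility flag. Security updates were withheld
#    unless this DWORD existed; Defender or a compatible third-party AV set it.
$qc   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$flag = (Get-ItemProperty -Path $qc -ErrorAction SilentlyContinue).'cadca5fe-87d3-4b96-b7fb-a231484277cc'
if ($null -eq $flag) {
    $findings.Add('QualityCompat AV compatibility flag missing: 2018-era security updates would have been withheld')
}
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender -or $defender.Status -ne 'Running') {
    $findings.Add('Windows Defender (WinDefend) is not running; confirm the third-party AV sets the compatibility flag')
}

# 2. Deferral and pause policies that hold back feature or quality updates.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$p = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
foreach ($name in 'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays') {
    if ($p.$name -gt 0) { $findings.Add("$name = $($p.$name) days") }
}
foreach ($name in 'PauseFeatureUpdates', 'PauseQualityUpdates') {
    if ($p.$name -eq 1) { $findings.Add("$name is enabled") }
}

# 3. Pending reboot: an update that is installed but not yet committed leaves
#    the UI saying "up to date" while the next cumulative update is not offered.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
foreach ($k in $rebootKeys) {
    if (Test-Path -Path $k) { $findings.Add("Pending reboot flagged by $k") }
}
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
if ($sm.PendingFileRenameOperations) {
    $findings.Add('PendingFileRenameOperations present: system files are replaced on next boot')
}

# 4. WSUS client: "up to date" then only means "nothing approved for my target
#    group on that server", so report where the client is pointed.
$au = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue
if ($au.UseWUServer -eq 1) {
    $findings.Add("Updates come from WSUS at '$($p.WUServer)' (client-side target group: '$($p.TargetGroup)'); verify group membership and approvals on the server")
}

# 5. Age of the last successful detection; a stale scan makes the verdict stale.
$detect = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect' -ErrorAction SilentlyContinue
if ($detect.LastSuccessTime) {
    $last = [datetime]::Parse($detect.LastSuccessTime)
    if ($last -lt (Get-Date).AddDays(-7)) {
        $findings.Add("Last successful update scan was $($detect.LastSuccessTime); the current 'up to date' result is over a week old")
    }
}

if ($findings.Count -eq 0) { 'No known false-positive causes detected' } else { $findings }
```

Each finding maps to one of the causes described above; an empty result does not prove the machine is patched, only that none of these particular conditions is present.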
Organizations with a mature security posture, or those striving to improve it, implement a patch management or vulnerability management program. A vulnerability management solution involves performing regular scans of the environment to identify systems that are missing patches or lack secure configurations. Vulnerability management prioritizes patching and configuration changes based on security risk, impact, and likelihood of exploitation; missing patches can then be applied as required and configuration changes made to lock down systems.
Vulnerability scanners are able to perform authenticated scans of both Windows and Linux systems. On Windows systems, the scanners determine precisely which patches have been applied and which are missing without relying on the Windows Update service. They do this by reading registry keys (such as the installed build and update revision and the list of installed packages) and by comparing the versions of key system files against the versions each security bulletin lists as fixed. This greatly improves the accuracy and scrutiny of the assessment.
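To see what an authenticated scanner actually looks at, the following PowerShell functions gather the same evidence locally: the build and update revision from the registry, the installed KB list from two independent sources, and a file-version comparison of the kind a scanner performs against a bulletin's fixed version. This is an added example written for this article, not code from the original post or from any scanner vendor. It assumes Windows 10 or later and PowerShell 5.1 or newer; no specific KB or fixed version is assumed, the caller supplies the version to compare against.

```powershell
# Added example: collect patch evidence the way an authenticated scanner does,
# straight from the registry, the update history and file versions.

function Get-OsBuildFromRegistry {
    # CurrentBuildNumber plus UBR (Update Build Revision) identifies which
    # cumulative update is committed, independent of the Windows Update UI.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Get-InstalledKBs {
    # Source 1: Win32_QuickFixEngineering, which Get-HotFix wraps. It only lists
    # servicing packages that register a KB and frequently omits recent updates.
    $qfe = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    # Source 2: the Windows Update Agent's own history via its COM API.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
    $fromHistory = @(foreach ($entry in $history) {
        # ResultCode 2 is orcSucceeded; skip failed or aborted installs.
        if ($entry.ResultCode -eq 2 -and $entry.Title -match 'KB(\d+)') { "KB$($Matches[1])" }
    })

    [pscustomobject]@{
        QuickFixEngineering = @($qfe | Sort-Object -Unique)
        UpdateHistory       = @($fromHistory | Sort-Object -Unique)
        # KBs the history knows about that QFE never reported: evidence that a
        # single source is not enough to decide what is installed.
        OnlyInHistory       = @($fromHistory | Sort-Object -Unique | Where-Object { $qfe -notcontains $_ })
    }
}

function Test-FileVersionAtLeast {
    # Scanner-style check: compare a binary's on-disk version with the minimum
    # version listed as fixed. The caller supplies $MinimumVersion from the
    # relevant bulletin; nothing here assumes a particular KB.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    $vi     = (Get-Item -LiteralPath $Path).VersionInfo
    $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path     = $Path
        Actual   = $actual
        Required = $MinimumVersion
        Patched  = ($actual -ge $MinimumVersion)
    }
}

Get-OsBuildFromRegistry
Get-InstalledKBs | Format-List

# Illustrative call: confirm the on-disk kernel matches the revision the
# registry claims is committed. A real scan would pass the fixed version from
# the bulletin being checked instead of the registry value.
Test-FileVersionAtLeast -Path "$env:SystemRoot\System32\ntoskrnl.exe" `
                        -MinimumVersion ([version](Get-OsBuildFromRegistry))
```

A kernel whose version is lower than the registry build, or a populated OnlyInHistory list, are exactly the discrepancies an authenticated scan surfaces and the Windows Update panel hides.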
If you or your IT staff spend time scratching your heads over the security implications of the latest patches, Packetlabs offers penetration testing and vulnerability management services. These services help organizations identify and prioritize areas of weakness and stay ahead of attacks. Please contact us today or schedule a meeting for more information.