In a blog post, Microsoft said it made the update after realizing that once users installed the updates released Jan. 11 or later, the AD information might fail, close or sys admins could receive an error from an application or Windows. It was also possible to receive an access violation error (0xc0000005).
These out-of-band updates are not available from Windows Update and will not install automatically. Microsoft said security pros interested in the standalone package should search for the Knowledge Base (KB) number for their version of Windows and .NET Framework in the Microsoft Update Catalog. They can then manually import the updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
Sometimes patches cause collateral damage, said John Bambenek, principal threat hunter at Netenrich. Bambenek said it’s often difficult to test all the possible impacts of a patch, especially when it involves an API where custom code may be running and Microsoft may have very little visibility into how it’s being used. “Releasing this as an out-of-band patch means developers and IT admins will have to go out of their way to know that the patch exists and to deploy it,” Bambenek said.
Johnny Martinelli, director of cybersecurity training at GRIMM, said while this bugfix update is only tangentially related to a more security-minded patch, the cybersecurity implications of the recently buggy Patch Tuesday are real. Martinelli said cybersecurity experts who have been fighting the IT department vs. cybersecurity department battle for long enough know one of many truths: systems administrators favor availability over security.
“Regularly issuing patches (security or otherwise) that have not been thoroughly tested for stability, as we saw in January, will very quickly erode systems administrators’ trust in these patches, causing them to hold off until other companies have tried them out in the field and reported back any problems,” said Martinelli. “This means there will be a very wide swath of time, perhaps even weeks, where security issues are made known and proof-of-concept exploit code is released to the public, yet sysadmins will choose to not patch due to instability fears. This limbo period can quickly become a playground of low-hanging, exploitable fruit, and enterprises that are discovered to subscribe to this 'n-1' security patching practice may even find themselves labeled as easy targets who are prioritized for attack each month on Patch Tuesday.”
Tyler Shields, CMO at JupiterOne, said security pros typically refer to Active Directory as the “keys to the kingdom.”
“Targeting the system that holds account authorization and authentication data can result in massive compromise of an organization,” Shields said. “It's one of the most commonly-deployed account management systems and must be kept secure and up-to-date at all times.”