Technical Support: 412-349-6678 | Incident Response

What to do when patches don’t work as intended

When patches don't work as intended - security patch

When software providers send their monthly updates to address vulnerabilities, you justifiably jump to test and implement the patches.

However, this doesn’t mean that all patches work as intended, or without consequences.

No matter the update, you always need to be alert of how these patches affect your systems.

And, because vulnerabilities rarely are discovered on a schedule, you always need to stay current on irregularly released patches, and quickly implement workarounds for any issues.

These examples of patches-gone-bad serve as proof that you always need be on the lookout for problems.

Microsoft Issues Patches and Workaround

When printing to network printers, you might suddenly experience 0x0000011b errors. 

Why? 

The Windows Print Spooler Spoofing Vulnerability security update went into full effect this month.

Although a patch was issued in January, it didn’t actually fix the problem. That is, unless administrators added a registry key that was automatically enabled with the September 14th update – which now causes the errors.

Many small businesses and home networks now experience the error because the patch requires the use of Kerberos on a Windows domain. Although your machines may be protected against critical vulnerabilities, the sudden disruption of printing is incredibly frustrating.

To make matters worse, the available workarounds either require a full roll-back of the security update, or working with Windows Registry Editor to turn off the patch.

If you need to disable the patch so you can print, be sure to implement additional protection to secure your devices against actively exploited attacks.

Faulty Apple Patch

Apple recently patched a critical zero-day vulnerability that could silently launch malicious code without any user interaction. 

And in the process, they also patched an unannounced zero-day flaw with similar capabilities. Unfortunately, they didn’t fully address the problem.

For the macOS, Apple blocked the “file://” prefix, but the patch appears to be case-matching. In other words, a “fiLe://” and other mangled versions remain unblocked.

At this time, there is no available workaround, because the issue lies within the macOS Finder function. This function provides the default interface and file launcher for the operating system.

Alarmingly, none of the antimalware engines on VirusTotal appear to be addressing this issue. As a result, there’s every reason to believe attackers will be quick to exploit it.

Until the vulnerability is fixed by Apple, macOS users need to be extremely careful when opening any email attachments. It’s possible to scan the attachments for malicious code outside of the macOS, but you’ll probably need the help of an IT expert to do it safely.

Urgent VMware Patch

If you’re running VMware vCenter and exposed to the internet, you need to apply the most recent patches for the CVE-2021-22005 vulnerability right away.

How urgent is it, you’re wondering? Well, within mere hours of the patch release, threat actors were already detected scanning for unpatched servers.

Not only that, but the flaw earned a 9.8/10 severity rating, since attackers can execute commands or access the content of the entire server.

If you can’t patch it immediately, you can either sever internet accessibility or edit a text file on the virtual appliance.

However, know that this then requires a manual or scripted restart to block the exploit.

Apple update security flaw - man using iPhone
Recent Apple security flaw requires this immediate update - click the image to read more

Consequences of Late Patches

Despite the danger of a poorly executed patch, the consequences of ignoring patching are much greater and last much longer. 

For example, antivirus researchers detected the “SparrowDoor” malware installed on servers using the ProxyLogon remote code execution, which was patched much earlier this year.

The new malware can perform a host of admin tasks, such as creating directories, exfiltration, establish an interactive reverse shell, or even delete itself.

This malware was likely installed on unpatched Windows Exchange Servers, and remained undetected once the servers were patched.

This sophisticated malware provides the attackers with a continuous backdoor, allowing them to maintain a presence on your servers.

Because it targeted hotels and governments worldwide, researchers believe the purpose of the malware was to conduct espionage, 

If you use on-site Microsoft Exchange servers, you need to examine the processes used to install SparrowDoor, and check your servers for any signs of compromise.

Bringing It Together

Usually, you perform verification on patches prior to installation.

This process catches most patches that might introduce critical failures after the update.

However, there will always be certain setups or software that just don’t respond well to patches, or patches that don’t fully correct the problem.

For these exceptions or faulty patches, workarounds should be implemented promptly, and then tested to ensure everything’s working correctly.

However, knowing what to look for isn’t always easy – let alone fixing problems that pop up along the way.

If you’re unsure of how to resolve any issues that you’re facing, it’s a good idea to call for expert IT assistance.

Fill out the form below or call Ideal Integrations at 412-349-6680 for a free consultation, or to ask us questions about our patching services, how we verify patches, or for help implementing workarounds.

We would also be happy to discuss penetration testing and our other services that verify and continuously monitor IT security.

Need a Managed IT Solution For Your Organization? Contact Us!

  • This field is for validation purposes and should be left unchanged.