Microsoft released some critical patches today as part of its Patch Tuesday cadence, addressing vulnerabilities in Windows 10 and Windows Server 2016/2019. (If you have Windows 7, well, you also have some work to do because it is now end of life.)
Krebs on Security broke this news earlier this week.
The security flaw in question is pretty gaping: it impacts authentication on Windows machines, the protection of sensitive information in Microsoft’s browsers (Edge and Internet Explorer), and other third-party connectors. A bad actor could capture and decrypt this traffic and gain access to users’ passwords or sensitive info from browsing, like banking credentials. Additionally, the flaw can be used to spoof digital signing certificates, meaning malicious software could appear to be from trusted vendors like Microsoft.
If you’ve been in the industry for any length of time, you know that some Microsoft patches may react unfavorably with your environment. They may not play well with your specific systems, or they may contain bugs that can cause outages.
We always recommend that you test these patches before you deploy them to production, and that you verify you have good, recent backups before you push to production.