Pause Patch Tuesday updates, watch out for Exchange server attacks
- 09 March, 2021 10:00
With the arrival of Patch Tuesday for March, it’s time for me to urge you to again review how you handle updates from Microsoft — and hold off a bit before installing anything. By waiting a week or two, any earth-shattering side effects can be identified and workarounds found.
I give the same advice for the feature-release process. I normally wait until the next release is ready before I install the current one; it’s served me well to protect against side effects triggered by bad updates.
So, before Microsoft’s patches arrive, here’s what to do: click on Start, go to Settings, then Update and security, Windows update, and look for Advanced options.
Scroll down to the section that says, “Pause until” and pull down the “select date” to choose a specific date for dealing with updates. It should be at least a week after Patch Tuesday to give us time to deal with any issues. I personally patch on weekends when I have more time to handle any side effects. I recommend something like March 27 as a good date to choose. By then, we will have identified any issues.
While most enterprises skip releases and only do them once a year (or longer), I find that my own machines ultimately patch better — and with fewer issues — if I keep to this delayed feature release installation process without completely skipping a release. Installing a feature release also refreshes the Windows updating components, which can fix quite a few update issues.
Case in point: I had a misbehaving workstation that threw off a Windows updating error, and no amount of sfc /scannow or DISM commands would fix the underlying corruption causing the problem.
I had two choices: An in-place upgrade over the top, or — since I was one version behind on the feature release — I could opt to use the Windows 10 software download page to fix the issue. I clicked on “Update now” and had the system upgrade itself to Windows 10 20H2, fixing the problem. I also got a machine that has refreshed Windows updating components ready to tackle future updates.
Early on, installing these feature updates would reset printers, affect video, and, in general, make for a stressful time. But Microsoft apparently heard from enterprises that change for change’s sake is not acceptable and made these releases relatively trouble-free.
That said, if you still run Windows 10 1909 on hardware with a Conexant audio driver, Microsoft is still unable to provide an automatic fix that lets you move to either Win 10 2004 or 20H2. If you’re in this boat, click on the Search box and type in “device manager.” Find the sound driver section and click on the > to expand the selections.
Now, find the Conexant sound driver and right-click it to uninstall it. Don’t panic: once the feature release is installed, it will put a proper driver back for your system. With the driver removed, go to the Windows 10 software download page and click the “Update now” button to install 20H2.
If you are on 1909, the process may take some time — especially if you don’t have an SSD drive. But once the install is complete, your system will automatically pick up the Conexant audio driver and be none the worse for wear.
Now that I’m urging everyone to move to 20H2, I also want you to set the TargetReleaseVersion to 20H2. I recommend that you use the registry key method to keep your Windows 10 machine on 20H2 until you are ready to move to 21H1. While 21H1 won’t be a large release, it’s still wise to avoid any potential blocking events that could impact your computer. As soon as it’s released, I’ll report on any issues.
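The registry key method mentioned above can be scripted. This PowerShell sketch is an added example, not part of the original article; the article names only the TargetReleaseVersion setting, so the policy key path and the companion TargetReleaseVersionInfo value are supplied here as the standard Windows Update policy values, and the function names are hypothetical.

```powershell
# Added example: pin a Windows 10 machine to one feature release and
# report what is installed versus what is pinned. Run from an elevated prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Target    = '20H2'   # release recommended in the article

function Assert-Elevated {
    # Writing under HKLM\SOFTWARE\Policies needs administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated PowerShell session.'
    }
}

function Set-TargetRelease {
    param([string]$Key, [string]$Release)
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # TargetReleaseVersion = 1 switches the pin on;
    # TargetReleaseVersionInfo names the release to stay on.
    New-ItemProperty -Path $Key -Name 'TargetReleaseVersion' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'TargetReleaseVersionInfo' `
        -PropertyType String -Value $Release -Force | Out-Null
}

function Get-TargetReleaseStatus {
    param([string]$Key)
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion exists from 20H2 onward; 1909 and 2004 only carry ReleaseId.
    $installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    $policy = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed     = $installed
        PinEnabled    = ($policy.TargetReleaseVersion -eq 1)
        PinnedTo      = $policy.TargetReleaseVersionInfo
        OnPinnedBuild = ($installed -eq $policy.TargetReleaseVersionInfo)
    }
}

Assert-Elevated
Set-TargetRelease -Key $PolicyKey -Release $Target
Get-TargetReleaseStatus -Key $PolicyKey | Format-List
```

When you are ready to move to the next release, change `$Target` and rerun the script, or delete both values to lift the pin.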
... about those Exchange attacks
While it’s smart for users to hold off on updating, it wasn’t so wise to hold back on business patching last week. Microsoft’s on-premises email server, Microsoft Exchange, was hit by attacks. If you are a small business that still has an on-prem email server, you may have a big problem on your hands.
First, if you are running the out-of-date Small Business Server 2011, which includes Exchange 2010, there’s good news: that older platform doesn’t suffer from the vulnerabilities affecting Exchange 2013, 2016 and 2019. Microsoft released an out-of-band update for that platform on March 2, while attackers are actively going after those newer Exchange platforms.
They all suffered from a vulnerability where attackers could — without authenticating on the machine — take over the system and possibly gain total access. Because most Microsoft mail servers set up Outlook Web Access over a web port (port 443), many servers were open to these attacks.
Microsoft originally said the attacks were targeted, not widespread. Whenever I see that, I translate it to mean that “only large enterprises are getting targeted attacks and I have time to watch for side effects before installing updates.” Well, the attackers soon went from targeted attacks to broadly going after anyone running an Exchange server.
Bottom line: if you are a small business owner who uses email and you have outsourced your IT operations, make sure to reach out to them and ask whether they need to review your mail server for possible intrusion. You may have to authorise your consultant to rebuild your mail server and change every password used on your systems to ensure that the attackers can’t gain access.
To be clear, this only impacts businesses still hosting email on a standalone server, not email hosted on the cloud using Microsoft 365. If you are at all unsure, double-check to make sure you haven’t been impacted. Between the SolarWinds breach and now Exchange-gate, this has not been a banner year in security for businesses using Microsoft products.