After latest Microsoft Windows updates, some PCs running Sophos AV do not boot

Pierluigi Paganini May 21, 2019

Sophos is warning users of potential problems with Microsoft’s recent Patch Tuesday updates and is telling them to roll the updates back if they want the PC to boot.

The security firm has informed its customers of potential problems with Microsoft’s latest Patch Tuesday updates and is asking them to uninstall the patch if they want the machine to boot.

This means that the machine could be exposed to cyber attacks that leverage the vulnerabilities addressed by Microsoft, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out a WannaCry-like attack.

Sophos confirmed that the latest set of Windows updates is causing boot problems on computers running its popular antivirus software.

“We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on “Configuring 30%”” reads a note published by the company.

Experts believe the problems could be caused by an incompatibility with the KB4499164 and KB4499175 Microsoft patches released on May 14, 2019.

According to Sophos, the problems have been reported by customers running Windows 7 and Windows Server 2008 R2.

The experts suggest removing the Windows update after booting the system in Safe Mode.

“Current reports indicate that removing the Windows update in Safe Mode allows computers to boot as normal.” continues the note.

“If you experience issues removing this in Safe Mode please set the “Sophos Anti-Virus” Service startup to be “Disabled” and then attempt to remove the update after coming out of Safe Mode.”
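The following per-host check is an added example, not code from Sophos, Microsoft or the original article. It reports whether a machine matches the combination described above (Windows 7 or Server 2008 R2, the "Sophos Anti-Virus" service, and either of the two KBs) and, only with the hypothetical `-Remediate` switch, applies the fallback steps from the note. It assumes an elevated Windows PowerShell prompt on a host you can still log in to.

```powershell
# Added example: triage one host for the combination described in the article.
# Assumption: the service is matched by the display name quoted in the Sophos note.
param([switch]$Remediate)   # hypothetical switch; without it the script only reports

$kbs            = 'KB4499164', 'KB4499175'   # the two updates named in the article
$svcDisplayName = 'Sophos Anti-Virus'        # display name quoted in the Sophos note

$os = Get-WmiObject -Class Win32_OperatingSystem
# Windows 7 and Windows Server 2008 R2 both report version 6.1.x
$affectedOs = $os.Version -like '6.1.*'

# Which of the two updates are recorded as installed on this host?
$installed = @(Get-HotFix | Where-Object { $kbs -contains $_.HotFixID })

# Is the Sophos service registered here? ($null when it is not)
$sophos = Get-Service -DisplayName $svcDisplayName -ErrorAction SilentlyContinue

# One object per host, so results can be collected and filtered centrally
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    OS            = $os.Caption
    AffectedOs    = $affectedOs
    SophosPresent = [bool]$sophos
    InstalledKBs  = ($installed | ForEach-Object { $_.HotFixID }) -join ','
}

if ($Remediate -and $affectedOs -and $sophos -and $installed.Count -gt 0) {
    # Fallback from the note: set the service startup to Disabled first
    $sophos | Set-Service -StartupType Disabled

    # Then remove each matching update; wusa.exe expects the number without "KB"
    foreach ($hf in $installed) {
        $num = $hf.HotFixID -replace '^KB', ''
        Start-Process -FilePath 'wusa.exe' -Wait `
            -ArgumentList "/uninstall /kb:$num /quiet /norestart"
    }
    Write-Output 'Removal requested for the listed updates; a reboot completes it.'
}
```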

Sophos is currently working with Microsoft to investigate the issue and develop a fix.

Microsoft Patch Tuesday updates for May 2019 also addressed a remote code execution flaw in Remote Desktop Services (RDS). The flaw, tracked as CVE-2019-0708, can be exploited by an unauthenticated attacker by connecting to the targeted system via the Remote Desktop Protocol (RDP) and sending specially crafted requests. Microsoft pointed out that this vulnerability could be exploited by malware with wormable capabilities. It could be triggered by an unauthenticated attacker and without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The problem faced by Sophos customers could be very annoying for large businesses that deployed the Microsoft updates. One user commenting on a blog post published by Sophos wrote the following statement:

“We had to roll back some 300+ machines for clients around the US.”

Affected users that are not able to boot their machine have to contact the company and open a ticket with the tech support team.

