Uh oh! Here comes the first bug in the Windows 8.1 Update

Fortunately, it only affects Windows Server Update Services customers


Microsoft has suspended distribution of April's Windows 8.1 Update to some enterprise customers after a bug was discovered that could bork affected machines' ability to receive future updates.

The issue affects businesses that distribute software updates via Windows Server Update Services (WSUS) 3.0 Service Pack 2, which shipped with Windows Server 2008 R2 but can also be used with earlier versions of Windows Server.

After installing the Windows 8.1 Update, affected PCs will try to contact their WSUS servers using the TLS 1.2 secure communications protocol. But because TLS 1.2 support is not enabled on WSUS 3.0 SP2 by default – that version defaults to the older SSL protocol – in many cases these attempts will fail, and the PCs will no longer be able to receive future software updates.

This unfortunate side effect is delivered in Windows update KB2919355, the 707MB code chunk that makes up the majority of the Windows 8.1 Update set of patches.

Systems admins have a couple of workarounds available to resolve the problem, at least temporarily. First, if they're running WSUS 3.0 SP2 on Windows Server 2008 R2, they can enable TLS 1.2 support via some Registry tweaks. A Microsoft Knowledge Base article explains how.

Earlier versions of Windows Server, however, lack support for TLS 1.2. In these cases, the only way to re-enable software updates is to disable HTTPS in WSUS 3.0 SP2 and ship updates to PCs unencrypted.

Redmond says – with some small irony – that it's working on a software update that will restore proper behavior for all supported versions of WSUS, though it hasn't said when to expect that update to arrive.

Until then, Microsoft will no longer be distributing update KB2919355 to WSUS servers, and the only way for customers in WSUS environments to get the Windows 8.1 Update will be to download it from the Windows Update Catalog or from MSDN. ®


Other stories you might like

  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Microsoft forgot to renew the certificate for its Windows Insider subdomain
    Visitors to insider.windows.com met with safety warning - how reassuring

    Microsoft has forgotten to renew the certificate for the web page of its Windows Insider software testing program.

    Attempting to visit the Windows Insider portal was returning the familiar "Your connection is not private" warning – as if webpages larded with scripts and trackers can truly be called "private." The problem has now been fixed, and someone's no doubt getting an earful.

    Browsers like Chrome, Firefox, and Safari will attempt to deter visitors from accessing the webpage, but will provide a link for those who ignore the warnings and persist on clicking through to advanced options.

    Continue reading
  • Microsoft pledges neutrality on unions for Activision staff
    Now can we just buy them, please?

    Microsoft isn't wasting time trying to put Activision Blizzard's problems in the rearview mirror, announcing a labor neutrality agreement with the game maker's recently-formed union.

    Microsoft will be grappling with plenty of issues at Activision, including unfair labor lawsuits, sexual harassment allegations and toxic workplace claims. Activision subsidiary Raven Software, developers on the popular Call of Duty game series, recently voted to organize a union, which Activision entered into negotiations with only a few days ago.

    Microsoft and the Communication Workers of America (CWA), which represents Raven Software employees, issued a joint statement saying that the agreement is a ground-breaking one that "will benefit Microsoft and its employees, and create opportunities for innovation in the gaming sector." 

    Continue reading

Biting the hand that feeds IT © 1998–2022