• Should we panic?

    Gordon Kelly is out with a headline about quitting Windows. Once again he has overblown the problem and overestimated the impact.

    First, regarding the side effects on DNS (domain name services): it only impacts Server 2019, and then only servers running the DNS server role. We’re talking about a narrow number of impacted servers here, not BILLIONS. I am running a Windows 2019 server with the DNS server role and not noting any issues; I use DNS forwarders, and I have not seen anyone complain about this widely. Microsoft has acknowledged the issue, and Gordon is using Microsoft’s own transparency about an issue seen by a small subset to beat them up.

    Next, the concerns over the local privilege escalation bug. Unless the way it can be attacked has changed, CVE-2021-34484 isn’t easily exploited. Per an October write-up of the bug:

    “While this is a critical vulnerability, exploitation would require threat actors to know the username and password of two different users, making an attack very difficult in the wild.”

    Excuse me?

    “Subsequently, vulnerability analysis specialist Will Dormann tested the flaw and found that the attack could not always be successfully completed.”

    Do we need to overinflate patching issues?  Absolutely not.

    Do we need to beat them up over quality of updates? Yes. But that’s true for all vendors, including Apple.

    Edit: As Carl points out in the comments, you want to update your browser today. THAT’S what you should really be worried about. Chrome is fixing a zero day that was under attack; Edge does not (as far as I can tell) have the fix yet.

    Edit 2:  Edge/Brave have the fix for the Chrome zero day as of 3/26/2022.  Make sure you update your browser.