News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon

We're community supported and proud of it!

AskWoody Plus Alert Logo
ISSUE 19.01.1 • 2022-01-06
MS-DEFCON 2: Batten down the hatches for January

MS-DEFCON 2

By Susan Bradley

Microsoft has started off the patching year — and not in a good way.

Soon after midnight all across the world, mail administrators running Exchange 2016 and Exchange 2019 (see edit 1 below) started noticing that mail was not being delivered in their organizations. Horror of horrors, this has been dubbed the “Y2K22” bug — just what we wanted to hear.

A Reddit thread summarized this well. Mail admins noticed that, as the date on the calendar changed, the mail server was unable to process due to a “… problem related to a date check failure with the change of the new year.” We now know the problem is an integer overflow error. An anti-malware component is converting the date/time into the “YYMMDDHHMM” format and storing it as a signed, 32-bit number (max value 2,147,483,648). In December, the number started with “2112,” less than 2147. But in January, the number starts with “2201,” obviously more than 2147. Thus the system would attempt to store the value into a bucket that was too small to hold it. Microsoft has since posted a workaround/fix to the problem that requires manual action by Exchange administrators.

Why am I pointing this out given that it impacts only mail servers and those that manage mail servers? Because I think it’s just another example of the lack of testing and attention to detail that Microsoft is applying to on-premises products. It’s one of the reasons why I still recommend that you hold back and not install updates immediately. Rather, I recommend you defer updates until at least January 25. Once again, Microsoft is showcasing that quality testing is lax at best.

Microsoft, and thousands of other companies, invested millions of dollars leading up to the year 2000 to convert all two-digit references to years to four digits, thus staving off the apocalypse until the year 9999. I know it’s been 20 years, but didn’t the next generation of developers get the message?

Consumer and home users

Time again to wrap up any feature installations you are doing. I often use the holidays to ensure my computers are on my preferred version of Windows 10. You have only between now and next Tuesday morning (Pacific time) to wrap up any Windows 10 feature-release installations you are planning. That’s especially important for users of Windows 10 2004, because December was the last month for installation of its updates. If you haven’t gotten Windows 10 2004 off your PCs, you won’t see updates in January.

I’ve also seen computers that were left off for long periods of time and got stuck on older versions. For these machines, your best patching advice is to bypass Windows update and instead use the “update now” button on the Windows 10 ISO page.

If you have kept your machine up to date, now is the time to defer updates by using pause, defer, set as metered, or any number of ways. My preference is still to use the “date in the future” method and pick January 25 as the day you’ll let updates be installed. For those with Windows 8.1 and Windows 7, you have it easier: you can just configure the setting to “not install updates” or “download but not install” updates and then install them after January 25 as well.

Business users

For business patchers, it’s in your best interest to hold back and ensure you have tested the updates before you deploy them. The 2021 patching year was not easy for businesses. From the Print Nightmare issues to Exchange security vulnerabilities, keeping your firm protected was a challenge. Add to that concerns about browser zero days (where Chrome will receive updates for zero-day vulnerabilities under attack, and Edge won’t get its update for another day), and it’s enough to keep anyone worried. Layer on last year’s issues with printer side effects, SQL issues, Access issues — well, it’s been a stressful year.

Speaking of Access, Microsoft has finally fixed a problem created with the December updates, where two or more people couldn’t open an Access database. The issue was already fixed in click-to-run versions. In KB2965317, released on December 29, Access 2013 finally received its update to fix this problem. You’ll have to manually install that update in order to fix your file-access issue because the patch has not yet been released to Windows Software Update Services or Windows update.

If you’ve noticed that your Server 2019 machines have gotten a bit sluggish, you aren’t alone. Microsoft has released an out-of-band update for Server 2019 that “Updates a known issue that might prevent you from using Remote Desktop to reach the server and also slows performance.” Even though this will be included in the January updates, you may want to apply KB5010196 to your servers if you are suffering from these side effects. This is one I’ve personally seen in my network.

For those that run Active Directory in your organization, ensure that you review the English translation of Microsoft’s Japanese security blog. If you’ve already installed the November updates in your organization, you’ve received the patches; but you may wish to enable the recommended registry keys to roll out additional protections now. Microsoft will be enabling the protections in full at a later date, but you can opt in early for additional hardening. (See edit 2 below – note some are seeing side effects)

References

MS-DEFCON 2

Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.

Edit 1 of 1-6-2022 – originally listed Exchange 2013 and 2016, it should have read 2016 and 2019. However Exchange 2013 is also impacted, it breaks the automatic updating of malware definitions and must be manually fixed. If you have one of these servers see this post.

Edit 2 of 1-6-2022 – in regards to enforcing the Active Directory hardening patches be aware that folks are reporting interactions with Mac authentication and cannot be joined to the domain after enforcing the November updates (remember they are in passive and not enforced at this time.  Follow this and this for more info.