I’m not yet ready to give a clear verdict on the security patches released on January 12th, and I want to alert you to one specific update that affects Hyper-V servers and some consumer workstations.
KB4535680, also known as the Security update for Secure Boot DBX dated January 12, 2021, provides improvements to the Secure Boot DBX for a number of supported versions of Windows: Windows Server 2012 x64; Windows Server 2012 R2 x64; Windows 8.1 x64; Windows Server 2016 x64; Windows Server 2019 x64; Windows 10, version 1607 x64; Windows 10, version 1803 x64; Windows 10, version 1809 x64; and Windows 10, version 1909 x64. The description explains that Windows devices with firmware based on the Unified Extensible Firmware Interface (UEFI) can run with Secure Boot enabled, that the Secure Boot Forbidden Signature Database (DBX) prevents malicious UEFI modules from loading, and that this update adds modules to the DBX to block attackers who could otherwise exploit the vulnerability, bypass Secure Boot, and load untrusted software.
The patch description states that “If Windows Defender Credential Guard (Virtual Secure Mode) is enabled, your device will restart twice.” While this doesn’t appear to be a known issue, I have found that having Hyper-V enabled on a server affects the integrity of my VMs. In my case, restarting the host server put the virtual machines into a saved state twice.
As a general rule, when patching a Hyper-V host server, it’s fine to let the hosted virtual machines “do their thing.” When the Hyper-V host restarts, the virtual machines can be configured to come back online by default: the system temporarily suspends the Hyper-V management service, restarts the host, and then restarts the virtual machines after the reboot. I normally leave my virtual machines running while I restart the host server. In this case, when the Hyper-V host rebooted, the virtual machines did not come back to an operational state. I had to restart the Hyper-V host a third time, turning it off completely and then turning it back on manually, to get my VMs back.
If you are installing this update on Hyper-V servers, plan to shut down the virtual machines manually first. This ensures that the virtual machines are in a stable, shut-down state before the patch is installed.
Historically speaking, these DBX updates have not performed well, even on consumer machines. Previous updates triggered issues on HP systems that did not have the latest BIOS updates installed. In a document released in February 2020, HP detailed the problem. (HP and Microsoft note that “If the latest supported BIOS is not installed on the system, Windows 2004 installation, Windows 2004 update, or KB4524244 or KB4535680 installation or download may be blocked for the system.”)
So what’s a geek, or even a non-geek, to do? Remember that if you are an enterprise patcher with tools like WSUS that allow you to control and approve updates, you should carefully evaluate KB4535680 before installing it on your Hyper-V servers. If you feel that you need to deploy it because of your security practices, I recommend that you manually shut down any virtual machines on your Hyper-V server before continuing.
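The pre-patch routine described above, as an added PowerShell example that is not part of the original article: it checks whether KB4535680 is already present, whether Secure Boot and Credential Guard are in play (the two conditions the KB text ties to the double restart), records which VMs were running, and shuts them down cleanly so the host reboot never has to save and resume them. It assumes an elevated PowerShell session on the Hyper-V host with the Hyper-V module installed; the file path under `$env:TEMP` is a constructed choice.

```powershell
# Added example, not from the article. Run elevated on the Hyper-V host before
# installing KB4535680; the VM list it writes is used to start the VMs again afterwards.
$KbId = 'KB4535680'
$VmListFile = Join-Path $env:TEMP "vms-running-before-$KbId.txt"   # constructed path

# 1. Skip everything if the update is already installed.
$installed = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "$KbId is already installed (on $($installed.InstalledOn)). Nothing to do."
    return
}

# 2. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    where a DBX update changes nothing about boot behaviour.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
Write-Host "Secure Boot enabled: $secureBoot"

if ($secureBoot) {
    # Size of the current DBX, kept as a before/after marker for the update.
    $dbx = Get-SecureBootUEFI -Name dbx
    Write-Host "Current DBX size: $($dbx.Bytes.Length) bytes"
}

# 3. Credential Guard (Virtual Secure Mode): the KB warns of two restarts when it is on.
#    In Win32_DeviceGuard, SecurityServicesRunning value 1 means Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    Write-Host 'Credential Guard is running: expect the host to restart twice.'
}

# 4. Record and cleanly shut down every running VM instead of relying on
#    the host's automatic save/resume across the reboot.
$running = Get-VM | Where-Object State -eq 'Running'
$running.Name | Set-Content -Path $VmListFile
foreach ($vm in $running) {
    Write-Host "Shutting down $($vm.Name) ..."
    # Graceful guest shutdown through the integration services; no confirmation prompt.
    Stop-VM -Name $vm.Name -Confirm:$false
}

# 5. Wait (up to 10 minutes) until nothing is still running, then show the final state.
$deadline = (Get-Date).AddMinutes(10)
while ((Get-VM | Where-Object State -eq 'Running') -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
Get-VM | Select-Object Name, State | Format-Table -AutoSize
Write-Host "VM names saved to $VmListFile. Install $KbId now and reboot the host."
```

After the host is back up and `Get-HotFix -Id KB4535680` reports the update, `Get-Content $VmListFile | Start-VM` brings the same set of VMs back; if Secure Boot is on, re-reading `(Get-SecureBootUEFI -Name dbx).Bytes.Length` should show a larger DBX than the number recorded before patching, which is a quick confirmation that the firmware actually accepted the new entries.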
For home users, consumers, and other standalone patchers, remember that on the Windows 10 platform, BIOS updates are extremely important. Years ago I would install systems and never, ever update the BIOS after the initial setup. Now before each feature release I go to my computer manufacturer’s website and download the latest BIOS update. If you’re still using Windows 10 1909 and want to skip it for now, use the Wushowhide tool to hide the update. If you are using version 2004 or later, the code is already included; thus, this update will not be offered to you.
Bottom line for server admins in particular: this is an update that I recommend you ignore unless you clearly need it. The risk to your virtual machines is much greater than the risk of an attack, in my opinion. At a minimum, make sure you have taken precautionary measures before moving forward.
Copyright © 2021 IDG Communications, Inc.