03/26 update below. This article was originally published on March 23.
Windows 10 and Windows 11 users, you need to take immediate action. A serious vulnerability was discovered in both platforms that Microsoft not only failed to fix properly, but made worse: its second patch broke a working third-party fix. Here's everything you need to know.
A new report from BleepingComputer breaks down the problem. Tracked as CVE-2021-34484, it is an unpatched (zero-day) privilege escalation vulnerability: an attacker who already has a foothold on a machine can use it to gain higher privileges on Windows 10, Windows 11 and Windows Server. The shock is that Microsoft has known about it for seven months.
Update 03/25: More problems for Windows users. Microsoft has confirmed that updates released for Windows Server in January are the cause of DNS failures that leave affected systems unable to resolve names, and so effectively without internet connectivity.
"After installing updates released January 25, 2022 (KB5009616) and later on affected versions of Windows Server running the DNS Server role, DNS stub zones may not load correctly, which may cause DNS name resolution to fail," Microsoft admitted in an official statement.
The company has also confirmed that two later updates, KB5010427 (02/15/22) and KB5011551 (3/22/22), can cause the same issue. Microsoft has released a fix, but it is not delivered automatically: affected servers stay broken until an administrator applies it by hand. Microsoft has published an installation guide and two download links (1, 2) for the fix.
As BleepingComputer notes, recent Microsoft updates have caused a string of problems for Windows users: Bluetooth-triggered blue screens, LSASS crashes, network connection failures and a Windows Active Directory bug. Microsoft has had to release several emergency "out of band" (OOB) patches to address them. Something has to change.
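To find out whether a given server is exposed to the stub-zone regression described above, the following PowerShell triage script is an added example; it is not from the article, Microsoft or BleepingComputer. It checks for the three updates the article names, confirms the DNS Server role is present, and then queries each stub zone through the local DNS service, which is exactly the symptom Microsoft describes. It uses only the standard ServerManager and DnsServer module cmdlets; no other names are assumed.

```powershell
# Added example, not from the article: triage one Windows Server DNS host for the
# stub-zone failure that Microsoft attributed to KB5009616 and later updates.
# Run in an elevated PowerShell session on the DNS server itself.

$suspectUpdates = @('KB5009616', 'KB5010427', 'KB5011551')  # the updates the article names

function Test-StubZoneRegression {
    # 1. The issue only applies to hosts running the DNS Server role.
    Import-Module ServerManager -ErrorAction Stop
    if (-not (Get-WindowsFeature -Name DNS).Installed) {
        Write-Output 'DNS Server role is not installed; this regression does not apply.'
        return
    }

    # 2. Report which of the implicated updates are installed.
    $present = Get-HotFix | Where-Object { $suspectUpdates -contains $_.HotFixID }
    if ($present) {
        foreach ($kb in $present) {
            Write-Output ('Implicated update present: {0} (installed {1})' -f $kb.HotFixID, $kb.InstalledOn)
        }
    } else {
        Write-Output 'None of the implicated updates are installed.'
    }

    # 3. Enumerate stub zones and probe each one through the local DNS service.
    Import-Module DnsServer -ErrorAction Stop
    $stubZones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Stub' }
    if (-not $stubZones) {
        Write-Output 'No stub zones configured; nothing to check.'
        return
    }

    $failed = @()
    foreach ($zone in $stubZones) {
        try {
            # A correctly loaded stub zone can answer for its own apex NS records.
            # -DnsOnly bypasses the client cache and hosts file so the server itself is tested.
            $null = Resolve-DnsName -Name $zone.ZoneName -Type NS -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
            Write-Output ('OK      {0}' -f $zone.ZoneName)
        } catch {
            $failed += $zone.ZoneName
            Write-Output ('FAILED  {0}: {1}' -f $zone.ZoneName, $_.Exception.Message)
        }
    }

    if ($failed.Count -gt 0 -and $present) {
        Write-Output 'Stub zones are failing on a host with an implicated update: apply Microsoft''s manual fix and re-run this check.'
    }
}

Test-StubZoneRegression
```

The script only inspects the server it runs on; to sweep a fleet, wrap the call in Invoke-Command against your DNS servers. Because the fix is not pushed automatically, re-running the check after installing it is the only way to confirm the zones load again.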
Update 03/26: Another serious blow to Microsoft's reputation has been dealt following allegations that the company is paying hundreds of millions of dollars in foreign kickbacks. The bribes are said to be worth more than $200 million a year, and whistleblower Yasser Elabd, a former Microsoft employee who spent more than 20 years with the company, says he was pushed out by senior management when he tried to draw attention to what was going on.
"In reviewing a multi-partner audit conducted by PricewaterhouseCoopers, I found that when agreeing to the terms of sale for a product or contract, a Microsoft executive or salesperson offered a side deal with the partner and the purchasing entity's decision maker," explains Elabd. "This client-side decider would send an email to Microsoft requesting a discount, which would be granted, but the end customer would still pay the full fee. The discount amount would then be split between the conspiring parties: the Microsoft employee(s) involved in the scheme, the partner and the decision maker of the procuring entity, often a government official."
Elabd cites some striking examples: $33.6 million missing from deals with the Saudi Interior Ministry and Kuwait, $5.5 million in Nigeria "for equipment they didn't have," and "the Qatar Ministry of Education was paying $9.5 million a year over seven years for Microsoft Office and Windows licenses they weren't using." Elabd also claims that "another common practice was to create fake purchase orders, which sales managers presumably used to increase their compensation."
"Experience leads me to believe that 60-70% of salespeople and company managers in the Middle East, Africa and parts of Europe receive these payments," he says. "For anyone who has followed Microsoft closely, this will not come as a shock... What is a shock: this time around, the SEC and the DOJ have both refused to investigate Microsoft for the same types of bribes in the Middle East and Africa."
Microsoft has yet to respond to Elabd’s allegations. With all eyes on the company right now, what happens next will likely have a major impact on Microsoft’s reputation.
Returning to CVE-2021-34484: in Microsoft's defense, the company has released two patches for the flaw, but both failed. The second attempt was particularly bad because it also broke a working third-party fix from the independent security group 0patch (pronounced "zero patch") that was released in November. Ironically, older, unsupported versions of Windows 10 (1803, 1809 and 2004) are currently the best protected, because Microsoft never shipped its second "patch" to those editions, so 0patch's original micropatch still works there. That protection depends on having the 0patch agent installed; without it, those editions are simply unpatched and out of support.
In response, Microsoft issued a statement to BleepingComputer acknowledging the flaw but offering no timeline for a fix, saying only, "We are aware of this report and will take appropriate action to protect customers." It's worth pointing out that this statement is word-for-word identical to the one the company released after two earlier botched fixes for different flaws late last year.
The good news is that 0patch has stepped in again. The group has released a new micropatch, free to download and compatible with the latest versions of Windows 10, Windows 11 and Windows Server. To get it, create a free account in 0patch Central and install the 0patch Agent.
That said, the whole saga leaves a bitter taste. There's a strong sense of deja vu in this latest episode: security researcher Abdelhamid Naceri, who discovered the flaws in several of these patches, previously commented, "So you better wait and see how Microsoft screws the patch again." And here we are again.
Should you quit Windows? That is a personal decision for each user, dependent on individual circumstances. That said, with Apple silicon performance blowing away the vast majority of Windows PCs, there has never been a more tempting time to do so.