In an advisory note published over the weekend, Sophos admitted the latest batch of Windows updates is causing the machines of some people using its AV wares to hang on boot, getting stuck while displaying the line “Configuring 30%”.
“We have currently only identified the issue on some customers running Windows 7 and Windows Server 2008 R2,” added the company.
Its advice on what to do is pretty blunt: uninstall the Windows update. Specifically, revert KB4499164 (May’s full-fat Patch Tuesday) and KB4499165, the security-only update. As regular readers know, the latest Patch Tuesday is intended to mitigate a pretty nasty vuln (CVE-2019-0708) which permits unauthenticated remote code execution through the medium of Remote Desktop Services. Sophos itself opined that it was “so serious that Microsoft has even released patches for its long-unsupported operating systems, Windows 2003 and XP”.
As we wrote when the patches were published, to make it work all you have to do (easy when you know how, innit) is to “find one of countless vulnerable Windows boxes facing the internet or on a network, and send carefully crafted packets to its remote desktop service, if running, to start executing malicious code on the machine. From there, other computers can be found by scanning IP ranges, and then you’ve got a proper old school worm on your hands.”
Even Microsoft said this vuln could be abused to spread a worm, WannaCry-style.
The whole thing has loud echoes of a similar Sophos screwup from April, when that month’s Patch Tuesday knackered a bunch of Windows boxen running Sophos products, including Win 7 and Server 2008 R2.
Why, then, is Sophos recommending that users, private and corporate alike, revert a critical security update? Granted, so far nobody has seen a live exploit for the major vuln identified by Microsoft, but in this day and age it’s only a question of time.
Sophos didn’t directly answer when El Reg asked, nor did it say when it would patch its own products to get them working again. Instead it said: “Sophos is working diligently on determining the issue and will provide ongoing customer guidance.”
Affected folk are encouraged to go and tell Sophos exactly what happens when their machines lock up, and to open a ticket with the company’s tech support team. Links to various Sophos utilities are available in the advisory. ®