At the beginning of 2018, news broke regarding "Meltdown" and "Spectre", two vulnerabilities that took advantage of speculative execution in Intel CPUs to retrieve sensitive information. The story expanded somewhat beyond the initial report as OS vendors released patches for their respective systems, but the basic vulnerability remained the same.

Microsoft released an out-of-band patch to mitigate the vulnerability from the software side, with a caveat: several antivirus vendors were taking advantage of kernel processing in ways that were not best practice, and when the Microsoft patch was installed, those systems would get a "blue screen of death" (BSOD) because of the antivirus software.

In response, Microsoft implemented a check for a registry key before installing the patch: antivirus vendors would need to set this key to show they were compatible with the release. Vendors that did not set it (despite being compatible) left IT administrators to add the key manually in order to continue receiving patches after the January release.

Over the next several months, issues with CPU firmware caused software patches to be re-released, rolled back, and released again across a variety of vendors. Only recently have these firmware releases stabilized enough that software vendors can re-release and support their mitigation patches.

More recently, the March Monthly Rollup for Server 2008 R2 (KB 4088875/4088878) had an issue that affected many virtual servers with static IP addresses. Upon reboot, these servers would "lose" and "rediscover" the NIC, forcing administrators to delete the "disconnected" and hidden NIC driver and reconfigure the new NIC. Around a week after the initial release, Microsoft published workaround instructions for administrators to run a VBScript that would clear some registry settings prior to installing this patch.

A few days later, information came out regarding "Total Meltdown" - a new vulnerability introduced by the original Meltdown/Spectre patches themselves - that required an out-of-band kernel update in addition to the buggy March Monthly Rollup for Server 2008 R2.

Finally, a week before the April Patch Tuesday release, Microsoft released a patch that would execute the VBScript via Windows Update, and configured the patch metadata so that this patch would install prior to the buggy KB4088875 and the follow-up kernel update (KB4100480). As of the April Patch Tuesday, these patches appear to have been rolled up into the single Monthly Rollup release in order to take care of all the prerequisites automatically.

There are several other examples of past patches that require additional manual work following installation. A few examples are below:

  • KB2871997 - Released October 2014, requires a registry key to force clearing of leaked logon session credentials
  • KB3159706 - Released May 2016, requires a post-installation command-line step on Server 2012 R2 WSUS so that it can properly decrypt Windows 10 upgrades
  • KB4034879 - Released July 2017, requires registry keys to make LDAP authentication over SSL/TLS more secure
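As an added example (not from the original post), the PowerShell audit below checks whether the follow-up steps for two of the KBs listed above were actually carried out on a host, correlating Get-HotFix output with the registry state each KB expects. The function name Test-PatchFollowUp is the editor's own, and the registry paths and expected values are the editor's recollection of the respective KB guidance rather than something the post states; confirm them against each KB article before relying on the table.

```powershell
# Added example, not from the original post: audit a host for patches that
# need a manual follow-up step and report whether that step was completed.
# The registry paths and values are taken from the editor's recollection of
# the respective Microsoft KB guidance, not from the post; confirm them
# against each KB article before relying on this table.

$FollowUpChecks = @(
    @{
        KB   = 'KB2871997'
        Why  = 'Force clearing of leaked logon session credentials (WDigest)'
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Name = 'UseLogonCredential'
        Pass = { param($v) $v -eq 0 }     # 0 = do not keep plaintext creds
    },
    @{
        KB   = 'KB4034879'
        Why  = 'Enforce channel binding for LDAP over SSL/TLS'
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Name = 'LdapEnforceChannelBinding'
        Pass = { param($v) $v -ge 1 }     # 1 = when supported, 2 = always
    }
)

function Test-PatchFollowUp {
    [CmdletBinding()]
    param([hashtable[]]$Checks = $FollowUpChecks)

    # Get-HotFix lists installed updates by KB id; a KB that is not installed
    # needs no follow-up yet, but is still reported so it is not forgotten.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($c in $Checks) {
        $actual = $null
        $state  = 'NotInstalled'
        if ($installed -contains $c.KB) {
            $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            $actual = if ($item) { $item.($c.Name) } else { $null }
            if ($null -eq $actual)      { $state = 'FollowUpMissing' }
            elseif (& $c.Pass $actual)  { $state = 'Ok' }
            else                        { $state = 'FollowUpWrongValue' }
        }
        [pscustomobject]@{ KB = $c.KB; Reason = $c.Why; Status = $state; Actual = $actual }
    }
}

# Example use: Test-PatchFollowUp | Format-Table -AutoSize
```

Anything reported as FollowUpMissing or FollowUpWrongValue is a host where the update installed but the manual step described in the KB did not happen.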

Needless to say, it is prudent for IT administrators to remain on top of patching and of the vulnerabilities reported across their infrastructure. Many of these additional steps can easily slip through the cracks for someone who is blindly approving and installing patches - even though that appears to be the recommended best practice for Windows 10 / Windows Server 2016 going forward.