The trials and tribulations of Microsoft’s KB5012170 patch
KB5012170 is many things to many Windows users. First, it’s a patch that either installs with no problems or leads to a blue screen of death (BSOD). It can also be an indicator we have a problem getting updated drivers on our systems. It can demonstrate how users don’t keep up with Bios updates. And it shows that some OEMs enable Bitlocker on the systems they sell (not necessarily in a good way).
In short, it’s a problematic patch that just keeps rearing its head.
Also known as “Security Update for Secure Boot DBX,” KB5012170 was released earlier this year and makes improvements to the Secure Boot Forbidden Signature Database (DBX). Windows devices that have Unified Extensible Firmware Interface (UEFI)-based firmware have Secure Boot enabled. It ensures only trusted software can be loaded and executed on during the boot process by using cryptographic signatures to verify the integrity of the process and the software being loaded.
Secure Boot is often used with other security measures, such as trusted platform modules (TPMs) and bootloaders that support key management. It’s supposed to protect against malware and other types of unauthorized software that could compromise security.
Typically implemented in device firmware, Secure Boot can be configured to allow the loading of only trusted software signed with a trusted key; untrusted software is prevented from running.
That said, there is a security feature bypass in Secure Boot; it specifically adds signatures of known vulnerable UEFI modules to the DBX. The vulnerability is called “Hole in the boot” and could be used to bypass the Secure Boot. (Note: for any attack to occur, the attacker would need admin privileges or physical access.)
This is where KB5012170 comes into the picture.
On business computers, or government computers, or systems at risk for a targeted attack, this is the sort of patch you’d want installed. But on home computers or systems that are not managed or updated regularly with driver and firmware updates, it can do more harm than good. Documented side effects include BSODs and Error 0x800f0922, and unless you block the update it will attempt to install again. One user in a Reddit post noted he “needed to restart my computer and an update was pending restart to complete installation. I restarted and my computer failed to start. I got a BSOD with the error 0xc000021a.” It appears this is occurring on older computers with settings changed to disable driver enforcement.
At this point, for home users, the best thing to do is to use one of the tools highlighted at Blockapatch.com to block KB5012170 proactively. The benefits do not outweigh the risks.
There is a second side effect arising from this update. Workstations with Bitlocker enabled may trigger a request for a Bitlocker recovery key. This can be a problem for consumer and home users with systems that have Bitlocker automatically enabled. If you do not know where your Bitlocker recovery key is stored, you might have to reinstall Windows from scratch. (To determine if you have Bitlocker enabled, click on File Explorer and right-mouse click on your C drive. If you see the option to turn OFF Bitlocker, make sure you know where your Bitlocker recovery key is stored. If you set up your computer with a Microsoft account, it will be stored there. If you’re unsure where your Bitlocker recovery key is located, either reset or disable it.)
For business patchers, the side effects should be weighed against the risks of not installing KB5012170. I’ve not seen many business BSOD reports, though I have seen reports of systems demanding a Bitlocker recovery key when deploying this update. Thus, before deploying it, review your systems to ensure that their firmware is up to date.
Historically in business settings, you install firmware updates upon deployment and never review them again. But with Windows 10 and Windows 11, you can no longer be safe doing that. Ensure that you have a process in place to inventory and evaluate firmware and update accordingly. Firmware should be reviewed at least once a year. Now that Microsoft has moved Feature releases to an annual release cadence, use that schedule to include review and updating of firmware, video drivers, audio drivers and other key hardware drivers that interact with the system.
Since KB5012170 (or something like it) will probably pop up again, ensure your system is prepared for it by either proactively blocking it or keeping your firmware and drivers up to date. That’s the best way to avoid problems down the road.
http://www.computerworld.com/category/security/index.rss