Microsoft has enabled a fix for a Windows kernel information disclosure vulnerability by default for everyone, after previously shipping it disabled out of concern that it could introduce breaking changes to Windows.
The vulnerability is tracked as CVE-2023-32019 and has a CVSS score of 4.7/10 (medium), with Microsoft rating the flaw as 'Important' severity.
The bug was discovered by Google Project Zero security researcher Mateusz Jurczyk, and it allows an authenticated attacker to access the memory of a privileged process to extract information.
While it is not believed to have been exploited in the wild, Microsoft initially released the security update with the fix disabled, warning that it could cause breaking changes in the operating system.
"The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it," explained Microsoft.
Instead, Windows users had to enable the fix manually after installing the update, by adding the following registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides key for their Windows version:
- Windows 10 20H2, 21H2, 22H2: Add a new DWORD registry value named 4103588492 with a value data of 1
- Windows 11 21H2: Add a new DWORD registry value named 4204251788 with a value data of 1
- Windows 11 22H2: Add a new DWORD registry value named 4237806220 with a value data of 1
- Windows Server 2022: Add a new DWORD registry value named 4137142924 with a value data of 1
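The registry procedure above, as an added PowerShell example (not Microsoft's own script or anything from the article): it picks the override value name from the list above based on the running OS build, creates the Overrides key if it is missing, writes the DWORD, and reads it back. The mapping from build numbers to releases (19042/19044/19045 for Windows 10 20H2/21H2/22H2, 22000 and 22621 for Windows 11 21H2 and 22H2, 20348 for Server 2022) is my assumption, not something the article states; builds not in the list above are refused rather than guessed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: set the CVE-2023-32019 FeatureManagement
# override for the running Windows release and verify it was written.

$OverridePath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'

# OS build number -> override value name from Microsoft's list (as quoted in the article).
# The build-to-release mapping is an assumption of this example, not from the article.
$OverrideByBuild = @{
    19042 = '4103588492'  # Windows 10 20H2
    19044 = '4103588492'  # Windows 10 21H2
    19045 = '4103588492'  # Windows 10 22H2
    22000 = '4204251788'  # Windows 11 21H2
    22621 = '4237806220'  # Windows 11 22H2
    20348 = '4137142924'  # Windows Server 2022
}

function Get-Cve202332019OverrideName {
    # BuildNumber is a string in WMI; cast so the hashtable lookup matches the int keys.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if (-not $OverrideByBuild.ContainsKey($build)) {
        # Do not guess an ID for a release the list does not cover (e.g. Windows 10 21H1).
        throw "Build $build is not one of the listed releases; no override value name is known for it."
    }
    return $OverrideByBuild[$build]
}

function Test-Cve202332019Fix {
    # True when the override for this build exists and is set to 1.
    $name  = Get-Cve202332019OverrideName
    $props = Get-ItemProperty -Path $OverridePath -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.$name -eq 1)
}

function Enable-Cve202332019Fix {
    $name = Get-Cve202332019OverrideName
    if (-not (Test-Path $OverridePath)) {
        # The Overrides key is absent on a default install; -Force creates the full path.
        New-Item -Path $OverridePath -Force | Out-Null
    }
    # -Force overwrites an existing value of the same name instead of erroring.
    New-ItemProperty -Path $OverridePath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Wrote $OverridePath\$name = 1 (REG_DWORD)"
}

if (Test-Cve202332019Fix) {
    Write-Host 'Override already present; nothing to do.'
} else {
    Enable-Cve202332019Fix
    if (-not (Test-Cve202332019Fix)) { throw 'Override value was not written as expected.' }
}
```

Run it from an elevated PowerShell session. On a machine that already has the August 8, 2023 or later cumulative update installed, the fix is active without the override, so the script is only of interest for systems still on the June or July 2023 update or for auditing which machines had the manual override applied.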
However, Microsoft would not say what conflicts could arise from enabling the fix, simply telling BleepingComputer at the time that it would be enabled by default in the future.
This uncertainty led to many Windows admins not deploying the fix out of fear it would cause problems in their Windows installations.
As first spotted by Neowin, Microsoft has now enabled the fix for CVE-2023-32019 by default in the August 2023 Patch Tuesday updates.
"The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023," explains Microsoft in an update to its support bulletin.
"No further user action is required."
BleepingComputer has spoken to numerous Windows admins about this update, and none have reported issues with this change enabled.
H/T noelprg4
Comments
NoneRain - 10 months ago
No issues here, but also no issues where the manual fix was applied, too.
noelprg4 - 10 months ago
hi Lawrence
check out this recent article from Neowin where Microsoft explained why the CVE-2023-32019 fix was enabled for everyone:
https://www.neowin.net/news/microsoft-explains-why-it-pushed-buggy-windows-kernel-patch-after-an-earlier-warning/
part of that new Neowin article states:
"However, since we reported this news, Microsoft has once again updated its bulletin and has removed the portion that warned users of the kernel issue. That's because the tech giant now feels confident stating that the potentially-breaking Windows kernel patch is problematic no more."
Lawrence Abrams - 10 months ago
Yup, saw it earlier. Thanks