Microsoft has enabled a repair for a Kernel info disclosure vulnerability by default for everybody after beforehand disabling it out of issues it may introduce breaking adjustments to Home windows.
The vulnerability is tracked as CVE-2023-32019 and has a medium severity vary 4.7/10, with Microsoft score the flaw as ‘vital’ severity.
The bug was found by Google Challenge Zero security researcher Mateusz Jurczyk, and it permits an authenticated attacker to entry the reminiscence of a privileged course of to extract info.
Whereas it isn’t believed to have been exploited within the wild, Microsoft initially launched the security replace with the repair disabled, warning that it may trigger breaking adjustments within the working system.
“The decision described on this article introduces a possible breaking change. Subsequently, we’re releasing the change disabled by default with the choice to allow it,” defined Microsoft.
As a substitute, Home windows customers needed to allow the replace manually by including the next registry values underneath the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides key:
- Home windows 10 20H2, 21H2, 22H2: Add a brand new DWORD registry worth named 4103588492 with a price information of 1
- Home windows 11 21H2: Add a brand new DWORD registry worth named 4204251788 with a price information of 1
- Home windows 11 22H2: Add a brand new DWORD registry worth named 4237806220 with a price information of 1
- Home windows Server 2022: Add a brand new DWORD registry worth named 4137142924 with a price information of 1
Nevertheless, Microsoft wouldn’t share what conflicts may come up from enabling the replace, merely telling BleepingComputer on the time that it will be enabled by default sooner or later.
This uncertainty led to many Home windows admins not deploying the repair out of concern it will trigger issues of their Home windows installations.
As first noticed by Neowin, Microsoft has now enabled the repair for CVE-2023-32019 by default within the August 2023 Patch Tuesday updates.
“The decision described on this article has been launched enabled by default. To use the enabled by default decision, set up the Home windows replace that’s dated on or after August 8, 2023.” explains Microsoft in an replace to its help bulletin.
“No additional person motion is required.”
BleepingComputer has spoken to quite a few Home windows admins about this replace, and none have reported points with this modification enabled.
H/T noelprg4