Security patch or self-inflicted DDoS? Microsoft update knocks out key enterprise functions

23/10 02:15

An October 2025 Microsoft Windows security update is wreaking havoc on enterprises, impacting multiple systems with bugs ranging from annoying to showstopper.

The update in KB5066835 was intended to strengthen Windows cryptography, by moving from the older Cryptographic Services Provider (CSP) to the more secure Key Storage Provider (KSP), but users may now be experiencing issues with authentication, websites, updates, and even use of mice and keyboards.

These and other known issues impact Windows versions designated for broad deployment, including Windows 10 (version 22H2), Windows 11 (versions 23H2, 24H2, and 25H2), and Windows Server (2012, 2016, 2022, and 2025 releases).

“There are times when cybersecurity improvements in enterprise software result in some business interruption and adjustment until the software is updated and operating across platforms effectively,” noted Jim Routh, chief trust officer at Saviynt. “That is clearly the case here.”

The October 2025 Windows security update (KB5066835) has caused issues with smartcard authentication, in addition to loss of the use of USB mice and keyboards within the Windows Recovery Environment (WinRE); IIS website loading failures; and disrupted updates installed from shared network folders using the Windows update standalone installer (WUSA).

In addition, last week the security patch was discovered to have disrupted many development environments in Windows 11, forcing companies to roll back updates.

“Overall patch quality coming out of the October updates is abysmal,” said David Shipley of Beauceron Security. “Between nuking localhost, keyboard and mouse issues in recovery mode, this is one of the worst QA’d updates I can think of in years.”

Difficulty obtaining digital signatures

Smart card authentication and certificate issues include smart cards not being recognized as Cryptographic Service Providers (CSPs) in 32-bit applications, users’ inability to digitally sign documents, and failures in apps relying on certificate-based authentication. Resultant error messages have included “invalid provider type specified” and “CryptAcquireCertificatePrivateKey error.”

That means, explained Saviynt’s Routh, “users may experience difficulty getting digital signatures for electronic documents.”

Microsoft says the issue was the result of a “security improvement” meant to enhance cryptography. Users can resolve it by modifying the DisableCapiOverrideForRSA registry key, then closing and restarting Windows. However, Microsoft emphasizes that incorrectly editing the registry can cause system issues, so users should always make backups before making any changes.

Smartcard authentication is typically used in environments where high-assurance authentication is necessary, said Bob Wilson, cybersecurity advisor at Info-Tech Research Group, which makes them critical to some functions.

“Of course, the biggest issues will be around disruption of business processes,” he said.

In addition, if the authentication mechanisms are broken, an organization might fall back on weaker authentication practices or less secure workarounds, allowing threat actors to take advantage.

“It’s ironic that a patch meant to improve security could potentially weaken the security posture of an organization,” Wilson noted. “This is a pretty good example of how vendor-driven changes can introduce issues.”

Malfunctioning devices, failed connections, and installation errors

Update KB5066835 can also cause USB devices, including keyboards and mice, to malfunction in WinRE, preventing navigation in recovery mode. However, the keyboard and mouse do continue to work normally within the Windows OS. Microsoft has now released an out-of-band update, KB5070773, to address the issue.

Additionally, the security update may cause issues with incoming connections for server-side applications that rely on HTTP.sys. IIS websites may fail to load, with users receiving messages including “ERR_CONNECTION_RESET.” This includes websites hosted on http://localhost/, and other IIS connections.

Microsoft advises that the issue can be resolved by searching for and installing updates, then restarting devices whether or not updates were found.

Furthermore, KB5066835 is causing failures in WUSA, a mechanism for installing updates using the Windows Update Agent API in enterprise environments. Users may receive the error “ERROR_BAD_PATHNAME” when interacting with .msu update files when there is more than one .msu file in a shared network folder.

Users can work around the issue by saving .msu files locally and installing the update from the local file. If, after restarting Windows, the Update History page in Settings still says a restart is required, then wait 15 minutes for it to refresh.

“After this short delay, the Settings app should properly indicate if the update installed successfully,” Microsoft said. The company said it has mitigated the issue via Known Issue Rollback, and a fix will be released in a future Windows update.

How enterprises should respond

Beauceron Security’s Shipley noted that, overall, these flaws will impact “a few significant organizations in a significant way,” particularly those in banking, government, and defense that require a high level of security control.

In the short term, Info-Tech’s Wilson advised affected organizations to perform the recommended update to the “DisableCapiOverrideForRSA” registry key, changing its value to “0.” They could also put off deploying that particular patch for smartcard authentication.

“They’ll need to work with vendors to obtain apps, drivers, and tools that align with changes in how Microsoft is approaching cryptography,” said Wilson, emphasizing that this registry key will disappear in April 2026, eliminating the workaround.

In the long term, he said, organizations can protect themselves from these and similar situations by:

Establishing processes that test patches and manage changes through a change control process.

Having multiple paths for authentication, especially for critical and privileged accounts.

Maintaining contingency plans for critical processes in case authentication systems fail.

“The current user challenges will be abated over time as more operating systems are upgraded,” noted Saviynt’s Routh. Ultimately, “the new technology/cryptography in the update represents an improvement in the operating system’s security.” ...


 
 
