Its only for NFS and not NTFS and only in v4 of NFS at that. Most systems will not need any action and those that do are unique enough that they're should be patched regularly in the first place.
They’re probably also important and harder to support: things like central storage servers or other services which support a wide range of clients, careful security mapping rules, etc. This is less than a month old so I would not be surprised if the places affected are carefully testing since almost by definition anyone running it has a complicated environment to support.
Just got some background here, the May 10th update literally broke the ability for many people to logon to a domain. It was extremely broken and businesses that deployed it suffered heavily. The June 14th fix being discussed here in turn broke many backup products in ways people are still trying to understand. Edit: The June 14th update being discussed here also broke Wifi hotspot and RRAS services, the latter being relevant to servers.
So most Windows server admins are quite acceptably delayed in deploying updates. Most standards and policies give an organisation 30 or 60 days to apply a security update outside of a particularly critical issue, and in most cases that's considered appropriate risk management. In this case I don't understand why this is news, there were many CVEs fixed this month but I've generally assessed there are as being very low exposure and no reason to panic. For example, across our whole fleet it took a few minutes to test for the NFS service being installed anywhere and I've found it in zero places.
We don't have the Linux luxury up running an "update Apache" command and getting an update that fixed one CVE, every update is a major cumulative update with its own brokenness and test cycles. Remember at one point Microsoft released an update which broke port binding, and every network service including their own SQL and SMTP servers stopped functioning. That update was rated a critical security fix.
The (edit) July 12th update is the first proper fix for Follina vulnerability, which is now months old. That really should be what people are testing and targetting for rollout.
I wonder who Microsoft sees as Windows customers today.
Not the consumer. There are plenty of anti-consumer features in there. Spontanous reboots for patching, fire risks be damned. Privacy nightmare. Forced microsoft account. DRM.
Not the enterprise. Required manual patch validation. Complexity of upgrade rollouts. Neverending random breakage. Retraining for random vanity UI changes.
All of the above are fixable by listening to the customer and doing the necessary work, and not doing change for the sake of change.
My laptop runs Windows 10 (all my other machines are Debian or Devuan). I have searched, but failed to find any way of preventing this damned OS from downloading and installing updates without asking me. I often get up in the morning to find that all my open windows have been force-closed, because the machine rebooted after an update.
I have no idea what the updates contain; by the time I know about it, it's already installed and running. I don't see much point in reading the release-notes (if I can find them), because they are invariably opaque and full of obfuscation.
And anyway, the updates are unitary; I can't cherry-pick packages or bug-fixes. Win10 is either up-to-date or vulnerable. And "updates" often include new features that I don't want.
I don't know why Windows the OS is so user-unfriendly; possibly because the devs are exclusively focused on enterprise features. I've been using Windows since Win3, but I nowadays find it nigh-impossible to administer my own machine.
I've been thinking of replacing Windows with Devuan on this one hold-out machine for months.
It's user friendly for people that don't know what patches are or why software needs updated. It's frustrating for the people that do and would like control
I remember the Windows XP days where you'd regularly find computers that hadn't successfully updated in months or years and it was a whole day effort to get them patched
Windows 10 Reboot Blocker works ok. It runs as a service and keeps readjusting active hours to prevent reboots
I don’t know anyone who loved it but if you were trying to get Linux desktops or servers allowed in a Windows shop it was often the path of least resistance.
i used it years ago for sharing media files from a windows server to a linux media player. bonus: said windows server also ran software raid-5. it's like i hit the lottery for worst possible solution for all the things.
I used it for years as a backup datastore location for some VM program. It worked well enough. Even had routine nightly shutdown/startup scripts of the VM that mounted it and then the NFS server.
It worked well enough. Would never run that at work or in production though.
I use one. My windows heavy IT team likes to do big storage appliances in windows and serve them to linux vms with nfs. It is horrible and sketchy, and has all kind of weird file caching, permissions, and locking issues. They havent responded positively to my constant dropping of the ceph promo video on them.
Maybe this example was not the best as it is only in Windows for 10 years, NFS however as a component exists since at least NT 4.
Even if this exploit only touches completely new code, my point still stands that windows has multiple layers of archeology which were designed when security was an afterthought.
Some of these are preinstalled with Windows, use networking and run as SYSTEM (WMI, spool) others are used by enough components in windows they will never be removed yet it doesn’t seem they are undergoing any development (COM/OLE)
45 comments
[ 3.3 ms ] story [ 96.3 ms ] thread> This bug was patched by Microsoft in June 2022 ...
So most Windows server admins are quite acceptably delayed in deploying updates. Most standards and policies give an organisation 30 or 60 days to apply a security update outside of a particularly critical issue, and in most cases that's considered appropriate risk management. In this case I don't understand why this is news, there were many CVEs fixed this month but I've generally assessed there are as being very low exposure and no reason to panic. For example, across our whole fleet it took a few minutes to test for the NFS service being installed anywhere and I've found it in zero places.
We don't have the Linux luxury up running an "update Apache" command and getting an update that fixed one CVE, every update is a major cumulative update with its own brokenness and test cycles. Remember at one point Microsoft released an update which broke port binding, and every network service including their own SQL and SMTP servers stopped functioning. That update was rated a critical security fix.
The (edit) July 12th update is the first proper fix for Follina vulnerability, which is now months old. That really should be what people are testing and targetting for rollout.
Not the consumer. There are plenty of anti-consumer features in there. Spontanous reboots for patching, fire risks be damned. Privacy nightmare. Forced microsoft account. DRM.
Not the enterprise. Required manual patch validation. Complexity of upgrade rollouts. Neverending random breakage. Retraining for random vanity UI changes.
All of the above are fixable by listening to the customer and doing the necessary work, and not doing change for the sake of change.
My laptop runs Windows 10 (all my other machines are Debian or Devuan). I have searched, but failed to find any way of preventing this damned OS from downloading and installing updates without asking me. I often get up in the morning to find that all my open windows have been force-closed, because the machine rebooted after an update.
I have no idea what the updates contain; by the time I know about it, it's already installed and running. I don't see much point in reading the release-notes (if I can find them), because they are invariably opaque and full of obfuscation.
And anyway, the updates are unitary; I can't cherry-pick packages or bug-fixes. Win10 is either up-to-date or vulnerable. And "updates" often include new features that I don't want.
I don't know why Windows the OS is so user-unfriendly; possibly because the devs are exclusively focused on enterprise features. I've been using Windows since Win3, but I nowadays find it nigh-impossible to administer my own machine.
I've been thinking of replacing Windows with Devuan on this one hold-out machine for months.
I remember the Windows XP days where you'd regularly find computers that hadn't successfully updated in months or years and it was a whole day effort to get them patched
Windows 10 Reboot Blocker works ok. It runs as a service and keeps readjusting active hours to prevent reboots
They somehow manage to ship catastrophically everything breaking shit extremely regularly.
Presumably almost nobody has NFS enabled on a Windows box?
Though you'll usually see samba/cifs more whenever Windows is involved
It worked well enough. Would never run that at work or in production though.
https://www.youtube.com/watch?v=QBkH1g4DuKE
I use it for ISO storage in vSphere cluster, works fine.
People use it for storing actual VMs, but that requires a working AD/Krb integration between ESXi and AD which I don't use.
Still, have to agree it is the easiest way to file share between them.
For me both of them require arcane commands to use which I need to search each time I need them, but NFS is a bit less arcany for me.
fstab:
//WIN_SHARE_IP/share_name /mnt/win_share cifs credentials=/etc/win-credentials,file_mode=0755,dir_mode=0755 0 0
where a NFS fstab mount is something like this:
10.10.0.10:/backups /var/backups nfs defaults 0 0
Last year, I wrote a blog post about it: https://furbasik.de/nfs-is-the-new-samba
I would not use it in an office though.
If I were a security researcher I would look at anything that came from win 3.11, probably full of holes
But NFS probably isn't the top priority for Microsoft, the implementation of NFS 3 felt sketchy, so in that way it's not overly surprising.
Even if this exploit only touches completely new code, my point still stands that windows has multiple layers of archeology which were designed when security was an afterthought.
Some of these are preinstalled with Windows, use networking and run as SYSTEM (WMI, spool) others are used by enough components in windows they will never be removed yet it doesn’t seem they are undergoing any development (COM/OLE)