{"id":14990,"date":"2025-10-21T12:04:34","date_gmt":"2025-10-21T12:04:34","guid":{"rendered":"https:\/\/newestek.com\/?p=14990"},"modified":"2025-10-21T12:04:34","modified_gmt":"2025-10-21T12:04:34","slug":"security-patch-or-self-inflicted-ddos-microsoft-update-knocks-out-key-enterprise-functions","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14990","title":{"rendered":"Security patch or self-inflicted DDoS? Microsoft update knocks out key enterprise functions"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

An October 2025 Microsoft Windows security update is wreaking havoc on enterprises, impacting multiple systems with bugs ranging from annoying to showstopper.<\/p>\n

The update in KB5066835 was intended to strengthen Windows cryptography, by moving from the older Cryptographic Services Provider (CSP) to the more secure Key Storage Provider (KSP), but users may now be experiencing issues with authentication, websites, updates, and even use of mice and keyboards.<\/p>\n

These and other known issues<\/a> impact Windows versions designated for broad deployment, including Windows 10 (version 22H2), Windows 11 (versions 23H2, 24H2, and 25H2), and Windows Server (2012, 2016, 2022, and 2025 releases).<\/p>\n

\u201cThere are times when cybersecurity improvements in enterprise software result in some business interruption and adjustment until the software is updated and operating across platforms effectively,\u201d noted Jim Routh<\/a>, chief trust officer at Saviynt. \u201cThat is clearly the case here.\u201d<\/p>\n

The October 2025 Windows security update (KB5066835<\/a>) has caused issues with smartcard authentication, in addition to loss of the use of USB mice and keyboards within the Windows Recovery Environment (WinRE); IIS website loading failures; and disrupted updates installed from shared network folders using the Windows update standalone installer (WUSA).<\/p>\n

In addition, last week the security patch was discovered to have disrupted many development environments<\/a> in Windows 11, forcing companies to roll back updates.<\/p>\n

\u201cOverall patch quality coming out of the October updates is abysmal,\u201d said David Shipley<\/a> of Beauceron Security. \u201cBetween nuking localhost, keyboard and mouse issues in recovery mode, this is one of the worst QA\u2019d updates I can think of in years.\u201d<\/p>\n

Difficulty obtaining digital signatures<\/h2>\n

Smart card authentication and certificate issues include smart cards not being recognized as Cryptographic Service Providers (CSPs) in 32-bit applications, users\u2019 inability to digitally sign documents, and failures in apps relying on certificate-based authentication. Resultant error messages have included \u201cinvalid provider type specified\u201d and \u201cCryptAcquireCertificatePrivateKey error.\u201d<\/p>\n

That means, explained Saviynt\u2019s Routh, \u201cusers may experience difficulty getting digital signatures for electronic documents.\u201d<\/p>\n

Microsoft says the issue was the result of a \u201csecurity improvement\u201d meant to enhance cryptography. Users can resolve<\/a> it by modifying the DisableCapiOverrideForRSA registry key, then closing and restarting Windows. However, Microsoft emphasizes that incorrectly editing the registry can cause system issues, so users should always make backups before making any changes.<\/p>\n

Smartcard authentication is typically used in environments where high-assurance authentication is necessary, said Bob Wilson<\/a>, cybersecurity advisor at Info-Tech Research Group, which makes them critical to some functions.<\/p>\n

\u201cOf course, the biggest issues will be around disruption of business processes,\u201d he said. In addition, if the authentication mechanisms are broken, an organization might fall back on weaker authentication practices or less secure workarounds, allowing threat actors to take advantage.<\/p>\n

\u201cIt\u2019s ironic that a patch meant to improve security could potentially weaken the security posture of an organization,\u201d Wilson noted. \u201cThis is a pretty good example of how vendor-driven changes can introduce issues.\u201d<\/p>\n

Malfunctioning devices, failed connections, and installation errors<\/h2>\n

Update KB5066835 can also cause USB devices, including keyboards and mice, to malfunction in WinRE, preventing navigation in recovery mode. However, the keyboard and mouse do continue to work normally within the Windows OS. Microsoft has now released an out-of-band update, KB5070773<\/a>, to address the issue.<\/p>\n

Additionally, the security update may cause issues with incoming connections<\/a> for server-side applications that rely on HTTP.sys. IIS websites may fail to load, with users receiving messages including \u201cERR_CONNECTION_RESET).\u201d This includes websites hosted on http:\/\/localhost\/, and other IIS connections.<\/p>\n

Microsoft advises that the issue can be resolved by searching for and installing updates, then restarting devices whether or not updates were found.<\/p>\n

Furthermore, KB5066835 is causing failures in WUSA, a mechanism for installing updates using the Windows Update Agent API in enterprise environments. Users may receive the error \u201cERROR_BAD_PATHNAME\u201d when interacting with .msu update files when there is more than one .msu file in a shared network folder.<\/p>\n

Users can workaround the issue by saving .msu files locally and installing the update from the local file. If, after restarting Windows, the Update History page in Settings still says a restart is required, then wait 15 minutes for it to refresh. \u201cAfter this short delay, the Settings app should properly indicate if the update installed successfully,\u201d Microsoft said.<\/p>\n

The company said it has mitigated the issue via Known Issue Rollback<\/a>, and a fix will be released in a future Windows update.<\/p>\n

How enterprises should respond<\/h2>\n

Beauceron Security\u2019s Shipley noted that, overall, these flaws will impact \u201ca few significant organizations in a significant way,\u201d particularly those in banking, government, and defense that require a high level of security control.<\/p>\n

In the short term, Info-Tech\u2019s Wilson advised affected organizations to perform the recommended update to the \u201cDisableCapiOverrideForRSA\u201d registry key, changing its value to \u201c0.\u201d They could also put off deploying that particular patch for smartcard authentication.<\/p>\n

\u201cThey\u2019ll need to work with vendors to obtain apps, drivers, and tools that align with changes in how Microsoft is approaching cryptography<\/a>,\u201d said Wilson, emphasizing that this registry key will disappear in April 2026, eliminating the workaround.<\/p>\n

In the long term, he said, organizations can protect themselves from these and similar situations by:<\/p>\n

Establishing processes that test patches and manage changes through a change control process.<\/p>\n

Having multiple paths for authentication, especially for critical and privileged accounts.<\/p>\n

Maintaining contingency plans for critical processes in case authentication systems fail.<\/p>\n

\u201cThe current user challenges will be abated over time as more operating systems are upgraded,\u201d noted Saviynt\u2019s Routh. Ultimately, \u201cthe new technology\/cryptography in the update represents an improvement in the operating system\u2019s security.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

An October 2025 Microsoft Windows security update is wreaking havoc on enterprises, impacting multiple systems with bugs ranging from annoying to showstopper. The update in KB5066835 was intended to strengthen Windows cryptography, by moving from the older Cryptographic Services Provider (CSP) to the more secure Key Storage Provider (KSP), but users may now be experiencing issues with authentication, websites, updates, and even use of mice… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14990","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14990"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14990\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}