When even the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is starting to get nervous about your unpatched Windows 10 system, maybe it’s time to make sure you’ve downloaded everything you need from Windows Update.
This time around, the agency is reacting to the emergence of new proof-of-concept attacks related to a vulnerability that was discovered in March—yes, three months ago. The exploit, “SMBGhost,” takes advantage of an issue with Windows’ Server Message Block (SMB) protocol that could give an attacker unrestricted access to run whatever they want on an affected machine. (That includes servers, obviously, but also any unpatched clients connecting to one that has already been hit.)
And that’s not all, as TechCrunch’s Zack Whittaker describes:
“Even though Microsoft published a patch months ago, tens of thousands of internet-facing computers are still vulnerable, prompting the advisory.”
All you have to do to stay safe is make sure you’ve installed the latest updates for Windows 10. That’s it. It’s incredibly easy to do this on your home machines—and, really, they should be updated already if you’ve been using them regularly and have them connected to the internet.
Here’s the quirk, though. If you’re using a version of Windows 10 that’s older than version 1903 (released in May of last year), you’re in the clear. Your operating system doesn’t yet support SMBv3.1.1 compression, which is the source of the bug that’s being exploited by SMBGhost.
So, in some weird way, not updating has kept you safer from this attack than installing a major update and getting lazy about the rest. That’s not a practice you should continue, however. It’s time to update to the latest version of Windows—version 2004, as of when we wrote this article—and make sure you stay on top of your Patch Tuesday updates and any other critical out-of-schedule updates.
But there’s a caveat to that, too. As you no doubt know, Microsoft tends to have some issues with its various Windows 10 updates. So much so that it’s probably not worth your while to install every single update you can get your hands on the minute it’s released. As Woody Leonhard writes for Computerworld:
“...we do occasionally get an emergency patch that needs prompt attention, but they’re exceedingly rare, and always well known – generally within hours of release. We saw that with Eternal Blue, with Sasser, and a few lesser-known security holes. Even in those cases, it took the cretins weeks or months to turn a known vulnerability into a mainstream attack.
“By contrast, every month we see problems with patches. Locked up systems. Missing files. Scrambled applications. Undocumented and unannounced updates. If you aren’t well-acquainted with Windows patching woes – and convinced you really shouldn’t expose your machine to Microsoft patches as soon as they’re available – take a look at three years’ worth of problem reports, filed monthly in my Patch Alert series.”
Were I you—and this is what I do, too—I’d make sure I’m using at least Windows version 1909. I’d then use its ability to pause Windows Updates, found via Settings > Update & Security, to keep my operating system from downloading and installing updates the moment they’re released.
As for how long you should wait before you install one, that’s up to you and the severity of the update in question. If an update is patching a zero-day exploit, you might want to err on the side of installing it sooner; if it’s a gigantic feature update, you can probably wait a week (or two weeks) to make sure that system-breaking bugs haven’t revealed themselves as part of the update’s public launch.
Is this taxing? Yes. Will you forget about it? Sure. Will you remember it when you can’t understand why your system worked well on Tuesday, but is coughing up some terrible glitch on a Wednesday morning? You will now.
This brings us back to SMBGhost. At the very least, make sure you’ve updated Windows 10 with KB4551762 if you’re using version 1903 or later. You can check to see if you already have it by looking up your update history at Settings > Update & Security > View update history. It’s also possible that the update might not appear—as is the case with my system, since I’m running Windows 10 version 2004 now.
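The same check can be scripted in PowerShell; this is an added example, not something from the original article. The build numbers 18362 (version 1903) and 18363 (version 1909) and the patched revision .720 are assumed from Microsoft's KB4551762 release notes, and the function name is hypothetical.

```powershell
# Added example (not from the article). Assumed from Microsoft's KB4551762 notes:
# version 1903 = build 18362, 1909 = build 18363, fixed at revision .720.
function Get-SmbGhostPatchState {    # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$Build,     # e.g. 18363
        [Parameter(Mandatory)][int]$Revision   # update build revision (UBR)
    )
    if ($Build -lt 18362) {
        'NotAffected'      # older than 1903: no SMBv3.1.1 compression
    } elseif ($Build -gt 18363) {
        'NotApplicable'    # newer than 1909: KB4551762 is not offered for it
    } elseif ($Revision -ge 720) {
        'Patched'          # KB4551762 or a later cumulative update is installed
    } else {
        'Vulnerable'       # 1903/1909 below .720: install the update
    }
}

# Local build and revision, the same numbers winver displays.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# The KB can drop out of the installed list once a later cumulative update
# replaces it, so its absence alone does not mean the host is unpatched.
$kb = Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Build        = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    KBListed     = [bool]$kb
    State        = Get-SmbGhostPatchState -Build $cv.CurrentBuild -Revision $cv.UBR
}
```

On version 2004 the state comes back as NotApplicable, which is consistent with the update not appearing in that system's update history.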