
posted by hubie on Friday January 12, @03:15AM
from the massive-dumpster-fire dept.

One of the Windows updates in the current cycle is for KB5034441, which addresses CVE-2024-20666. From what I can tell, exploiting this vulnerability requires physical access, so there's no risk of this being used in remote attacks. The actual risk to most users is probably very low. Still, it allows security features to be bypassed, so it should be fixed.

The problem is that this update is failing for many users with error code 0x80070643. Microsoft claims that this is due to the recovery partition not being large enough on some systems, though the error code is cryptic and unhelpful. Here's what Microsoft said about that:

Known issue: Because of an issue in the error code handling routine, you might receive the following error message instead of the expected error message when there is insufficient disk space:

        0x80070643 - ERROR_INSTALL_FAILURE

Windows isn't even telling users the correct error. Microsoft claims the update is failing on systems where the recovery partition isn't large enough. From my own experience, I have systems where I allowed the Windows installer to partition the drive automatically, meaning that Windows determined the size of the recovery partition. Windows 10 chose a size of 509 MB on my systems, and this doesn't seem to be scaled depending on the size of the user's drive. For most users, this is probably set automatically by the installer or the computer manufacturer. That said, I've read a user comment that the update failed on a system with a 15 GB recovery partition, so I'm not certain that this can really be blamed on insufficient disk space.

Microsoft's advice to users is that they need to manually resize the recovery partition. The commands are not intuitive, and there's absolutely no reason that Microsoft should be expecting ordinary users to be doing this. Resizing partitions is a fairly high-risk operation, one that carries a risk of data loss if not done properly.

This vulnerability probably just isn't a risk at all for most users, but that's not necessarily obvious. They just see the message that a security update failed with a cryptic error message. It's Microsoft's responsibility to ensure that security updates just work when they're being installed on a system in a reasonably standard configuration. If the Windows installer chose a recovery partition of 509 MB, then Microsoft needs to make their updates work with a recovery partition of that size, or they need to automatically resize the partition. This is a dumpster fire, and it's inexcusable for Microsoft to expect users to manually repartition their drives.



Related Stories

Post-2025 Windows 10 Updates for Businesses Start at $61 Per PC, Go Up From There 15 comments

https://arstechnica.com/gadgets/2024/04/post-2025-windows-10-updates-for-businesses-start-at-61-per-pc-go-up-from-there/

For most people, Windows 10 will stop receiving critical security updates on October 14, 2025, roughly a decade after its initial release. For people using computers that can't upgrade to Windows 11 or organizations with dozens or hundreds of PCs to manage, Microsoft is making another three years of Extended Security Updates (ESUs) available, but only if you can pay for them. And the company is ready to start talking about pricing.

In a blog post published earlier this week, Microsoft's Jason Leznek writes that the first year of ESUs will cost $61 per PC for businesses that want to keep their systems updated.

And as with the Windows 7 ESUs a few years ago, Microsoft says that the price will double each year—so the second year of ESUs will cost $122 per PC, and the third year will cost a whopping $244 per device.

[...] Though Windows 11 launched in October of 2021, its adoption has mostly stalled out this year, and Windows 10 remains the most widely used version of Windows by a substantial margin. Statcounter data says that Windows 10 runs on 69 percent of all Windows PCs worldwide and 67 percent of PCs in the US, compared to about 27 and 29 percent for Windows 11 (respectively). The latest Steam Hardware Survey shows Windows 10 running on 54 percent of surveyed gaming PCs, compared to about 42 percent for Windows 11.


This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 0, Insightful) by Frosty Piss on Friday January 12, @03:37AM (12 children)

    by Frosty Piss (4971) on Friday January 12, @03:37AM (#1339990)

    Simply another "Micro$oft Sux" story on the M$ / Apple Hate site. God knows Linux updates and security fixes are flawless magic, and compared to Apple, Google's Android is a security powerhouse because you know Google cares about privacy and has never had a "Walled Garden"... The reality is that there were some bumps in the road for this security patch rollout, but they will undoubtedly be rapidly addressed and corrected.

    • (Score: 3, Interesting) by JoeMerchant on Friday January 12, @04:00AM (8 children)

      by JoeMerchant (3937) on Friday January 12, @04:00AM (#1339993)

      You can make an automatic updater that works on your own desktop pretty easily.

      You can make an automatic updater that works on 100 test systems eventually by learning how to recognize configurations that throw off your script and coding branches to accommodate every available test system. Validate and ship, right?

      Well, if you have more than 100 customers who monkey with the system in creative ways, there is a very good chance that more than one of their ideas may trip you up.

      I just got done automating switching of Ubuntu network configuration between DHCP and one of two fixed IP configurations, network either up or down at the kernel admin setting. That's six states, each able to transition to four other states. But wait, there's more... The network cable can be unplugged, or plugged into a network without or with a DHCP service running on it, so not six states but more like eighteen, with six possible transitions out of each.

      Using nmcli and ip, there are fun wrinkles like needing to erase the fixed IP address configuration on nmcli when turning on DHCP client (auto mode), and if you have a gateway configured you have to erase it before erasing the fixed IP address. There's IP4 and IP6 settings, oh and do you want an option to specify DNS servers with that?

      --
      🌻🌻 [google.com]
      • (Score: 2) by RS3 on Friday January 12, @04:46AM (7 children)

        by RS3 (6367) on Friday January 12, @04:46AM (#1340003)

        Did that include modding the routing table? I assume yes. Always fun stuff, especially when you're remote into the system and you remove your own route. I'm pretty sure I never did that. I've done similar dumb things, but can always remote into another system and remote from there to the target.

        • (Score: 4, Funny) by driverless on Friday January 12, @06:17AM (3 children)

          by driverless (4770) on Friday January 12, @06:17AM (#1340014)

          Did that include modding the routing table?

          Not always necessary, you can get auto-feeders that magnetically attach to the routing table. It's only for table saws that you need to bolt them to the fence.

          • (Score: 3, Funny) by RS3 on Friday January 12, @07:05AM (2 children)

            by RS3 (6367) on Friday January 12, @07:05AM (#1340017)

            I tried that but they wouldn't stick. My routing table is aluminium. I might have to drill and bolt. Wadduhya think about double-sided tape?

            • (Score: 3, Touché) by JoeMerchant on Friday January 12, @01:22PM (1 child)

              by JoeMerchant (3937) on Friday January 12, @01:22PM (#1340036)

              >Wadduhya think about double-sided tape?

              That sounds like Redmond thinking to me.

              --
              🌻🌻 [google.com]
              • (Score: 3, Insightful) by driverless on Saturday January 13, @11:54PM

                by driverless (4770) on Saturday January 13, @11:54PM (#1340185)

                Wadduhya think about double-sided tape?

                That sounds like Redmond thinking to me.

                Naah, they'd ship with single-sided tape, then about a week later put out a statement saying they've received reports that some auto-feeders may become detached during operation and they're investigating.

        • (Score: 2) by JoeMerchant on Friday January 12, @10:37AM (2 children)

          by JoeMerchant (3937) on Friday January 12, @10:37AM (#1340030)

          I was able to go ufw in this case, so there is a ufw -- reset followed by about 8 more commands, and as we add services that need to have openings that will only grow longer.

          --
          🌻🌻 [google.com]
          • (Score: 2) by RS3 on Friday January 12, @02:42PM (1 child)

            by RS3 (6367) on Friday January 12, @02:42PM (#1340038)

            Oh cool, I haven't used ufw, haven't needed to, but thanks, it looks good.

            • (Score: 2) by JoeMerchant on Friday January 12, @02:54PM

              by JoeMerchant (3937) on Friday January 12, @02:54PM (#1340039)

              Calling ufw uncomplicated is a stretch, but it is easier to use (harder to do nonsensical things) than straight up routing table manipulation.

              --
              🌻🌻 [google.com]
    • (Score: 5, Informative) by darkpixel on Friday January 12, @04:01PM (2 children)

      by darkpixel (4281) on Friday January 12, @04:01PM (#1340042)

      God knows Linux updates and security fixes are flawless magic

      Yeah, they pretty much are.

      In addition to the 5-or-so computers in my house, I manage several thousand Linux servers and several hundred Linux firewalls. All Debian based.

      I had *one* update around 2003 that gorked the graphics driver on some shit Dell corporate laptop I had at the time. Other than that, it's been nearly two decades since a Linux update broke anything I manage.

      On the other hand, I also manage several thousand Windows machines. A mix of about 80% workstations and 20% Windows Server. Shit breaks monthly.

      So yeah, I agree. Linux updates and security fixes are nearly flawless magic.

      • (Score: 2) by Reziac on Saturday January 13, @03:10AM (1 child)

        by Reziac (2489) on Saturday January 13, @03:10AM (#1340107) Homepage

        Just to be a contrary example... I had a Neon update bork itself just a few months ago... installed, ran fine, let the updater run in whatever default mode it comes with, and after that it wouldn't boot.

        Um. Well, on to the next distro in my annual trawl...

        --
        And there is no Alkibiades to come back and save us from ourselves.
        • (Score: 0) by Anonymous Coward on Sunday January 14, @06:05PM

          by Anonymous Coward on Sunday January 14, @06:05PM (#1340299)

          I had a Neon update bork itself just a few months ago

          Heh...not all open source software is spectacular. KDE is terrible.

  • (Score: 5, Informative) by Runaway1956 on Friday January 12, @03:45AM

    by Runaway1956 (2926) Subscriber Badge on Friday January 12, @03:45AM (#1339991) Journal

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666 [microsoft.com]

    FAQ

    What kind of security feature could be bypassed by successfully exploiting this vulnerability?

    A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

    Are there additional steps that I need to take to be protected from this vulnerability?

    Depending on the version of Windows you are running, you may need to take additional steps to update Windows Recovery Environment (WinRE) to be protected from this vulnerability.

    For the latest versions of Windows, the process of updating WinRE is now fully automated. The following versions of Windows require no additional steps, as WinRE will be updated as a part of the Latest Cumulative Update if you are getting updates from Windows Update and WSUS:

            Windows 11 Version 23H2 for x64-based Systems
            Windows 11 Version 23H2 for ARM64-based Systems
            Windows 11 Version 22H2 for x64-based Systems
            Windows 11 Version 22H2 for ARM64-based Systems

    For the following Windows versions an automated solution is available. For devices using Windows Update no further action is needed.

            Windows Server 2022 (Server Core installation) (Link to KB article)
            Windows Server 2022 (Link to KB article)
            Windows Server 2022, 23H2 Edition (Server Core installation) (Link to KB article)
            Windows 10 Version 22H2 for x64-based Systems (Link to KB article)
            Windows 10 Version 22H2 for 32-bit Systems (Link to KB article)
            Windows 10 Version 21H2 for x64-based Systems (Link to KB article)
            Windows 10 Version 21H2 for 32-bit Systems (Link to KB article)
            Windows 11 version 21H2 for x64-based Systems (Link to KB article)

    The vulnerability affects all current versions of Windows, but it's not clear that the update affects them all.

  • (Score: 1, Troll) by bzipitidoo on Friday January 12, @03:58AM (4 children)

    by bzipitidoo (4388) on Friday January 12, @03:58AM (#1339992) Journal

    MS update failures are too often blamed on a lack of storage space. Seems to be the default advice on the web when an update fails. The recovery partition isn't big enough. Or the boot partition isn't big enough. Whatever.

    They lie. For the heck of it, on a machine where the update process for the latest update reached 99% before failing, I tried enlarging these partitions. The update still fails at 99%.

    Anyone who updates Windows knows how incredibly irritating that is. Because even when it is working correctly, the Windows update process is godawful slow. Naturally, MS doesn't feel they need to admit their update process is slow, let alone explain why. To get to 99%, and then have it announce that it failed and is undoing the changes, arrgh.

    • (Score: 4, Informative) by krishnoid on Friday January 12, @04:51AM (1 child)

      by krishnoid (1156) on Friday January 12, @04:51AM (#1340004)

      I'll take this opportunity to provide a link on how to delay updates by a month [pcmag.com], until you are ready to run the update manually and reboot the system yourself.

      • (Score: 5, Informative) by driverless on Friday January 12, @06:21AM

        by driverless (4770) on Friday January 12, @06:21AM (#1340015)

        You can do even better than that: run gpedit.msc, select Computer Configuration\Administrative Templates\Windows Components\Windows Update, click "Configure Automatic Updates", Enable, then select the value in Options, 2 = Notify for download and install. This gives you control over when Microsoft's latest bugload gets dumped on your system.

        I usually wait 1-2 weeks after everyone else gets hit to see how bad the damage will be.
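        The gpedit path above writes a policy key that can be set and, more usefully, audited from a script, so a later policy refresh or another tool silently changing it gets noticed. This is an added example and not driverless's text; it assumes a machine that is not domain-joined (a domain GPO would overwrite these values at the next refresh) and an elevated PowerShell session for the HKLM write.

```powershell
# Added example: the registry policy behind "Configure Automatic Updates -> Enabled, option 2",
# applied and then read back. Assumptions: non-domain-joined machine, elevated session.

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meanings of the AUOptions value as listed in the gpedit dropdown.
$AuOptionNames = @{
    2 = 'Notify for download and install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Set-AutoUpdateNotifyOnly {
    # Equivalent of Enabled + option 2 in the policy editor (requires HKLM write access).
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'AUOptions'    -Value 2 -Type DWord
}

function Get-AutoUpdatePolicy {
    # Reports the effective policy; no key at all means Windows Update decides on its own.
    if (-not (Test-Path $AuKey)) { return 'No policy configured (automatic updates unrestricted)' }
    $p = Get-ItemProperty -Path $AuKey
    if ($p.NoAutoUpdate -eq 1) { return 'Automatic updates disabled by policy' }
    $opt  = [int]$p.AUOptions
    $name = if ($AuOptionNames.ContainsKey($opt)) { $AuOptionNames[$opt] } else { 'unknown value' }
    return "AUOptions=$opt ($name)"
}

Set-AutoUpdateNotifyOnly
Get-AutoUpdatePolicy
```

        Running `Get-AutoUpdatePolicy` on its own is the useful part for ongoing checks: it tells you whether the notify-only setting is still in force without opening gpedit.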

    • (Score: 2) by RS3 on Friday January 12, @04:52AM

      by RS3 (6367) on Friday January 12, @04:52AM (#1340005)

      I've had more problems with mysterious permissions problems. Often the update is trying to update a file that it can't get control of. A couple of times I had to shut down, mount the disc as slave in another system, manually copy in the updated files. Fairly often with Windows I get incorrect errors. Sometimes when trying to delete a folder and it gives some kind of permission error, or incorrectly says a file is in use (when it is not). Go in and delete the files, then back up one directory level and you can delete the folder. A few times I've had to resort to using "icacls". That's so much fun.

    • (Score: 2) by looorg on Friday January 12, @02:31PM

      by looorg (578) on Friday January 12, @02:31PM (#1340037)

      That said, perhaps the fault is with the installer: shouldn't it check for the space needed before it starts to unpack and try to install/copy the update, only to later find out that, whoopsie, it's out of storage? Not that they are the only ones that fall victim to this when it comes to installing things. It's apparently hard to check first, install later.

  • (Score: 4, Touché) by jb on Friday January 12, @04:39AM (2 children)

    by jb (338) on Friday January 12, @04:39AM (#1340001)

    Repartitioning the disc is indeed the first step to fixing the problem: just delete all the existing partitions, then install a sane operating system instead. Problem solved.

    • (Score: 0) by Anonymous Coward on Friday January 12, @04:55AM (1 child)

      by Anonymous Coward on Friday January 12, @04:55AM (#1340007)

      Yes, absolutely, turn it into a Hackintosh [wikipedia.org]. Problem solved. :)

      • (Score: 3, Touché) by Gaaark on Friday January 12, @06:38PM

        by Gaaark (41) on Friday January 12, @06:38PM (#1340060) Journal

        Enjoy the view of the wall in your garden.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by RS3 on Friday January 12, @05:02AM (2 children)

    by RS3 (6367) on Friday January 12, @05:02AM (#1340008)

    This problem isn't affecting me as I'm not actively running Win10. MS's instructions for resizing might not need to be done in the CLI. In Windows Disk Management you can resize partitions via the GUI. You might have to shrink C: first. You might have to enable "dynamic disk", and I'm not sure what the pros and cons are of that. Anyone know if this would work?

    • (Score: 4, Funny) by Barenflimski on Friday January 12, @05:52AM (1 child)

      by Barenflimski (6836) on Friday January 12, @05:52AM (#1340012)

      I'll let you know what grandma says after she tries that.

      • (Score: 2) by RS3 on Friday January 12, @07:08AM

        by RS3 (6367) on Friday January 12, @07:08AM (#1340018)

        Okay, but no fair helping her!

  • (Score: 5, Funny) by driverless on Friday January 12, @06:04AM (1 child)

    by driverless (4770) on Friday January 12, @06:04AM (#1340013)

    That's the description for pretty much every Microsoft error code ever, you get an 0x80..... error that tells you absolutely nothing, and then have to find another machine that hasn't crashed with an incomprehensible error message to Google whatever the 0x80..... may mean.

    At which point you get dozens of hits to posts from other people who have encountered the same error and also have no idea what it means.

    To their credit, in more recent versions of Windows Microsoft have made the errors more user-friendly by displaying "Something went wrong" alongside the error code, because without that you'd never suspect that your entire screen turning blue and the machine locking up meant that something had gone wrong.

  • (Score: 4, Informative) by RamiK on Friday January 12, @06:55PM

    by RamiK (1813) on Friday January 12, @06:55PM (#1340062)

    The "manually resize the recovery partition [microsoft.com]" instructions are broken:

    1. Running "ReAgentC /Enable" (step 8) on the newly made partition will fail since you didn't copy winre.wim into the new partition before deleting the old partition in step 4.h. Worse, the error won't explain the issue properly, so only people who understand what ReAgentC actually does will be able to spot the issue. Most will simply be left with a cryptic error message and no recovery partition.
    2. Say that your google-fu is strong and you somehow figured out the issue and that you can copy winre.wim from the system's backup using something like "RoboCopy.exe C:\Windows\System32\Recovery\ Q:\Recovery\WindowsRE\ Winre.wim /copyall /dcopy:t /move". Well, minor caveat: Some vendors, of laptops in particular, add storage drivers into winre.wim to access storage that is required for, well, recovery. And while it makes perfect sense for Microsoft to keep the two copies up-to-date, those bi-annual updates sometimes (but not always) overwrite it. It's why Dell has this up: https://www.dell.com/community/en/conversations/image-assist/windows-10-recovery-system-reset-failed-workaround-add-most-recent-drivers-to-winre/647f94b8f4ccf8a8de714ec7 [dell.com]
    3. The docs don't address the typical Windows 10 partition scheme that puts the recovery partition before the system partition and sometimes before the EFI partition, e.g. my mom's old laptop:
       ~500 MB Recovery partition.
       ~100 MB EFI partition.
       ~250 GB System partition.
    So, with such a scheme, shrinking the system partition will achieve nothing. In fact, following the instructions will create an even smaller (250 MB) new recovery partition at the end of the drive that won't have winre.wim and that, even if it is copied into it, will not have enough room for the update to be applied. And, of course, none of the vendor drivers...

    The correct solution, in case you're wondering, is to shrink a GB off the system partition, format it as a recovery partition, assign it and the old recovery partition drive letters, robocopy the old recovery partition into the new recovery partition, unmount the drive letters, delete the old recovery partition and, finally, run "ReAgentC.exe /Enable".
    This *should* work unless the vendor did some REALLY crazy shit with winre.wim (some vendors stick GBs worth of crapware into their winre.wim...). Of course, you're also left with ~500MB of unallocated space in the top of the drive... But whatever.

    --
    compiling...
  • (Score: 2, Informative) by Anonymous Coward on Friday January 12, @10:00PM

    by Anonymous Coward on Friday January 12, @10:00PM (#1340082)

    I have data on this one.

    This is part of the continuing saga of trying to fix the BlackLotus Secure Boot bypass. That exploit works by replacing the standard Windows bootloader with a vulnerable one from before 2021. The fix for that is technically easy. Blacklist all the vulnerable bootloader signatures and the trick doesn't work anymore. The problem with that approach is it means you can't Secure Boot from any old bootloader, so you have to update them all, including in WinRE, ISOs, PXE boot loaders, recovery disks, USB sticks, etc.

    This month MS shipped updates for Win10 21H2, 22H2, Win11, and Server 2022 to automagically update the Windows Recovery (WinRE) images. Unfortunately, if you've deleted the WinRE partition, it fails. If the WinRE partition is smaller than ~260 MB, it also fails, but almost every customer I've talked to hitting the bug has removed the WinRE partition.

    On the plus side, if you haven't seen the issue, you're not likely to see it. The update was only distributed through Windows Update so systems with WSUS or SCCM patching aren't impacted. They've throttled the update now so no-one should be automatically offered the buggy patch, and I expect they'll ship a smarter fix next month.

    Don't delete your WinRE partitions.
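    Before letting KB5034441 run, an administrator would want to know the three things raised in this thread: whether a WinRE partition is registered at all (the deleted-partition case above), whether it is under the ~260 MB figure quoted above, and whether it sits before the OS partition on disk, in which case shrinking C: cannot grow it in place (RamiK's point). The following is an added example, not the article's or any commenter's code. It assumes an elevated PowerShell on Windows 10/11 with the Storage module and reagentc.exe available, and it treats 260 MB as the threshold quoted in this thread rather than a Microsoft-documented minimum.

```powershell
# Added example: audit WinRE state before applying KB5034441. Read-only; changes nothing.
# Assumptions: elevated session, reagentc.exe present, Storage module cmdlets available.
# The 260 MB minimum is the figure quoted in the comments, not a documented value.

$MinWinReMB   = 260
$RecoveryGuid = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # GPT "Windows Recovery" partition type
$StagedWim    = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'

function Get-WinReLocation {
    # Parses 'reagentc /info', whose output contains lines such as
    #   Windows RE status:   Enabled
    #   Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    $text   = (& reagentc.exe /info 2>&1) | Out-String
    $status = if ($text -match 'Windows RE status:\s+(\w+)') { $Matches[1] } else { 'Unknown' }
    if ($text -match 'harddisk(\d+)\\partition(\d+)') {
        return [pscustomobject]@{ Status = $status; Disk = [int]$Matches[1]; Partition = [int]$Matches[2] }
    }
    return [pscustomobject]@{ Status = $status; Disk = $null; Partition = $null }
}

function Test-WinReReady {
    $loc = Get-WinReLocation
    Write-Host "WinRE status: $($loc.Status)"

    if ($null -eq $loc.Partition) {
        # The case the AC describes: no recovery partition registered at all.
        Write-Warning 'reagentc reports no WinRE location; the recovery partition may have been deleted.'
        Write-Host   "Staged image present at ${StagedWim}: $(Test-Path $StagedWim)"
        return $false
    }

    # Partition layout of the disk holding WinRE, in on-disk order (not partition-number order).
    $parts = Get-Partition -DiskNumber $loc.Disk | Sort-Object Offset
    foreach ($p in $parts) {
        if ($p.GptType -eq $RecoveryGuid) { $kind = 'Recovery' }
        elseif ($p.IsSystem)              { $kind = 'EFI/System' }
        else                              { $kind = [string]$p.Type }
        Write-Host ('{0,3}  {1,10:N0} MB  {2,-12} {3}' -f $p.PartitionNumber, ($p.Size / 1MB), $kind, $p.DriveLetter)
    }

    $winre  = $parts | Where-Object { $_.PartitionNumber -eq $loc.Partition }
    $sizeMB = [math]::Round($winre.Size / 1MB)
    $freeMB = $null
    try { $freeMB = [math]::Round(($winre | Get-Volume -ErrorAction Stop).SizeRemaining / 1MB) } catch { }
    Write-Host "WinRE partition #$($loc.Partition): $sizeMB MB total, $freeMB MB free"

    $ok = $true
    if ($sizeMB -lt $MinWinReMB) {
        Write-Warning "Recovery partition is under $MinWinReMB MB; expect the update to fail with 0x80070643."
        $ok = $false
    }

    # RamiK's point: if the recovery partition sits *before* the OS partition, shrinking the
    # system volume frees space at the wrong end of the disk and cannot grow WinRE in place.
    $sysLetter = $env:SystemDrive.TrimEnd(':')
    $os = $parts | Where-Object { [string]$_.DriveLetter -eq $sysLetter }
    if ($os -and $winre.Offset -lt $os.Offset) {
        Write-Warning "Recovery partition precedes $($env:SystemDrive); shrinking it will not help. A new partition after it is needed."
        $ok = $false
    }
    return $ok
}

Test-WinReReady
```

    `Test-WinReReady` returns `$true` only when a recovery partition is registered, meets the size figure, and lies after the OS partition; anything else is reported as a warning so the decision to repartition (or to hold the update back) is made before the installer fails with the misleading 0x80070643.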

  • (Score: 3, Insightful) by Beryllium Sphere (r) on Saturday January 13, @09:57AM (1 child)

    by Beryllium Sphere (r) (5062) on Saturday January 13, @09:57AM (#1340124)

    This will save time and pain at every stage of the product lifecycle.

    When you're just starting, a good error report can save the time a debugger session would take.

    When the software is in production, and you can't even run a debugger on a user's machine, things go faster for everyone if the problem is already described.
