Microsoft Distributes Broken Security Update, Tells Users to Manually Repartition Their Drives
An Anonymous Coward writes:
One of the Windows updates in the current cycle is for KB5034441, which addresses CVE-2024-20666. From what I can tell, exploiting this vulnerability requires physical access, so there's no risk of this being used in remote attacks. The actual risk to most users is probably very low. Still, it allows security features to be bypassed, so it should be fixed.
The problem is that this update is failing for many users with error code 0x80070643. Microsoft claims that this is due to the recovery partition not being large enough on some systems, though the error code is cryptic and unhelpful. Here's what Microsoft said about that:
Known issue Because of an issue in the error code handling routine, you might receive the following error message instead of the expected error message when there is insufficient disk space:
0x80070643 - ERROR_INSTALL_FAILURE
Windows isn't even telling users the correct error. Microsoft claims the update is failing on systems where the recovery partition isn't large enough. From my own experience, I have systems where I allowed the Windows installer to partition the drive automatically, meaning that Windows determined the size of the recovery partition. Windows 10 chose a size of 509 MB on my systems, and this doesn't seem to be scaled depending on the size of the user's drive. For most users, this is probably set automatically by the installer or the computer manufacturer. That said, I've read a user comment that the update failed on a system with a 15 GB recovery partition, so I'm not certain that this can really be blamed on insufficient disk space.
Microsoft's advice to users is that they need to manually resize the recovery partition. The commands are not intuitive, and there's absolutely no reason that Microsoft should be expecting ordinary users to be doing this. Resizing partitions is a fairly high risk operation, one that carries a risk of data loss if not done properly.
This vulnerability probably just isn't a risk at all for most users, but that's not necessarily obvious. They just see the message that a security update failed with a cryptic error message. It's Microsoft's responsibility to ensure that security updates just work when they're being installed on a system in a reasonably standard configuration. If the Windows installer chose a recovery partition of 509 MB, then Microsoft needs to make their updates work with a recovery partition of that size, or they need to automatically resize the partition. This is a dumpster fire, and it's inexcusable to expect Microsoft to expect users to manually repartition their drives.
Read more of this story at SoylentNews.