Zero-Day Emergency Security Patching for Fully-Managed Windows servers, 2016 and up - 21:00 MST, January 14, 2020

Update :
All fully managed VPS/Dedicated Server with Windows 2016 and above OS have been patched and rebooted. All Unmanaged VPS/Dedicated server can contact our support desk for any assistance that they may require in installing the patch.

=======================================

Purpose of Work:
A spoofing vulnerability (CVE-2020-0601) affecting the Cryptography API in servers running Windows Server 2016 / Windows 10 or newer has been discovered. Said exploit allows attackers to spoof valid code-signing of arbitrary executables, allowing any malware to evade detection by typical means and bypass built-in protections by masquerading as legitimate programs, and allowing attackers to MITM encrypted connections far more easily by impersonating legitimate services.

Due to the ability of this vulnerability to subvert trusted services and exacerbate any future RCE vulnerabilities immensely, we will be patching and rebooting all affected, fully-managed hosts overnight.

Standalone hypervisors would be a general exception to this, and customer-owned Windows HVs that host unmanaged VMs should have their maintenance scheduled with us, separately.

Customers with their own update infrastructure will also be scheduled separately.


You can read more about the exploit (and patches mitigating it), here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

The NSA has made a post here regarding this exploit: https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/


We will update you as maintenance begins.

Impact of Work:
All affected hosts will be rebooted automatically / ASAP to propagate fixes, starting at 9PM MDT on Tuesday the 14th.

Internal systems on windows 2016 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.

Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.

Any hosts not on our fully-managed list will not be impacted during this process. Administrator for Unmanaged server can install the update from the above URL.

Please contact us with any questions / comments / concerns.