A warning from Microsoft that a Windows patch issued last week may cause the Message Queuing (MSMQ) function in the operating system to malfunction could be behind multiple reports of internet of things (IoT) applications failing.

David Shipley, head of Canadian security awareness training provider Beauceron Security, says he saw a query on a Microsoft learning forum today asking if the MSMQ problem is behind the failure of a firm’s point of sale system to issue sales receipts.

Another person posted a query on a different Microsoft forum about a building in an unnamed city being without its fire alarm or smoke detector systems.

A link between these posts and the December 16 security update from Microsoft on the MSMQ issue couldn’t be confirmed. But Shipley said it is odd that Microsoft’s initial advice says that a workaround is available, but instead of detailing it, it urges admins to contact Microsoft Support For Businesses.

“The scariest words when it comes to a serious bug in Windows you’re trying to fix, that’s crashing your applications, is, ‘Call us,’” he said.

MSMQ is a protocol for secure messaging between applications, Shipley noted, so if there is a problem, “it’s going to break stuff.”

The Microsoft post says that individuals using Windows Home or Pro editions on personal devices are “very unlikely to experience this issue. This issue primarily affects enterprise or managed IT environments,” including those running clustered MSMQ environments under load.

Symptoms include:

  • MSMQ becoming inactive;
  • Internet Information Services (IIS) sites failing with “Insufficient resources to perform operation” errors;
  • applications unable to write to queues;
  • errors such as “The message file ‘C:\Windows\System32\msmq\storage\*.mq’ cannot be created” when creating message files;
  • misleading log entries such as “There is insufficient disk space or memory”, despite sufficient disk space and memory being available.

Affected are servers running Windows Server 2019 and 2016, Windows Server 2012 R2 and Windows Server 2012.

Also affected are PCs running Windows 10 version 22H2, Windows 10 version 21H2, Windows 10 version 1809, and Windows 10 version 1607. Support for Windows 10 ended October 14, so the issue should only affect these systems if admins have paid for extended support and received the December update.

This issue is caused by a December Patch Tuesday security update (KB5071546) that introduced changes to the MSMQ security model and NTFS permissions on the C:\Windows\System32\MSMQ\storage folder. MSMQ users now require write access to this folder, which is normally restricted to administrators, says Microsoft. As a result, attempts to send messages via MSMQ APIs might fail with resource errors.

“A workaround is available for affected devices,” says the Microsoft update. “To apply the workaround and mitigate this issue in your organization, please contact Microsoft Support for business. We are investigating this issue and will provide more information when it is available.” 

Jack Bicer, director of vulnerability research at Action1, suggested as a temporary workaround for MSMQ failures that Windows admins grant write access to the MSMQ directory C:\Windows\System32\msmq. Once Microsoft provides the official update, revert the directory permissions to their original state and deploy the fix, he said.

Danny Nguyen of Wicloud suggested on a Microsoft Learn forum that admins could either roll back the December security update (KB5071546) or adjust the permissions, as Bicer suggests. However, Nguyen urged admins to consult with their security team before making system-level permission changes.
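For admins weighing those options, the following PowerShell sketch is an added example, not code from Microsoft, Action1 or the article: it reports whether a host matches the described conditions and saves the storage folder's current DACL so that any later permission change can be reverted exactly. The backup file location, the seven-day log window and the script's parameter names are assumptions, and it must be run from an elevated session before any permissions are altered.

```powershell
# Added example: audit a host for the MSMQ issue described above.
# Read-only apart from writing the snapshot file, unless -Restore is given.
param(
    [string]$StoragePath = "$env:windir\System32\msmq\storage",       # folder named in the article
    [string]$BackupFile  = "$env:ProgramData\msmq-storage-acl.sddl",  # assumed backup location
    [switch]$Restore                                                  # put the saved DACL back
)
$sections = [System.Security.AccessControl.AccessControlSections]::Access

if ($Restore) {
    # Revert only the DACL to the snapshot taken before any permission change.
    $acl = Get-Acl -Path $StoragePath
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $BackupFile -Raw).Trim(), $sections)
    Set-Acl -Path $StoragePath -AclObject $acl
    return
}

# 1. Is the December update named in the article installed?
$kb = Get-HotFix -Id 'KB5071546' -ErrorAction SilentlyContinue

# 2. Snapshot the current DACL once, so a temporary workaround can be undone exactly.
$acl = Get-Acl -Path $StoragePath
if (-not (Test-Path -Path $BackupFile)) {
    Set-Content -Path $BackupFile -Value $acl.GetSecurityDescriptorSddlForm($sections)
}

# 3. Which identities may create files in the folder?
#    0x2 = CreateFiles/WriteData; 0x40000000 and 0x10000000 = generic write / generic all.
$mask = 0x2 -bor 0x40000000 -bor 0x10000000
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $mask) -ne 0)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# 4. Recent Application-log errors and warnings carrying the symptom text quoted above.
$pattern = 'Insufficient resources to perform operation|insufficient disk space or memory|\.mq.*cannot be created'
$filter  = @{ LogName = 'Application'; Level = 2, 3; StartTime = (Get-Date).AddDays(-7) }
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

[pscustomobject]@{
    KB5071546Installed  = [bool]$kb
    MsmqServiceStatus   = (Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue).Status
    IdentitiesWithWrite = $writers -join '; '
    SymptomEvents       = @($events).Count
    AclSnapshot         = $BackupFile
}
```

Running the script again with `-Restore` after the official fix is deployed puts the saved DACL back on the storage folder.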

A Microsoft spokesperson was asked for comment, but no response was received by press time.

This isn’t the first MSMQ problem in recent memory; last year Microsoft discovered a remote code execution vulnerability (CVE-2024-30008) that carried a criticality rating of 9.8. 

In this case, however, said Robert Beggs, head of Canadian incident response firm DigitalDefence, although the cause of the issue is a security patch, the impact and workaround are not strictly security issues. Therefore, he believes the fix is a workaround that does not involve security and security support, but regular support for a Windows system. 

As for the company’s reason for asking admins to contact Microsoft Support for Business for the workaround, he suggested that Microsoft may want to spread the workload to ensure that security support is not overworked.

More broadly, warned Shipley, any update that leads to a business application failure is the kind of issue that turns admins off patching. December is the biggest month of the year for retail, and not the time for POS machines to go down because of the installation of a new patch.

This article originally appeared on Computerworld.
