Skip to main content

Epic fail: Critical Windows 10 security update failing to install

(Image credit: Shutterstock)

When the NSA issues a warning that you should update Windows, you should heed that warning. And yet a critical Windows 10 update is failing to install for some users.

According to the Windows Latest blog and complaints on Reddit, the important Windows 10 security update is causing installation problems for users whose machines run the May 2019 (1903) and November 2019 (1909) builds.

Instead, users are saying that they are being greeted with error messages. These are just some of them:

“We could not complete the install because an update service was shutting down.”

And…

“There were problems installing some updates, but we’ll try again later. 2020-01 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4528760) – Error 0x800f0988. Troubleshooter, sfc, dism don’t fix error.”

What to do now

The good news is that if you get an update error, you can install the Windows 10 cumulative update manually. 

1. Go to the Microsoft Update Catalog website.

2. Enter “KB4528760” into the search bar.

3. Click ‘Download’ next to the update version that’s compatible with your PC. (If you're not sure about your Windows build or system chipset, right-click the Windows icon at the bottom left of your screen, then select Settings --> System --> About.)

How bad is this bug?

Along with about 50 other security issues, the January 2020 cumulative update patches a very severe cryptographic flaw that lies "in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," Microsoft wrote in its advisory. 

According to our earlier reporting, a hacker could get you to download and install malware that pretended to be something benign, such as a software update, or perfectly mimic an otherwise secure website. Microsoft and even the best antivirus software would be none the wiser due to the spoofed digital signature.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said. "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software."

Several proof-of-concept exploits demonstrating what the flaw makes possible have been created since Tuesday, including one that appears to show Rick Astley's "Never Gonna Give You Up" video streaming on the NSA website.

That means that hackers could intercept and alter secure internet communications, including software updates and possibly even encrypted messages, depending on how the messaging software used Microsoft's own encryption tools. 

Yesterday (Jan. 16), Google patched its Chrome browser against the flaw. Microsoft's Edge and Internet Explorer browsers are patched by Wednesday's cumulative update. 

However, Mozilla's Firefox browser does not rely on the Windows CrytoAPI to verify communications and has never been vulnerable to this flaw.

Just the latest Windows 10 fail

Microsoft has had a rash of problems over the past year with Windows 10 updates, with many of them causing users issues. For example, a bug last February prevented people from installing the latest OS version. Several Windows users were hit with an error message when they tried connecting to Windows Update or the Windows Store. Sound familiar?

In September of 2019 one Windows update turned everything on screen orange for users. And yet another update that same month causes the Start menu and search bar to become unresponsive and broke audio when playing games.

In October one Windows 10 update caused a Blue Screen of Death. Last but not least, in November a Windows update broke File explorer and users were angry.

It's possible this particular problem stems from the fact that Windows 10 build 1903 and Windows 10 build 1909 are very similar, so much so that a single Patch Tuesday cumulative update applies to them both. (Other builds get individual Patch Tuesday rollups customized specially for them.) It could be that Windows Update isn't sure which build it's dealing with when it starts to apply the patch.

Let's hope the next update has fewer issues.