Critical zero-days make September's Patch Tuesday a 'Patch Now' launch

Critical zero-days make September's Patch Tuesday a 'Patch Now' launch



Critical zero-days make September’s Patch Tuesday a ‘Patch Now’ launch
Microsoft centered on Windows with this month’s massive patch launch, pushing out 63 updates affecting the working system, Microsoft Office and the Visual Studio and .NET platforms. The launch got here amid reviews of three publicly exploited vulnerabilities.

Traitov / Getty Images

With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reviews of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month’s Patch Tuesday launch will get a “Patch Now” precedence. Key testing areas embrace printing, Microsoft Word, and on the whole utility un-installations. (The Microsoft Office, .NET and browser updates could be added to your customary launch schedules.)

You can discover extra data on the danger of deploying these Patch Tuesday updates with this useful infographic.

Key testing eventualities

Given the big variety of modifications included within the September patch cycle, I’ve damaged down the testing eventualities into high-risk and standard-risk teams:

High Risk: These modifications are prone to embrace performance modifications, could deprecate present performance, and can doubtless require the creation of latest testing plans:

The following updates will not be documented as practical modifications, however nonetheless require a full take a look at cycle:

In addition to those modifications and testing necessities, I’ve included a few of the harder testing eventualities for this replace:

Testing these vital and sometimes up to date options is now a truth of life for many IT departments, requiring devoted time, private and specialised processes to make sure repeatable constant outcomes.

Known points

Each month, Microsoft features a checklist of identified points that relate to the working system and platforms included on this replace cycle.

Starting at 12 a.m. Saturday, Sept.10, the official time in Chile superior 60 minutes in accordance with the Aug. 9 announcement by the Chilean authorities of a daylight-saving time (DST) time zone change. This moved the DST shift from Sept. 4 to Sept. 10; the time change will have an effect on Windows apps, timestamps, automation, workflows, and scheduled duties. (Authentication processes that depend on Kerberos may additionally be affected.)

Major revisions

As of Sept. 16, Microsoft has not printed any main revisions to its safety advisories.

Mitigations and workarounds

There are 4 mitigations and workarounds included on this Patch Tuesday launch, together with:

Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:

Browsers

Microsoft has launched a single replace to the Edge browser (CVE-2022-38012) that has been rated as low ,regardless that it might result in distant code execution state of affairs because of its tough exploitation chain. In addition, there are 15 updates to the Chromium venture. Slightly out of sync with Patch Tuesday, Microsoft launched the newest model of the Edge Stable channel on Sept. 15 that accommodates a repair for CVE-2022-3075. You can learn extra about this replace’s launch notes and might discover out extra about Chromium updates. Add these low-profile browser updates to your customary launch schedule.

Note: you’ll have to deploy a separate utility replace to Edge — this will require extra utility packaging, testing, and deployment.

Windows

Microsoft addressed three vital points (CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722) and 50 points rated vital this month. This is one other broad replace that covers the next key Windows options:

For Windows 11 customers, right here is that this month’s Windows 11 video replace. The three vital updates all have NIST scores of 9.8 (out of 10). Coupled with the three exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) these make this month’s Windows replace a “Patch Now” launch.

Microsoft Office

Microsoft launched seven safety patches to the Office platform affecting Visio, PowerPoint, SharePoint and SharePoint Server. The Microsoft Visio and PowerPoint updates are low-profile deployments that needs to be added to your customary Office replace schedules. The SharePoint Server updates (CVE-2022-38008 and CVE-2022-37961) will not be rated vital, however they might result in a distant code execution state of affairs (although tough to use). We suggest including these two updates to your server replace schedule, noting that every one patched SharePoint Servers would require a restart.

Microsoft Exchange Server

Fortunately for us (and all IT admins) Microsoft has not printed any safety advisories for Microsoft Exchange merchandise this month.

Microsoft Development Platforms

Microsoft printed three updates rated vital for his or her developer instruments platform (CVE-2022-26929, CVE-2022-38013 and CVE-2022-38020) affecting Microsoft .NET and the Visual Studio platform. These three updates are comparatively low threat to deploy and needs to be added to your customary developer launch schedule.

Adobe (actually simply Reader)

Adobe printed six safety bulletins affecting: Animate, Bridge, Illustrator, InCopy, InDesign and RoboHelp. However, there have been no updates to Adobe Reader or different associated PDF merchandise. This could also be the results of Adobe being in any other case engaged with the $20 billion buy of Figma.

Exit mobile version