Critical zero-days make September's Patch Tuesday a 'Patch Now' launch

Critical zero-days make September’s Patch Tuesday a ‘Patch Now’ launch
Microsoft centered on Windows with this month’s massive patch launch, pushing out 63 updates affecting the working system, Microsoft Office and the Visual Studio and .NET platforms. The launch got here amid reviews of three publicly exploited vulnerabilities.

Traitov / Getty Images

With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reviews of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month’s Patch Tuesday launch will get a “Patch Now” precedence. Key testing areas embrace printing, Microsoft Word, and on the whole utility un-installations. (The Microsoft Office, .NET and browser updates could be added to your customary launch schedules.)

You can discover extra data on the danger of deploying these Patch Tuesday updates with this useful infographic.

Key testing eventualities

Given the big variety of modifications included within the September patch cycle, I’ve damaged down the testing eventualities into high-risk and standard-risk teams:

High Risk: These modifications are prone to embrace performance modifications, could deprecate present performance, and can doubtless require the creation of latest testing plans:

• Test these newly-released performance updates. Please connect a digicam or cellphone to your PC and use the Photos import perform to import pictures and movies.
• Basic printing assessments are required this month because of performance modifications within the Windows spooler controller.

The following updates will not be documented as practical modifications, however nonetheless require a full take a look at cycle:

• Microsoft Office: Conduct fundamental testing on Word, PowerPoint, and Excel with a concentrate on SmartArt, diagrams, and legacy recordsdata.
• Test your Windows error logs, because the Windows Common Log File system has been up to date.
• Validate area controller authentication and area associated providers such Group Managed Service accounts. Include on-premise and off-premise testing as nicely.
• High-duration VPN testing is required, with VPN testing cycles that must exceed eight hours on each servers and desktops. Note: you will want to make sure that PKE fragmentation is enabled. We recommend the next PowerShell command: “HKLM:SYSTEMCurrentControlSetServicesRemoteAccessParametersIkev2” -Name AllowServerFragmentation -PropertyType DWORD -Value 1 -Force Restart-Service remoteaccess

In addition to those modifications and testing necessities, I’ve included a few of the harder testing eventualities for this replace:

• Test any utility utilizing the OLE DB interface and sqloledb.dll to make database connections. This course of would require an evaluation of your utility portfolio, in search of dependencies on the SQL OLE libraries and parts and centered testing on utility performance that makes use of these up to date options.
• Application un-installations would require testing because of modifications within the Enterprise Application Management home windows element. The massive problem right here is to check that an utility bundle has been absolutely uninstalled from a machine, that means all of the recordsdata, registry, providers and shortcuts have been eliminated. This contains all of the first-run settings and configuration knowledge associated to utility. This is a troublesome, time-consuming job that can require some automation to make sure constant outcomes.

Testing these vital and sometimes up to date options is now a truth of life for many IT departments, requiring devoted time, private and specialised processes to make sure repeatable constant outcomes.

Known points

Each month, Microsoft features a checklist of identified points that relate to the working system and platforms included on this replace cycle.

• Microsoft SharePoint Server: Nintex Workflow clients should take extra motion after this safety replace is put in to ensure workflows could be printed and run. For extra data, please discuss with this Microsoft help doc. 
• After putting in KB5001342 or later, the Cluster Service would possibly fail to begin as a result of a Cluster Network Driver is just not discovered. For extra details about the precise errors, trigger, and workaround, see KB5003571.
• Some enterprise customers should be experiencing points with XPS Viewers. A handbook re-install will doubtless resolve the difficulty.

Starting at 12 a.m. Saturday, Sept.10, the official time in Chile superior 60 minutes in accordance with the Aug. 9 announcement by the Chilean authorities of a daylight-saving time (DST) time zone change. This moved the DST shift from Sept. 4 to Sept. 10; the time change will have an effect on Windows apps, timestamps, automation, workflows, and scheduled duties. (Authentication processes that depend on Kerberos may additionally be affected.)

Major revisions

As of Sept. 16, Microsoft has not printed any main revisions to its safety advisories.

Mitigations and workarounds

There are 4 mitigations and workarounds included on this Patch Tuesday launch, together with:

• CVE-2022-35838: A prerequisite for a server to be weak is that the binding has HTTP/3 enabled. Currently, enabling HTTP/3 is completed by way of a registry key as mentioned on this article: Enabling HTTP/3 help on Windows Server 2022
• CVE-2022-34718: Please observe that this safety vulnerability is just not affected if IPv6 is just not enabled on the goal machine.
• CVE-2022-34691: Microsoft has printed supplementary documentation on certificate-based authentication modifications for Windows area controllers.
• CVE-2022-33679: For clients operating Server 2012 and those that use the Kerberos Armour service, there’s an choice to make use of Flexible Authentication Secure Tunnelling (FAST) that absolutely mitigates this Kerberos vulnerability. Microsoft has additionally printed helpful help documentation detailing completely different approaches to entry management utilizing Kerberos.

Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (each desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, perhaps subsequent 12 months).

Browsers

Microsoft has launched a single replace to the Edge browser (CVE-2022-38012) that has been rated as low ,regardless that it might result in distant code execution state of affairs because of its tough exploitation chain. In addition, there are 15 updates to the Chromium venture. Slightly out of sync with Patch Tuesday, Microsoft launched the newest model of the Edge Stable channel on Sept. 15 that accommodates a repair for CVE-2022-3075. You can learn extra about this replace’s launch notes and might discover out extra about Chromium updates. Add these low-profile browser updates to your customary launch schedule.

Note: you’ll have to deploy a separate utility replace to Edge — this will require extra utility packaging, testing, and deployment.

Windows

Microsoft addressed three vital points (CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722) and 50 points rated vital this month. This is one other broad replace that covers the next key Windows options:

• Windows Networking (DNS, TLS and the TCP/IP stack);
• Cryptography (IKE extensions and Kerberos);
• Printing (once more);
• Microsoft OLE;
• Remote Desktop (Connection Manager and API’s).

For Windows 11 customers, right here is that this month’s Windows 11 video replace. The three vital updates all have NIST scores of 9.8 (out of 10). Coupled with the three exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) these make this month’s Windows replace a “Patch Now” launch.

Microsoft Office

Microsoft launched seven safety patches to the Office platform affecting Visio, PowerPoint, SharePoint and SharePoint Server. The Microsoft Visio and PowerPoint updates are low-profile deployments that needs to be added to your customary Office replace schedules. The SharePoint Server updates (CVE-2022-38008 and CVE-2022-37961) will not be rated vital, however they might result in a distant code execution state of affairs (although tough to use). We suggest including these two updates to your server replace schedule, noting that every one patched SharePoint Servers would require a restart.

Microsoft Exchange Server

Fortunately for us (and all IT admins) Microsoft has not printed any safety advisories for Microsoft Exchange merchandise this month.

Microsoft Development Platforms

Microsoft printed three updates rated vital for his or her developer instruments platform (CVE-2022-26929, CVE-2022-38013 and CVE-2022-38020) affecting Microsoft .NET and the Visual Studio platform. These three updates are comparatively low threat to deploy and needs to be added to your customary developer launch schedule.

Adobe (actually simply Reader)

Adobe printed six safety bulletins affecting: Animate, Bridge, Illustrator, InCopy, InDesign and RoboHelp. However, there have been no updates to Adobe Reader or different associated PDF merchandise. This could also be the results of Adobe being in any other case engaged with the $20 billion buy of Figma.

www.computerworld.com