Microsoft delivers strong Windows-focused updates for June’s Patch Tuesday
This month’s Patch Tuesday updates address 55 flaws in Windows, SQL Server, Microsoft Office, and Visual Studio, and include a fix for a zero-day vulnerability in a key Windows component.
June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are no Microsoft Exchange Server or Adobe updates this month). A zero-day vulnerability in a key Windows component, CVE-2022-30190, leads to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.
You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
Key testing scenarios
Given the large number of changes included in this June patch cycle, I’ve broken out the testing scenarios into high-risk and standard-risk groups.
These high-risk changes are likely to include functionality changes, may deprecate existing capabilities, and will probably require new testing plans. Test your signed drivers using physical and virtual machines (BIOS and UEFI) and across all platforms (x86, 64-bit):
- Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
- Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
- Use SHA-1 signed versus SHA-2 signed drivers.
Each of these high-risk test cycles should include a manual shutdown, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
- Test Remote Credential Guard scenarios. (These tests will require Kerberos authentication and should only be used with the RDP protocol.)
- Test your Hyper-V servers and start/stop/resume your virtual machines (VMs).
- Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
- Test deploying sample applications using AADJ and Intune. Ensure that you deploy and revoke access as part of your test cycle.
In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update. This is because of changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall capabilities of their application portfolio. It’s good practice to exercise each application package as part of a Quality Assurance (QA) process that covers the key application lifecycle stages of install, activation, update, repair, and then uninstall.
Not testing these stages could leave IT systems in an undesirable state; at the very least, it will be an unknown state.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
- After installing this June update, Windows devices that use certain GPUs might cause applications to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). No resolutions for these reported issues yet.
- After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.
As you may recall, Microsoft published an out-of-band (OOB) update last month (on May 19). This update affected the following core Windows Server-based networking features:
- Network Policy Server (NPS)
- Routing and Remote Access Service (RRAS)
- RADIUS, Extensible Authentication Protocol (EAP)
- Protected Extensible Authentication Protocol (PEAP)
The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controller servers. Desktop platforms are not affected. Because of this earlier patch, Microsoft has recommended that this June’s update be installed first on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC). Then install this update on all DC role computers. Alternatively, pre-populate CertificateMappingMethods to 0x1F on all DCs, as documented in the registry key information section of KB5014754. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.
Did you get that? I have to note, with a certain sense of irony, that the most detailed, order-specific set of instructions Microsoft has ever published (ever) is buried deep, mid-way through a very long technical article. I hope everyone is paying attention.
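As an added example (not from the article, Microsoft, or KB5014754 itself), the following PowerShell script wraps the three steps above for a domain controller: pre-populate CertificateMappingMethods to 0x1F, report the current state, and remove the override only once the June update is confirmed installed. It assumes the Schannel registry path that KB5014754 documents and uses a placeholder for the June 14 cumulative update id of your OS version, which the article does not give.

```powershell
# Added example, not Microsoft's code. Run elevated on a DC.
# Assumptions: registry path per KB5014754; $JuneUpdateKb is a
# placeholder for the June 14 cumulative update id for this OS build.
param(
    [string]$JuneUpdateKb = 'KB<JUNE-UPDATE-ID-PLACEHOLDER>',
    [ValidateSet('Prepopulate', 'Cleanup', 'Status')]
    [string]$Action = 'Status'
)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$name = 'CertificateMappingMethods'

function Get-MappingValue {
    # Returns $null when the value has never been set (OS default).
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

function Test-JuneUpdateInstalled {
    [bool](Get-HotFix -Id $JuneUpdateKb -ErrorAction SilentlyContinue)
}

switch ($Action) {
    'Prepopulate' {
        # 0x1F keeps every certificate mapping method enabled so clients
        # keep authenticating while intermediate servers are still unpatched.
        Set-ItemProperty -Path $path -Name $name -Value 0x1F -Type DWord
        Write-Host "$name set to 0x1F on $env:COMPUTERNAME"
    }
    'Cleanup' {
        # Remove the override only after the June update is on every
        # intermediate/application server and every DC (article's last step).
        if (-not (Test-JuneUpdateInstalled)) {
            Write-Warning "$JuneUpdateKb not installed here; leaving $name in place"
            return
        }
        Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        Write-Host "$name removed; default mapping behaviour restored"
    }
    'Status' {
        $v = Get-MappingValue
        $state = if ($null -eq $v) { 'not set (default)' } else { '0x{0:X}' -f $v }
        Write-Host "$env:COMPUTERNAME : $name = $state; June update installed: $(Test-JuneUpdateInstalled)"
    }
}
```

Run with `-Action Status` first on each DC to confirm where you stand before applying either change.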
Major revisions
Though we have fewer “new” patches released this month, there are many updated and re-released patches from previous months, including:
- CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.
- CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to the list of affected applications (now affecting the Mac platform). No further action required.
- CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now affecting the Mac platform). No further action required.
- CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major revision to this patch is a bit of a mess. The patch was mistakenly allocated to the Windows security update group. Microsoft has removed this Endpoint Manager patch from the Windows group and has provided the following options to access and install this hot-fix:
- CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal: we were affected by this issue with huge server performance spikes. If you’re having problems with MSDT, you should read the MSRC blog post, which includes detailed instructions on updates and mitigations. To resolve our issues, we had to disable the MSDT URL protocol, which has its own problems.
I think that we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but neither change has a significant testing profile. DCOM changes are different: they’re tough to test and generally require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired results. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you may have some unpleasant surprises, with very difficult-to-debug troubleshooting scenarios.
Mitigations and workarounds
For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
- CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I’ve seen this, but for this mitigation, Microsoft strongly recommends you install the May 2022 update first. Once done, you can reduce your attack surface area by disabling NFSV4.1 with the following PowerShell command: “Set-NfsServerConfiguration -EnableNFSV4 $false”
Making this change will require a restart of the target server.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
We are seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:
- CVE-2022-2007: Use after free in WebGPU
- CVE-2022-2008: Out of bounds memory access in WebGL
- CVE-2022-2010: Out of bounds read in compositing
- CVE-2022-2011: Use after free in ANGLE
A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.
Windows
With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus, especially given the low-risk, low-profile updates to Microsoft browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and Docker components. As mentioned earlier, the most difficult to test and troubleshoot will be the kernel updates and the local security subsystem (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily because of the number of core infrastructure changes that should be picked up in early testing. (Microsoft has published another video about this month’s changes to the Windows 11 platform, found here.)
Microsoft has fixed the widely exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which, given the other three critical updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139), results in a “Patch Now” recommendation.
Microsoft Office
Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core foundation library), all of them rated important. The SharePoint server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker location. This Excel vulnerability is more of an Arbitrary Code Execution vulnerability; given that it requires user interaction and access to a local target system, it’s a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.
Microsoft Exchange Server
We have a SQL Server update this month, but no Microsoft Exchange Server updates for June. This is good news.
Microsoft development platforms
Microsoft has released a single, relatively low-risk (CVE-2022-30184) update to the .NET and Visual Studio platform. If you’re using a Mac (I like the Mac version of Code), Microsoft recommends that you update to Mac Visual Studio 2022 (still in preview) as soon as possible. As of July (yes, next month) the Mac version of Visual Studio 2019 will no longer be supported. And yes, dropping patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.
Adobe (really, just Reader)
There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for its other (non-Acrobat or PDF-related) applications, all of which are rated at the lowest level, 3, by Adobe. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.