Microsoft delivers strong Windows-focused updates for June's Patch Tuesday

Microsoft delivers strong Windows-focused updates for June's Patch Tuesday



Microsoft delivers strong Windows-focused updates for June’s Patch Tuesday
This month’s Patch Tuesday updates take care of 55 flaws in Windows, SQL Server, Microsoft Office, and Visual Studio, and embrace a zero-day vulnerability in a key Windows part.

Traitov / Getty Images

June’s Patch Tuesday updates, launched on June 14, tackle 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (although there are oo Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows part, CVE-2022-30190, led to a “Patch Now” suggestion for Windows, whereas the .NET, Office and SQL Server updates will be included in an ordinary launch schedule.

You can discover extra data on the danger of deploying these Patch Tuesday updates on this infographic.

Key testing situations

Given the massive variety of modifications included on this June patch cycle I’ve damaged out the testing situations for prime danger and customary danger teams.

These high-risk modifications are more likely to embrace performance modifications, might deprecate current capabilities, and can possible require new testing plans. Test your signed drivers utilizing bodily and digital machines, (BIOS and UEFI) and throughout all platforms (x86, 64-bit):

Each of those high-risk take a look at cycles should embrace a handbook shut-down, reboot, and restart. The following modifications will not be documented as together with useful modifications, however will nonetheless require a minimum of “smoke testing” earlier than normal deployment:

In addition to those customary testing tips, we advocate that every one core functions bear a testing regime that features self-repair, uninstall, and replace. This is as a result of modifications to Windows Installer (MSI) this month. Not sufficient IT departments take a look at the replace, restore, and uninstall capabilities of their software portfolio. It’s good to problem every software package deal as a part of the Quality Assurance (QA) course of that features the important thing software lifecycle levels of set up, activation, replace, restore, after which uninstall.

Not testing these levels might depart IT methods in an undesirable state — on the very least, it is going to be an unknown state.

Known points

Each month, Microsoft features a record of recognized points that relate to the working system and platforms affected this cycle. This month, there are some complicated modifications to think about, together with:

As it’s possible you’ll bear in mind, Microsoft printed an out-of-band replace (OOB) final month (on May 19). This replace affected the next core Windows Server primarily based networking options:

The safety vulnerabilities addressed by this OOB replace solely impacts servers working as area controllers and software servers that authenticate to area controller servers. Desktop platforms will not be affected. Due to this earlier patch, Microsoft has beneficial that this June’s replace be put in on all intermediate or software servers that cross authentication certificates from authenticated purchasers to the area controller (DC) first. Then set up this replace on all DC function computer systems. Or pre-populate CertificateMappingMethods to 0x1F as documented within the registry key data part of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting solely after the June 14 replace has been put in on all intermediate or software servers and all DCs.

Did you get that? I need to observe with a sure sense of irony, that essentially the most detailed, order-specific set of directions that Microsoft has ever printed (ever), are buried deep, mid-way via a really lengthy technical article. I hope everyone seems to be paying consideration.

Major revisions

Though we’ve got fewer “new” patches launched this month, there are lots of up to date and newly launched patches from earlier months, together with:

  • Upgrade to Configuration Manager present department, model 2203 (Build 5.00.9078), which is obtainable as an in-console replace. See Checklist for putting in replace 2203 for Configuration Manager for extra data.
  • Apply the hotfix. Customers operating Microsoft Endpoint Configuration Manager, variations 1910 via variations 2111 who will not be capable of set up Configuration Manager Update 2203 (Build 5.00.9078) can obtain and set up hot-fix KB12819689.
  • I feel that we will safely work via the Visual Studio updates, and the Endpoint Configuration Manager modifications will take a while to implement, however each modifications should not have vital testing profiles. DCOM modifications are totally different — they’re robust to check and usually require a enterprise proprietor to validate not simply the set up/instantiation of the DCOM objects, however the enterprise logic and the specified outcomes. Ensure that you’ve got a full record of all functions which have DCOM dependencies and run via a enterprise logic take a look at, or you could have some disagreeable surprises — with very difficult-to-debug troubleshooting situations.

    Mitigations and workarounds

    For this Patch Tuesday, Microsoft printed one key mitigation for a critical Windows vulnerability:

    Making this modification would require a restart of the goal server.

    Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:

    Browsers

    We are seeing a welcome pattern of fewer and fewer important updates to the whole Microsoft browser portfolio. For this cycle, Microsoft has launched 5 updates to the Chromium model of Edge. They are all low danger to deploy and resolve the next reported vulnerabilities:

    A key issue on this downward pattern of browser associated safety points, is the decline and now retirement of Internet Explorer (IE). IE is formally not supported as of this July. The way forward for Microsoft’s browsers is Edge, in keeping with Microsoft. Microsoft has supplied us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your customary software launch schedule.

    Windows

    With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the first focus — particularly given the low-risk, low-profile updates to Microsoft Browsers, Office, and growth platforms (.NET). The Windows updates cowl a broad base of performance, together with: NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and docker parts. As talked about earlier, essentially the most difficult-to-test and troubleshoot would be the kernel updates and the native safety sub-system (LSASS). Microsoft recommends a ring-based deployment strategy, which can work nicely for this month’s updates, primarily as a result of variety of core infrastructural modifications that ought to be picked up in early testing. (Microsoft has printed one other video in regards to the modifications this month to the Windows 11 platform, discovered right here.)

    Microsoft has mounted the widely-exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which given the opposite three important updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139) results in a “Patch Now” suggestion. 

    Microsoft Office

    Microsoft launched seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core basis library), all of them rated essential. The SharePoint server updates are comparatively low danger, however would require a server reboot. We have been initially frightened in regards to the RCE vulnerability in Excel, however on evaluation it seems that the “remote” in Remote Code Execution refers back to the attacker location. This Excel vulnerability is extra of an Arbitrary Code Execution vulnerability; provided that it requires consumer interplay and entry to an area goal system, it’s a much-reduced danger. Add these low-profile Office updates to your customary patch deployment schedule.

    Microsoft Exchange Server

    We have a SQL server replace this month, however no Microsoft Exchange Server updates for June. This is nice information.

    Microsoft growth platforms

    Microsoft has launched a single, comparatively low-risk (CVE-2022-30184) replace to the .NET and Visual Studio platform. If you’re utilizing a Mac (I like the Mac model of Code), Microsoft recommends that you simply replace to Mac Visual Studio 2022 (nonetheless in preview) as quickly as attainable. As of July (sure, subsequent month) the Mac model of Visual Studio 2019 will not be supported. And sure, dropping patch help in the identical month as the subsequent model is launched is tight. Add this single .NET replace to your customary growth patch launch schedule.

    Adobe (actually, simply Reader)

    There aren’t any Adobe Reader or Acrobat updates for this cycle. Adobe has launched a safety bulletin for his or her different (non-Acrobat or PDF associated) functions — all of that are rated on the lowest degree 3 by Adobe. There might be loads of work with printers within the coming weeks, so this can be a welcome reduction.

    Exit mobile version