Patch Tuesday: Two zero-day flaws in Windows want rapid consideration
The December Patch Tuesday replace from Microsoft fixes 59 flaws, together with two zero-day vulnerabilities in Windows that should be addressed immediately.
Microsoft / IDG
Microsoft’s December Patch Tuesday up to date delivers 59 fixes, together with two zero-days (CVE-2022-44698 and CVE-2022-44710) that require rapid consideration on the Windows platform. This is a community targeted replace (TCP/IP and RDP) that may require vital testing with an emphasis on ODBC connections, Hyper-V techniques, Kerberos authentication, and printing (each native and distant).
Microsoft additionally revealed an pressing out-of-band replace (CVE-2022-37966) to deal with severe Kerberos authentication points. (The staff at Readiness has offered a useful infographic that outlines the dangers related to every of those updates.)
And Windows Hot-Patching for Azure Virtual Machines (VMs) is now obtainable.
Known points
Each month, Microsoft features a record of identified points that relate to the OS and platforms included on this replace cycle.
- ODBC: After putting in the December replace, functions that use ODBC connections by way of Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to entry databases won’t join. You may obtain the next error messages: “The EMS System encountered an issue. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token acquired from SQL Server”.
- RDP and Remote Access: After you put in this or later updates on Windows desktop techniques, you is perhaps unable to reconnect to (Microsoft) Direct Access after quickly shedding community connectivity or transitioning between Wi-Fi networks or entry factors.
- Hyper-V: After putting in this replace on Hyper-V hosts managed by SDN configured System Center Virtual Machine Manager (VMM), you may obtain an error on workflows involving creating a brand new Network Adapter (additionally referred to as a Network Interface Card or NIC) joined to a VM community or a brand new Virtual Machine (VM).
- Active Directory: Due to further safety necessities in addressing the safety vulnerabilities in CVE-2022-38042, new safety checks are applied on area web be part of requests. These further checks could generate the next error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the identical identify exists in Active Directory. Re-using the account was blocked by safety coverage.”
In preparation for the month’s replace to Windows 10 and 11 techniques, we advocate runningan evaluation on all software packages and search for a dependency on the system file SQLSRV32.DLL. If you have to examine a selected system, open a command immediate and run the command “tasklist /m sqlsrv32.dll.” This ought to record any processes that depend upon this file.
Major revisions
Microsoft revealed only one revision this month, with no different revisions to earlier patches or updates launched.
- CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability: To deal with a identified concern the place Kerberos authentication may fail for person, laptop, service, and GMSA accounts when serviced by Windows area controllers. This patch revision has been launched as a uncommon out-of-band replace and would require rapid consideration, if not already addressed.
Mitigations and workarounds
While there have been a number of documentation updates and FAQs added to this launch, Microsoft revealed a single mitigation:
- CVE-2022-37976: Active Directory Certificate Elevation of Privilege: A system is susceptible to this safety vulnerability provided that each the Active Directory Certificate Services position and the Active Directory Domain Services position are put in on the identical server within the community. Microsoft has revealed a set of registry keys (LegacyAuthenticationLevel) that may assist scale back the floor space of this concern. You can discover out extra about defending your techniques right here.
Testing steerage
Each month, the staff at Readiness analyzes the most recent updates and gives testing steerage. This steerage relies on assessing a big software portfolio and an in depth evaluation of the Microsoft patches and their potential impression on the Windows platforms and software installations.
Given the big variety of modifications included this cycle, I’ve damaged down the testing eventualities into high-risk and standard-risk teams.
High Risk: This month, Microsoft has not recorded any high-risk performance modifications. This means it has not made main modifications to core APIs or performance to any of the core parts or functions included within the Windows desktop and server ecosystems.
More usually, given the broad nature of this replace (Office and Windows) we propose testing the next Windows options and parts:
- Bluetooth: Microsoft has up to date two units of key API/Header recordsdata for Bluetooth drivers together with: IOCTL_BTH_SDP_REMOVE_RECORD IOCTL and DeviceIoControl perform. The key testing activity right here is to allow after which disable Bluetooth, guaranteeing that your information connections are nonetheless working as anticipated.
- GIT: The Git Virtual File System (VfSForGit) has been up to date with modifications to the file and registry mappings. You can learn extra about this key (inner) Windows improvement software right here.
In addition to those modifications and testing necessities, I’ve included a number of the harder testing eventualities for this replace:
- Windows Kernel: This month sees a broad replace to the Windows kernel (Win32kfull.sys) that may have an effect on the first desktop UI expertise. Key options patched embrace the Start menu, the settings applet, and File Explorer. Given the large UI testing floor, a bigger testing group could also be required on your preliminary roll-out. If you continue to see your desktop or taskbar, take that as a constructive signal.
Following final month’s replace to Kerberos authentication, there have been a number of reported points associated to authenticating, particularly throughout remote-desktop connections. Microsoft detailed the next eventualities and associated points addressed this month:
- Domain person sign-in could fail. This additionally may have an effect on Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for companies comparable to Internet Information Services (IIS Web Server) may fail to authenticate.
- Remote Desktop connections utilizing area customers may fail to attach.
- You is perhaps unable to entry shared folders on workstations and file shares on servers.
- Printing that requires area person authentication may fail.
All these eventualities require vital testing earlier than a basic deployment of the December replace.
Unless in any other case specified, we must always now assume that every Patch Tuesday replace would require testing of core printing features together with:
- printing from directly-connected printers.
- add a printer, after which take away a printer (that is new for December).
- giant print jobs from servers (particularly if they’re additionally area controllers).
- distant printing (utilizing RDP and VPNs).
- take a look at bodily and digital eventualities with 32-bit apps on 64-bit machines.
Windows lifecycle replace
This part consists of essential modifications to servicing (and most safety updates) to Windows desktop and server platforms. As that is an end-of-year replace, there are fairly a couple of “End of Service” modifications, together with:
- Windows 10 (Enterprise, Home, Pro) 21H2 – Dec. 12, 2022.
- Windows 8.1 – Jan. 10, 2023.
- Windows 7 SP1 (ESU) – Jan. 10, 2023.
- Windows Server 2008 SP2 (ESU) – Jan. 10, 2023.
Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (each desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core)
- Adobe (retired???, possibly subsequent 12 months),
Browsers
Following a welcome development of no crucial updates to Microsoft’s browsers, this replace delivers simply three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115) all rated essential. These updates have an effect on the Microsoft Chromium browser and will have marginal to low impression in your functions. Add these updates to your commonplace patch launch schedule.
Windows
Microsoft launched patches to the Windows ecosystem this month that deal with three crucial updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated essential and two rated reasonable. Unfortunately, this month we now have these two zero-days affecting Windows with experiences of CVE-2022-44698 exploited within the wild and CVE-2022-44710 publicly disclosed. We have crafted particular testing suggestions, noting that there are reported points with Kerberos, Hyper-V and ODBC connections.
Add this replace to your “Patch Now” launch schedule.
Microsoft Office
Microsoft addressed two crucial vulnerabilities in SharePoint Server (CVE-202244693 and CVE-2022-44690) which are comparatively simple to use and don’t require person interplay. The remaining two vulnerabilities have an effect on Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are low-profile, low impression modifications. Unless you are internet hosting your individual SharePoint servers (oh, why?), add these Microsoft updates to your commonplace launch schedule.
Microsoft Exchange Server
Microsoft has not launched any updates, patches or safety mitigations for Microsoft Exchange Server. Phew!
Microsoft improvement platforms
Microsoft addressed two crucial vulnerabilities in Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Though each safety points are rated crucial, they require native admin entry and are thought of each troublesome and complicated to use. Mark Russinovich’s Sysmon additionally wants an replace with the elevation-of-privilege vulnerability CVE-2022-44704 and all supported variations of Visual Studio will likely be patched. Add these updates to your commonplace developer launch schedule.
Adobe Reader (nonetheless right here, however not this month)
Adobe has launched three class 3 (equal to Microsoft’s ranking of essential) updates to Illustrator, Experience Manager and Campaign (Classic). No updates to Adobe Reader this month.