Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days
This month's Patch Tuesday deals with a large number of security issues in Microsoft Windows, Office, Exchange, and Visual Studio. It's a broad update across Microsoft products that will require planning and testing before general deployment.
Microsoft's August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it's back!) and Visual Studio. Unfortunately, we also have two zero-days: one (CVE-2022-34713) is reported as exploited in the wild, and the other (CVE-2022-30134) was publicly disclosed before a fix was available. Since this is a broad update, it will require planning and testing before deployment.
The first occurs in the Windows diagnostic tools (MSDT) and the second affects Microsoft Exchange. Basically, the holidays are over and it's time to pay attention to Microsoft updates again. We have made "Patch Now" recommendations for Windows, Exchange and Adobe for this month.
You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
Key testing scenarios
Given the large number of changes included in this August patch cycle, I've broken down the testing scenarios into high-risk and standard-risk groups:
High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans:
- Servicing Stack Update: There is a significant change to the Microsoft Servicing Stack (SSU). I've written a brief explainer that details some of the ways that Microsoft "updates the update process" and how its servicing stack has moved to a single, combined update each Patch Tuesday. The changes included for August will require reboot testing to collect and collate, and then parse, the Event Viewer logs. Microsoft provided a helpful reference to the Windows Boot Manager Event Viewer logs, found in KB5016061.
- Web Printing: Though there don't appear to be any functional changes, Microsoft has updated how web documents (HTML and JPEG) are printed. Basic print testing is required here. It doesn't look like this update will take down any servers, print servers or otherwise.
The following updates are not documented as functional changes, but still require a full test cycle:
- Microsoft FAX: Like printing, we now have to test enterprise FAX services with each Patch Tuesday update. This month's update is actually quite interesting; it addresses a vulnerability involving junctions, which I haven't used since the early 2000s. Here's a hint: avoid FAX drivers, and don't use junctions. They were a handy way to handle directory redirection requirements, and are definitely not needed on a modern desktop.
- DirectComposition: This Windows component allows for rapid bitmapping and animations. There was an API update this month that will require testing for internally developed applications. I can't share the exact API changes, but I suggest you scan your applications (and subsequently test) for any references to IDCompositionDevice3.
- Microsoft Office Updates: We recommend a general "smoke" test for all updated Microsoft Office products this month. Specifically for Outlook, we recommend testing with a Gmail account and then switching to a Microsoft account; test sending invitations between the accounts. This applies to all supported versions of Microsoft Office.
Given the changes to the SSU and Windows Boot Manager and the updates to the kernel-mode Win32k.sys driver this month, it may be worth looking at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF). You must know C++ or C# and you'll need the Windows Driver Kit (WDK). Note that for each of these testing scenarios, a manual shutdown, reboot and restart is recommended, with a focus on Boot Manager entries in the Event Viewer logs.
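The reboot testing described above comes down to one repeatable step: capture the boot and shutdown entries from the System log after each test reboot so a pre-patch run and a post-patch run can be compared. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on the test machine, and the two-hour lookback and the CSV path under `$env:TEMP` are illustrative defaults.

```powershell
# Added example: collect boot, shutdown and Boot Manager related entries from the
# System log after a patch-test reboot and save them for before/after comparison.
# Assumptions: run elevated; -Since and -OutFile are illustrative defaults.

function Get-BootTestEvents {
    param(
        [datetime]$Since   = (Get-Date).AddHours(-2),
        [string]  $OutFile = "$env:TEMP\boot-events-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Kernel-General 12/13 = system start/shutdown, Kernel-Boot = boot configuration
    # and Secure Boot state recorded by Boot Manager, Kernel-Power 41 = the machine
    # came back from an unexpected (dirty) shutdown.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General',
                       'Microsoft-Windows-Kernel-Boot',
                       'Microsoft-Windows-Kernel-Power'
        StartTime    = $Since
    }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    if (-not $events) {
        Write-Warning "No boot-related events since $Since; did the reboot actually happen?"
        return
    }

    # A clean patch reboot should never produce Kernel-Power 41.
    $dirty = $events | Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Power' -and $_.Id -eq 41 }
    if ($dirty) { Write-Warning 'Unexpected shutdown (Kernel-Power 41) recorded in the test window.' }

    $events = $events | Sort-Object TimeCreated
    $events | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host "Wrote $($events.Count) events to $OutFile"
    $events
}

# Usage: run once before installing the update and once after the post-patch
# reboot, then Compare-Object the two CSVs on ProviderName/Id to spot new
# warnings or errors introduced by the SSU or Boot Manager changes.
Get-BootTestEvents | Format-Table -AutoSize
```

The point of filtering on providers rather than event IDs is that Boot Manager entries land under the Kernel-Boot provider with several IDs; grouping on provider and ID across the two CSVs is enough to see anything new without knowing every ID in advance.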
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. This month, there are some really complex changes:
- The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules whose signatures it lists from loading on systems with the Unified Extensible Firmware Interface (UEFI). The KB5012170 update adds entries to the DBX to address a vulnerability in the Secure Boot loader process. Unfortunately, if BitLocker is enabled with the PCR7 binding, this update may fail, because changing the DBX changes the PCR7 measurement the TPM-sealed key depends on. To resolve this issue, suspend BitLocker for one reboot with the following command: "manage-bde -protectors -disable C: -RebootCount 1". Then deploy the update and reboot; protection resumes automatically after that reboot.
- After installing KB4493509, devices with some Asian language packs installed may receive the error "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND". PSFX is a differential compression format used to reduce the size of Microsoft updates. Microsoft has probably published the most interesting update deployment and packaging article ever, buried in the middle of a long technical article on packaging and updates. Given that this issue relates to how Windows installs feature-level components, Microsoft recommends reinstalling any language packs. This usually solves the problem, though it's not an official fix.
- After installing this month's update on Windows 10 builds, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. Microsoft is still working on an official fix.
And for the latest release of Windows 11, it looks as if this month's update may lead to the XPS Viewer utility behaving badly (consuming increasing processor and memory resources) before closing unexpectedly. A reboot will resolve the issue until Microsoft posts a fix.
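The DBX known issue above is worth wrapping in a check rather than running the manage-bde one-liner blind: confirm the machine is actually in the affected state (Secure Boot on, OS volume TPM-bound), suspend BitLocker for exactly one reboot, and afterwards verify that the DBX really grew. The PowerShell below is an added example, not from the article or from Microsoft's KB; it assumes an elevated session, an OS volume of C:, and a file under `$env:ProgramData` (chosen here for illustration) to carry the pre-update DBX size across the reboot.

```powershell
# Added example: pre-flight and post-flight checks around the KB5012170 DBX update.
# Assumptions: run elevated; OS volume is C:; the size file path is illustrative.

$SizeFile = "$env:ProgramData\dbx-size-before.txt"

function Get-DbxSize {
    # Raw size of the forbidden-signature database as the firmware exposes it.
    (Get-SecureBootUEFI -Name dbx).Bytes.Length
}

function Test-DbxUpdateReadiness {
    param([string]$MountPoint = 'C:')
    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which are not affected.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    $tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $on = ($vol -and $vol.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        BitLockerOn       = $on
        TpmProtector      = ($tpmProtectors.Count -gt 0)
        # TPM-sealed key on a Secure Boot system: the PCR7 binding case KB5012170 warns about.
        SuspendRequired   = ($secureBoot -and $on -and $tpmProtectors.Count -gt 0)
    }
}

function Invoke-PreDbxUpdate {
    $state = Test-DbxUpdateReadiness
    Set-Content -Path $SizeFile -Value (Get-DbxSize)
    if ($state.SuspendRequired) {
        # Same effect as: manage-bde -protectors -disable C: -RebootCount 1
        Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null
        if ((Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -ne 'Off') {
            throw 'BitLocker did not suspend; do not install KB5012170 on this machine yet.'
        }
        Write-Host 'BitLocker suspended for one reboot; install KB5012170 and restart.'
    } else {
        Write-Host 'No PCR7-bound BitLocker protector found; KB5012170 can be installed directly.'
    }
    $state
}

function Test-PostDbxUpdate {
    $before = [int](Get-Content $SizeFile -ErrorAction SilentlyContinue)
    $after  = Get-DbxSize
    $resumed = (Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue).ProtectionStatus -eq 'On'
    [pscustomobject]@{
        DbxBytesBefore    = $before
        DbxBytesAfter     = $after
        RevocationsApplied = ($before -gt 0 -and $after -gt $before)
        BitLockerResumed  = $resumed
    }
}

# Usage: Invoke-PreDbxUpdate before the update; Test-PostDbxUpdate after the reboot.
Invoke-PreDbxUpdate | Format-List
```

If `Test-PostDbxUpdate` reports the DBX unchanged after the reboot, the update did not apply and the machine is still bootable by the revoked loaders; if it reports `BitLockerResumed` false, run `Resume-BitLocker -MountPoint C:` rather than leaving the volume unprotected.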
Major revisions
Though we have fewer "new" patches released this month, there are plenty of updated and re-released patches from earlier months:
- CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This is the fourth update to this .NET security fix. First released in April, all subsequent revisions have related to updating the products that are affected by this patch. It appears that all versions of Windows 10, Windows Server 2016 and, with this latest revision, Windows 8.1 and Server 2012, are affected. If you are using Windows Update (or even Autopatch), no further action is required.
- CVE-2022-30130: .NET Framework Denial of Service Vulnerability. This revision to May's update now includes coverage for Windows 8.1 and Server 2012. This is only an informational update; no further action is required.
- ADV200011: Microsoft Guidance for Addressing Security Feature Bypass in GRUB. This revision relates to the "BootHole" vulnerability in the GRUB2 boot loader, which lets a signed but vulnerable GRUB binary bypass Secure Boot; the DBX update in KB5012170 revokes those signatures so the affected loaders no longer boot on Secure Boot systems. For more information, refer to KB5012170 and the very informative blog post, "There's a Hole in the Boot."
Mitigations and workarounds
- CVE-2022-34715: Windows Network File System Remote Code Execution Vulnerability. Microsoft has provided a PowerShell mitigation to reduce the severity of an attack by disabling NFSv4.1: "PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false". Note that the parameter turns off NFSv4 as a whole on that server, so v4-only clients will lose access, and the change only takes effect after the NFS server service is restarted or the system is rebooted. Microsoft recommends patching these systems as soon as possible, even with NFSv4.1 disabled.
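Applying that mitigation safely means knowing first whether the NFS server role is even present, which clients are currently connected, and whether the setting really changed. The PowerShell below is an added example, not Microsoft's published text or code from the article; it assumes a Windows Server with the NFS role cmdlets and an elevated session.

```powershell
# Added example: apply the CVE-2022-34715 interim mitigation with the checks around it.
# Assumptions: Windows Server with the Server for NFS cmdlets; run elevated.

function Get-NfsExposure {
    $feature = Get-WindowsFeature -Name FS-NFS-Service
    if (-not $feature.Installed) {
        return [pscustomobject]@{ RoleInstalled = $false; NfsV4Enabled = $false; NfsV3Enabled = $false; Clients = @() }
    }
    $cfg = Get-NfsServerConfiguration
    # Active sessions tell you which client addresses will notice when v4 goes away.
    $sessions = Get-NfsSession -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RoleInstalled = $true
        NfsV4Enabled  = $cfg.EnableNFSV4
        NfsV3Enabled  = $cfg.EnableNFSV3
        Clients       = @($sessions | Select-Object -ExpandProperty ClientAddress -Unique)
    }
}

function Disable-NfsV4Mitigation {
    $state = Get-NfsExposure
    if (-not $state.RoleInstalled) { Write-Host 'NFS server role not installed: nothing to mitigate.'; return $state }
    if (-not $state.NfsV4Enabled)  { Write-Host 'NFSv4 already disabled.'; return $state }

    if ($state.Clients.Count -gt 0) {
        Write-Warning ("Active NFS clients: " + ($state.Clients -join ', ') + ". v4-only clients will fail after this change.")
    }
    if (-not $state.NfsV3Enabled) {
        Write-Warning 'NFSv3 is also disabled: turning off v4 leaves this server serving no NFS at all.'
    }

    # Microsoft's published mitigation. This switches off all of NFSv4 (4.0 and 4.1),
    # not just 4.1; existing v3 shares keep working.
    Set-NfsServerConfiguration -EnableNFSV4 $false

    # The change is not live until the Server for NFS service restarts (or a reboot).
    Restart-Service -Name NfsService -Force

    $after = Get-NfsExposure
    if ($after.NfsV4Enabled) {
        throw 'NFSv4 is still enabled after the change; do not rely on this mitigation until it is resolved.'
    }
    Write-Host 'NFSv4 disabled. This is a stopgap: install the August update, then re-enable v4 with Set-NfsServerConfiguration -EnableNFSV4 $true if clients need it.'
    $after
}

Disable-NfsV4Mitigation | Format-List
```

The service restart is the step most often skipped: `Get-NfsServerConfiguration` reports the new value immediately, but the listener keeps accepting v4 mounts until `NfsService` restarts, so the post-change check only means something after the restart.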
- CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability. Microsoft advises that this vulnerability is relevant if you are, in fact, running Active Directory Certificate Services. If you are, you must deploy the Microsoft May 10 update immediately and review the audit events it logs. Take your time planning and deploying this patch, as it puts your domain controllers into a compatibility mode that logs weak certificate mappings without yet rejecting them. You can read more here: KB5014754. You have until May 9, 2023 before Microsoft closes this loophole.
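The practical question for KB5014754 is which mode each domain controller is in and which certificate logons would break once enforcement is switched on. The PowerShell below is an added example, not from the article or the KB; it assumes it is run on a domain controller with an elevated session, and the seven-day lookback is illustrative. The registry value and the KDC event IDs 39, 40 and 41 are the ones KB5014754 documents.

```powershell
# Added example: report the KB5014754 enforcement mode and summarise the KDC audit
# events that identify certificates which would fail under full enforcement.
# Assumptions: run elevated on a domain controller; -Days is illustrative.

function Get-KdcCertMappingMode {
    $kdc   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
    $value = $kdc.StrongCertificateBindingEnforcement
    $mode  = switch ($value) {
        0       { 'Disabled (no enforcement, no audit events)' }
        1       { 'Compatibility (audit events logged, weak mappings still accepted)' }
        2       { 'Full enforcement (weak mappings rejected)' }
        default { 'Not set: behaves as Compatibility after the May 2022 update' }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; RegistryValue = $value; Mode = $mode }
}

function Get-WeakCertMappingEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object {
            $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId = [int]$_.Name
                Count   = $_.Count
                Meaning = switch ([int]$_.Name) {
                    39 { 'Certificate valid but only weakly mapped to the account' }
                    40 { 'Certificate issued before the account existed' }
                    41 { 'Certificate SID extension does not match the account' }
                }
                # The message body names the user and certificate subject involved.
                Sample  = ($newest.Message -split "`r?`n")[0]
            }
        }
}

Get-KdcCertMappingMode | Format-List
$weak = Get-WeakCertMappingEvents
if ($weak) {
    $weak | Format-Table -AutoSize
    Write-Warning 'Reissue these certificates (or add explicit altSecurityIdentities mappings) before moving to enforcement mode 2.'
} else {
    'No weak certificate mappings logged in the window: enforcement mode 2 should be safe to pilot on this DC.'
}
```

Run it on every DC, not just one: the events are logged by whichever KDC handled the logon, so a quiet log on one domain controller says nothing about the others.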
Probably the most important workaround this month relates to Microsoft Outlook crashing and locking up immediately after start-up. Microsoft explains, "When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding." Microsoft is currently working on the issue and we expect an update soon. Microsoft offered the following workarounds:
You can find out more about Microsoft Diagnostic settings here. This is a little embarrassing for Microsoft, as this is another significant Office issue following the recent Uber receipt crashing issue.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- And Adobe (retired???, maybe next year).
Browsers
Microsoft released three updates to its Edge browser (CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796). Following a trend, none of these are rated as critical. There were also 17 updates to the Chromium project. Google has published all these changes in its update log. For further information, refer to the Chromium security update page. Along with these security fixes, there were several new features in the latest stable release (103) which can be found here. Add these low-profile updates to your standard patch release schedule.
Windows
Microsoft addressed 13 critical issues and 43 issues rated important this month. This is a fairly broad update that covers the following key Windows features:
- Windows Point-to-Point Tunneling Protocol, along with RAS;
- Kernel-mode updates (Win32k.sys);
- Windows Secure Socket Tunneling Protocol (SSTP);
- Windows Print Spooler components.
In addition to this large update, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability) has been reported as both publicly disclosed and exploited in the wild, making this a serious Windows zero-day. It is a path traversal flaw in MSDT's handling of diagnostic packages (.diagcab files) that attackers can exploit to write an executable into the user's Windows Startup folder, where it runs at the next logon, when the user opens a specially crafted file received through an email client or downloaded from the web. In lighter news, you can find the latest Windows 11 update video here. Add these critical Windows updates to your "Patch Now" release schedule.
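Because the MSDT flaw leaves a file in a Startup folder, it is one of the few zero-days this month with an artefact you can go and look for while the patch rolls out. The PowerShell below is an added example written for this page, not code from the article or a Microsoft detection; it assumes an elevated session so every profile is readable, and the 14-day window and the empty allow-list of known-good hashes are placeholders for your own baseline.

```powershell
# Added example: hunt for the artefacts a CVE-2022-34713 (DogWalk) exploit leaves
# behind: new files in any user's Startup folder, and recently created .diagcab
# packages that would have been the lure.
# Assumptions: run elevated; -Days and -KnownGoodSha256 are placeholders.

function Find-SuspiciousStartupItems {
    param(
        [int]     $Days = 14,
        [string[]]$KnownGoodSha256 = @()   # hashes of startup items you have already vetted
    )
    $since    = (Get-Date).AddDays(-$Days)
    $profiles = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue

    # Per-user Startup folders plus the all-users one; anything here runs at logon.
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
        @($profiles | ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })

    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                if ($KnownGoodSha256 -contains $hash) { return }   # skip vetted items
                # Authenticode separates vendor-signed helpers from a dropped loader.
                $sig = Get-AuthenticodeSignature $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    SizeBytes = $_.Length
                    Sha256    = $hash
                    Signature = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

function Find-RecentDiagcab {
    param([int]$Days = 14)
    # A .diagcab in Downloads, Temp or the Outlook attachment cache is what the lure looks like on disk.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem 'C:\Users' -Recurse -Include *.diagcab -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object FullName, CreationTime, Length
}

$hits = Find-SuspiciousStartupItems
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Review unsigned or unexpected Startup items before the next user logon.'
} else {
    'No new Startup-folder items in the window.'
}
Find-RecentDiagcab | Format-Table -AutoSize
```

A hit on both lists for the same user (a fresh .diagcab and a new unsigned Startup item) is the combination worth escalating; a signed vendor updater in Startup on its own is normal noise, which is what the hash allow-list is for.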
Microsoft Office
Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month's release cycle delivers only four updates, all rated important. Microsoft Excel, Outlook and a few core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.
Microsoft Exchange Server
Unfortunately, we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to deliver the security updates as self-extracting EXEs. You won't find these latest updates in the Microsoft Update Catalog, so I've included a list of updates available for the following specific builds of Exchange Server:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU22 and CU23
- Exchange Server 2019 CU11 and CU12
Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134), which allows an attacker to read targeted email messages, Microsoft has recommended that you apply these security-related fixes immediately (italics added by Microsoft). To get the latest updates installed cleanly, you may also want to run the Exchange SetupAssist PowerShell script.
Your organization may already be comfortable with the new update format, but if you're in doubt about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me some time just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month's updates to your "Patch Now" schedule, noting that all updates this month will require a server reboot.
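One gotcha when confirming the Exchange security update actually landed: `Get-ExchangeServer` only reports the cumulative update level, not the security update, so a patched and an unpatched server on the same CU look identical there. The SU level is visible in the file version of ExSetup.exe. The PowerShell below is an added example, not the article's or Microsoft's HealthChecker script; it assumes it runs from the Exchange Management Shell with PowerShell remoting allowed to each server, and it flags servers whose ExSetup version is behind the newest one seen in the organization rather than comparing against a hard-coded build number.

```powershell
# Added example: compare the installed Exchange CU and security-update level across
# the organisation and flag servers that lag behind the newest build seen.
# Assumptions: run from the Exchange Management Shell; WinRM remoting to each server.

function Get-ExchangeBuildInventory {
    Get-ExchangeServer | ForEach-Object {
        $server = $_.Name
        # ExSetup.exe's file version changes with every SU; AdminDisplayVersion does not.
        $fileVersion = try {
            Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
            }
        } catch { $null }

        [pscustomobject]@{
            Server        = $server
            CuLevel       = $_.AdminDisplayVersion.ToString()
            ExSetupBuild  = $fileVersion
            BuildVersion  = if ($fileVersion) { [version]$fileVersion } else { $null }
            Reachable     = [bool]$fileVersion
        }
    }
}

function Find-ExchangeSuStragglers {
    param([object[]]$Inventory = (Get-ExchangeBuildInventory))

    # Compare only servers on the same major.minor.build (same CU); an SU is the revision field.
    $Inventory | Where-Object Reachable | Group-Object { '{0}.{1}.{2}' -f $_.BuildVersion.Major, $_.BuildVersion.Minor, $_.BuildVersion.Build } |
        ForEach-Object {
            $newest = ($_.Group | Sort-Object BuildVersion -Descending | Select-Object -First 1).BuildVersion
            foreach ($s in $_.Group) {
                [pscustomobject]@{
                    Server       = $s.Server
                    CuGroup      = $_.Name
                    ExSetupBuild = $s.ExSetupBuild
                    NewestInCu   = $newest.ToString()
                    BehindNewest = ($s.BuildVersion -lt $newest)
                }
            }
        }
}

$inv = Get-ExchangeBuildInventory
$inv | Format-Table Server, CuLevel, ExSetupBuild, Reachable -AutoSize

$unreachable = $inv | Where-Object { -not $_.Reachable }
if ($unreachable) { Write-Warning ("Could not read ExSetup.exe on: " + ($unreachable.Server -join ', ')) }

$stragglers = Find-ExchangeSuStragglers -Inventory $inv | Where-Object BehindNewest
if ($stragglers) {
    $stragglers | Format-Table -AutoSize
    Write-Warning 'These servers are behind the newest SU build on their CU; schedule the August SU (and the reboot) for them.'
} else {
    'All reachable servers on each CU share the same ExSetup build.'
}
```

Grouping by CU matters because the August updates exist for two CUs of Exchange 2016 and two of Exchange 2019; a 2019 CU11 server is not "behind" a CU12 server, it is on a different servicing track, and the comparison above keeps those apart.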
Microsoft development platforms
Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically difficult blind XML external entity (XXE) injection attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited through a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.
Adobe (really just Reader)
Who would have thought it? We are back this August with three updates rated critical and four rated important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month's patch cycle. All seven reported vulnerabilities relate to memory-safety issues and could lead to a remote code execution (RCE) scenario, requiring immediate attention. Add these Adobe updates to your "Patch Now" schedule.