Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days

This month’s Patch Tuesday deals with a large number of security issues in Microsoft Windows, Office, Exchange, and Visual Studio. It’s a broad update across Microsoft products that may require planning and testing before general deployment.

Microsoft’s August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it’s back!) and Visual Studio, and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment.

The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it’s time to pay attention to Microsoft updates again. We have made “Patch Now” recommendations for Windows, Exchange and Adobe for this month.

You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

Key testing scenarios

Given the large number of changes included in this August patch cycle, I have broken down the testing scenarios into high risk and standard risk groups:

High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans:

The following updates are not documented as functional changes, but still require a full test cycle:

Given the changes to the SSU, Windows Boot Manager and updates to the Windows kernel (WIN32KY.SYS) this month, it may be worth having a look at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF). You will need to know C++ or C# and you will need the Windows Driver Kit (WDK). Note that for each of these testing scenarios, a manual shut-down, reboot and restart is usually recommended, with a focus on Boot Manager entries in the event viewer logs.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. This month, there are some really complex changes:

And for the latest release of Windows 11, it looks as if this month’s update may lead to the utility XPS Viewer behaving badly (using increasing processor and memory resources) before closing unexpectedly (i.e. badly). A reboot will solve the issue until Microsoft posts a fix.

Major revisions

Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months:

Mitigations and workarounds

Probably the most important workaround this month relates to Microsoft Outlook crashing and locking up immediately after start-up. Microsoft explains, “When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding.” Microsoft is currently working on the issue and we expect an update soon. Microsoft offered the following workarounds:

  • Sign out and back in to Office.
  • Disable support diagnostics in Outlook with the following registry keys: software\policies\microsoft\office\16.0\outlook\options\general\disablesupportdiagnostics, Disabled value =0
  • Manually set the email address to the identity of the user that is seeing the issue in the registry path.

You can find out more about Microsoft Diagnostic settings here. This is a little embarrassing for Microsoft as this is another important Office issue following the recent Uber receipt crashing issue.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft released three updates to its Edge browser (CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796). Following a trend, none of these are rated as critical. There were also 17 updates to the Chromium project. Google has published all these changes in its update log. For further information, refer to the Chromium security update page. Along with these security fixes, there were several new features in the latest stable release (103) which can be found here. Add these low-profile updates to your standard patch release schedule.

Windows

Microsoft addressed 13 critical issues and 43 issues rated important this month. This is a fairly broad update that covers the following key Windows features:

In addition to this large update, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability) has been reported as both publicly disclosed and exploited in the wild, making this a serious Windows zero-day. This serious Windows security flaw is a path traversal flaw that attackers can exploit to copy an executable to the Windows Startup folder when a user opens a specially-crafted file via an email client or downloaded from the web. In lighter news, you can find the latest Windows 11 update video here. Add these critical Windows updates to your “Patch Now” release schedule.
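Because the MSDT flaw described above ends with an executable dropped into a Startup folder, a quick audit of those folders is a useful check alongside patching. The script below is an added example, not part of the original article or any Microsoft tooling; the 30-day window, the extension list and the default C:\Users profile layout are assumptions.

```powershell
# Added example: list executable content in Windows Startup folders.
# Assumptions (not from the article): 30-day "recent" window, the extension
# list below, and user profiles living under C:\Users.
param(
    [int]$Days = 30
)

$cutoff = (Get-Date).AddDays(-$Days)

# Binary and script types that execute by default when Windows launches them.
$riskyExt = '.exe', '.com', '.scr', '.bat', '.cmd', '.vbs', '.js', '.hta'

# All-users Startup folder plus the per-user Startup folder of every profile.
$startupDirs = @(
    Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
)
$startupDirs += Get-ChildItem -Path 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $riskyExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Unsigned or invalidly signed files deserve the first look.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Recent    = ($_.CreationTime -ge $cutoff)
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest files first; an empty result means nothing matched.
$findings | Sort-Object Created -Descending | Format-List
```

Run it from an elevated session so other users' profiles are readable; any entry with Recent set to True and a Signature other than Valid should be traced back to the document or download that created it.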

Microsoft Office

Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month’s release cycle delivers only 4 updates, all rated important. Microsoft Excel, Outlook and a few core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.

Microsoft Exchange Server

Unfortunately we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to include self-extracting EXEs. You will not find these latest updates in the Microsoft catalog, so I have included a list of updates available for the following specific builds of Exchange Server:

Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134) which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security related fixes immediately (italics added by Microsoft). To get the latest updates, you may also want to run the Exchange SetupAssist PowerShell script.

Your team may already be comfortable with the new update format, but if you are in doubt about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me a while just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month’s updates to your “Patch Now” schedule, noting that all updates this month will require a server reboot.

Microsoft development platforms

Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically challenging blind “external entity” injection (XXE) attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited via a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.

Adobe (really just Reader)

Who would have thought it? We are back this August with three updates rated critical and four as important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month’s patch cycle. All seven reported vulnerabilities relate to memory leak issues and could lead to a remote code execution scenario (RCE), requiring immediate attention. Add these Adobe updates to your “Patch Now” schedule.
