Take your time testing these February Patch Tuesday updates
With this month's very light Patch Tuesday release from Microsoft, security and systems administrators should take time to test their apps and desktop/server builds.
There are (as of now) 51 patches to the Windows ecosystem for February, but no critical updates and no “Patch Now” recommendations from the Readiness team. I'm hoping that with this month's list of Patch Tuesday updates, we can enjoy the calm after the storm. January was tough for a lot of folks. And, with this month's very light release from Microsoft, corporate security and systems administrators can take the time needed to test their applications and desktop/server builds. It's also important to invest in their testing methodologies, release practices, and how their applications may be affected by OS-level updates and patches.
You can find more information on the risk of deploying these Patch Tuesday updates using our detailed infographic.
Key testing scenarios
There are no reported high-risk changes to Windows this month. However, there is one reported functional change, and an additional feature added:
- Printing: Perform all basic print operations with multiple types of printers. Perform print operations with various third-party apps. Most importantly, test your print spooler services on any shared service servers (e.g., Domain Controllers).
- VPN: Validate VPN connectivity using existing/new VPN connections (Create/Connect/Remove).
- Kernel Updates: Any applications that rely on DirectComposition should work as intended.
- CFS Logs: Test out Create/Read/Update/Extend/Trim.
When testing your printing services, ensure that you are validating your spooler and SHD (shadow files). Testing these service artifacts is especially important if you employ symbolic or hard links to access these jobs.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. There are more than usual, so I've referenced a few key issues that relate to the latest builds from Microsoft, including:
- Devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU.
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” To resolve this issue, Microsoft recommends that you “uninstall and reinstall any recently added language packs.” For instructions, see Manage the input and display language settings in Windows 10.
- After installing this update, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication. You might receive the prompt “Your credentials did not work. The credentials that were used to connect to [device name] did not work.” Microsoft has published a Known Issue Rollback for this problem. For further instructions, see How to use Group Policy to deploy a Known Issue Rollback.
- After installing updates released Jan. 11 or later, applications that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might have issues. The apps might fail or close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error. To resolve this issue manually, apply the out-of-band updates for the version of the .NET Framework used by the app. We recommend that you scan your internal line-of-business applications for any dependencies on the System.DirectoryServices API.
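One way to run the dependency scan recommended above, as an added example that is not from the article or from Microsoft. It is a triage heuristic: .NET metadata stores referenced assembly and member names as UTF-8 strings, so the script confirms a file is a managed PE and then looks for the assembly name plus forest-trust member names; the hint list, file names and sample binaries are constructed assumptions of this example.

```python
import struct
import tempfile
from pathlib import Path

# Assumed heuristic markers (this example's choice): assembly name + forest-trust members.
ASSEMBLY = b"System.DirectoryServices"
TRUST_HINTS = (b"GetAllTrustRelationships", b"ForestTrustRelationshipInformation")

def is_dotnet(data):
    """True if the PE optional header carries a CLI header directory (entry 14)."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24  # PE signature (4 bytes) + COFF header (20 bytes)
        first_dir = {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", data, opt)[0]]
        rva, size = struct.unpack_from("<II", data, opt + first_dir + 14 * 8)
    except (struct.error, KeyError):
        return False  # truncated file or unknown optional-header magic
    return rva != 0 and size != 0

def scan(root):
    """Map relative path -> trust hints for managed binaries that mention ASSEMBLY."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll"):
            data = path.read_bytes()
            if is_dotnet(data) and ASSEMBLY in data:
                hits[path.relative_to(root).as_posix()] = [h.decode() for h in TRUST_HINTS if h in data]
    return hits

def fake_pe(strings, managed=True):
    """Constructed sample: a PE32 header holding only the fields is_dotnet reads."""
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew -> PE header at 0x80
    struct.pack_into("<H", buf, 0x98, 0x10B)     # optional header magic: PE32
    struct.pack_into("<II", buf, 0x168, *((0x2008, 0x48) if managed else (0, 0)))
    return bytes(buf) + b"\0".join(strings) + b"\0"

def demo():
    # Constructed tree: two managed hits, one native file, one unrelated managed app.
    samples = {"TrustReport.exe": fake_pe([ASSEMBLY, b"GetAllTrustRelationships"]),
               "LdapLookup.dll": fake_pe([ASSEMBLY]),
               "native.dll": fake_pe([ASSEMBLY], managed=False),
               "Other.exe": fake_pe([b"System.Net.Http"])}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            Path(tmp, name).write_bytes(blob)
        return scan(tmp)
```

Treat hits as candidates for review: the byte match also flags sibling assemblies such as System.DirectoryServices.Protocols, so confirm each one with a metadata reader before adding the app to your test list for the out-of-band .NET Framework update.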
Major revisions
Though there is a much smaller list of patches this month, Microsoft released several revisions to previous patches, including:
- CVE-2019-0887: This is an old patch that has been reported as publicly exploited. As a result, Microsoft has added the Remote Desktop client to the affected platforms list. To ensure compliance, make sure you have version 1.2.2691 of the remote desktop client installed.
- CVE-2021-34500: This is an unusual revision, as Microsoft has expanded the list of affected systems to include earlier versions of Windows 10, Windows 7, and Server 2012. It usually works the other way. If you are using old(er) versions of Windows, you may have to reference the Microsoft Knowledge Base article KB4497181 to ensure that you have the appropriate ESU MAK add-on key. This key will be required to obtain this latest patch for these legacy systems.
- CVE-2022-21871: This patch revision only affects users of Visual Studio 2019 16.7 and 16.9. It's purely informational; no action is required.
- CVE-2022-23254: This is an informational change to this patch's title. No further action necessary.
Mitigations and workarounds
This month Microsoft has published two mitigating factors, including:
- CVE-2022-21984: Microsoft has published a very brief mitigating factor for this DNS-related security issue, noting that, “to be vulnerable your DNS server must have dynamic updates enabled”. I hope that this helps.
- CVE-2022-21907: Microsoft has advised that this HTTP stack level zero-day issue does not apply to Server 2019 unless you have enabled the following registry setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. This mitigation only applies to Windows Server 2019 and Windows 10, version 1809 and does not apply to Windows 10, version 20H2 and newer. So, if you are on later desktop and server platforms, you need to apply this patch as soon as possible.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
There are a total of 22 (+1) updates to the Microsoft Edge (Chromium) browser this month. None are critical, with one patch rated moderate and the rest rated important. Unusually, there was an additional update for Microsoft Edge posted yesterday (CVE-2022-23246) that was included as part of an updated release note for Microsoft Edge security update found here. Add these Chrome (Edge and Chromium) updates to your regular update release schedule.
Windows
We were hoping for a quieter update this month and Microsoft really delivered, with no critical updates for Windows or Microsoft Office. Given that January's release was large and complex, several problems were encountered, including:
- VPN connectivity issues;
- Reported Domain Controller (DC) restarts;
- VM start failure(s);
- Reported ReFS issues.
To remedy these and other reported (minor) issues, a rare Out-of-Band (OOB) update was released on Jan 17. Microsoft has posted 26 patches this month, covering Hyper-V, printing, error/logging sub-systems, networking, and video codecs. Given the testing requirements for all these changes to the core operating system, we suggest a staged approach and adding these Windows updates to your standard update release schedule.
Microsoft Office
This month's patches for Microsoft Office will install on the following baselines:
- Office 2010, 2103, 2016 (client and server);
- SharePoint 2013 and 2106 (server).
Though Microsoft has published 11 updates (all rated important) for this release, only eight apply to Windows systems. Microsoft has shared some basic testing guidelines for the updates, including:
- Verify Excel file/open scenarios for untrusted XLS files;
- Focus on testing legacy content: ActiveX Controls, Pictures, Shapes, SmartArt, Charts, WordArt;
- SharePoint (on-premises): test creating a new Media web-part.
Microsoft also published a major known issue with this month's Office update, saying: “The Machine Translation service fails if the content contains certain HTML tags.” To work around this issue, see Publishing pages can't be translated in SharePoint Server 2019 (KB5011291). All the local Office installations (excluding click-to-run virtualized instances) require user interactions and do not significantly degrade the system if affected. These patches represent a low risk and have been documented to affect core functionality (potentially affecting dependent line-of-business applications). Add these updates to your standard Office update schedule.
Microsoft Exchange Server
Following the trend of a very light patch cycle, Microsoft has not released any updates for the Exchange Server platform.
Microsoft development platforms
Things are definitely light on the ground this month, but we do have a few very minor updates for Microsoft development tools, including two patches to Visual Studio (CVE-2022-21986 and CVE-2022-21991). Both of these minor updates are rated important by Microsoft and should be (almost casually) added to your standard development patch schedule.
Adobe (really just Reader)
Adobe released several security updates this month, but thankfully nothing for Adobe Reader. You can find Adobe's February release notes here; it relates to Adobe Premier, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Let's see what Adobe has in store for us in March.