With a lightweight July Patch Tuesday, it's time to put money into your IT processes

With a lightweight July Patch Tuesday, it is time to put money into your IT processes
Though this month’s Patch Tuesday replace from Microsoft offers with greater than 86 reported vulnerabilities, the testing and deployment profile for July ought to be simple to deal with. Use your time properly.

Traitov / Getty Images

Though we get a reprieve from Exchange updates on this month’s Patch Tuesday replace, extra printer updates are on the best way. Even with no updates for Microsoft Exchange or Visual Studio, Adobe is again with 15 essential updates for Adobe Reader. And Microsoft’s new patch deployment software Auto-Patch is now reside. (I all the time thought utility testing was the principle downside right here, however truly getting patches deployed continues to be powerful.)

Though the numbers are nonetheless fairly excessive (with 86+ reported vulnerabilities), the testing and deployment profile for July ought to be pretty average. We counsel taking the time to harden your Exchange Server defenses and mitigation processes, and put money into your testing processes.

You can discover extra info on the chance of deploying these Patch Tuesday updates in our useful infographic .

Key Testing Scenarios

Given the big variety of modifications on this July patch cycle, I’ve damaged down the testing eventualities into high-risk and standard-risk teams:

High Risk: These modifications are prone to embrace performance modifications, might deprecate current performance, and can probably require creating new testing plans.

Core printing performance has been up to date:

• Install and take a look at any new V4 print drivers on a neighborhood machine and print.
• Test new V4 printer connections utilizing consumer and server and print.
• Test current v4 printer connections
• Ensure GDI rendering and printer drivers generate the anticipated output

The core modifications relate to how Microsoft helps timestamp checking for kernel drivers, so testing purposes that require digitally signed binaries is vital for this cycle. The large change right here is that unsigned drivers shouldn’t load. This might trigger some utility points or compatibility issues. We suggest a scan of the appliance portfolio, figuring out all purposes that rely upon drivers (each signed and unsigned), and producing a take a look at plan that features set up, utility exercising, and uninstall. Having a comparability between pre- and post- patched machines can be useful, too.

The following modifications will not be documented as together with useful modifications, however will nonetheless require not less than “smoke testing” earlier than basic deployment:

• Test eventualities that make the most of Windows DevicePicker. Almost not possible to check — as most purposes use this widespread class. If your internally-developed purposes cross their fundamental smoke take a look at, you are superb.
• Test your line of enterprise purposes that reference the Microsoft cell CDP APIs. If you’ve got internally developed desktop purposes that talk with cell gadgets, a communications test could also be required.
• Test connections to the rasl2tp server. This means discovering and testing purposes which have a dependency on the RAS miniport driver over distant or VPN connections

And Curl. Specifically, CURL.EXE: — a command line software for sending recordsdata by way of HTTP protocols (therefore “consumer URL”) — has been up to date this month. Curl for Windows (the one that’s being up to date this month) is totally different from the Open Source venture curl. If you’re confused why the Curl venture workforce gives this, this is the reply:

“The curl software shipped with Windows is constructed by and dealt with by Microsoft. It is a separate construct that may have totally different options and capabilities enabled and disabled in comparison with the Windows builds provided by the curl venture. They do nonetheless construct curl from the identical supply code. If you’ve got issues with their curl model, report that to them. You can most likely assume that the curl packages from Microsoft will all the time lag behind the variations supplied by the curl venture itself.”

With that stated, we suggest groups that use the curl command (sourced from the Windows supported department) give their scripts a fast take a look at run. Microsoft has revealed a testing situation matrix that this month consists of:

• Use bodily machines and digital machines.
• Use BIOS-based machines and UEFI-enabled machines.
• Use x86, ARM, ARM64, and AMD64 machines.

Note: for every of those testing eventualities, a handbook shut-down, reboot and restart is usually recommended.

Known Issues

Each month, Microsoft features a record of recognized points that relate to the working system and platforms included on this replace cycle. For July, there are some advanced modifications to think about:

• Devices with Windows installations created from customized offline media or customized ISO picture may need Microsoft Edge Legacy eliminated by this replace, however not routinely changed by the brand new Microsoft Edge.
• After putting in the June 21, 2021 (KB5003690) replace, some gadgets can not set up new updates, such because the July 6, 2021 (KB5004945) or later updates. You will obtain the error message, “PSFX_E_MATCHING_BINARY_MISSING.” For extra info and a workaround, see KB5005322.
• After putting in this replace, IE mode tabs in Microsoft Edge would possibly cease responding when a web site shows a modal dialog field. This difficulty is resolved utilizing Known Issue Rollback (KIR) with the next group coverage downloads: Download for Windows 10, model 20H2 and Windows 10, model 21H1 .
• After putting in KB4493509, gadgets with some Asian language packs put in might obtain the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

Major Revisions

This month, Microsoft has not formally revealed any main revisions or updates to earlier patches. There was a form of “sneaky” replace from the .NET group that actually ought to have been included within the formal Microsoft documentation replace course of. However, that replace was merely documented help for later variations of Visual Studio.

Mitigations and Workarounds

Microsoft revealed one key mitigation for a Windows community vulnerability:

• CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability. Noting that there are not any publicly reported exploits for this community vulnerability, Microsoft nonetheless acknowledges that some directors might select to disable NFSV3 earlier than their server programs are absolutely patched. To disable this community function, use the PowerShell command. ” Set-NfsServerConfiguration -EnableNFSV3 $false.” There is not any must disable V4 (versus V3) because the later variations of this protocol will not be affected by this safety vulnerability.

Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (each desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, perhaps subsequent yr).

Browsers

It simply retains getting higher. The downward development for Microsoft’s browser reported vulnerability continues to trace ever decrease with simply two (CVE-2022-2294 and CVE-2022-2295) Chromium updates for this July. Both updates solely have an effect on Edge (Chromium) and had been launched final week. Chrome ought to routinely replace, with our preliminary evaluation exhibiting that each updates may have marginal impression on browser compatibility. You can examine this replace on the Google Blog, with the technical particulars discovered on Git. Add these low-profile, low-risk updates to your commonplace browser launch schedule.

Windows

With simply 4 essential updates and 16 rated necessary this month, Microsoft is basically giving IT admins a little bit of a break. The 4 essential Windows replace for this launch cycle embrace:

• CVE-2022-30221: This Windows vulnerability within the core graphics sub-system (GDI) may result in a distant code execution (RCE) situation.
• CVE-2022-22029 and CVE-2022-22039: These Windows Network file system points may lead to RCE eventualities on the compromised system.
• CVE-2022-22038: This low-level (Win32) RPC element, reported as troublesome to take advantage of, may result in very troublesome troubleshooting eventualities.

All of those essential updates have been formally confirmed as mounted, with no reviews of public exploits on Windows desktop programs. The remaining 14 updates are rated necessary by Microsoft and have an effect on the next Windows programs and parts:

• Print driver, Print Spooler and FAX parts;
• Hyper-V;
• Windows Kernel and Boot Manager;
• Windows Network File system, storage and the Fast FAT driver.

Unfortunately, Windows Server 2012 didn’t fare so effectively, with reviews of CVE-2022-22047 exploited within the wild. This Windows server vulnerability impacts the Client Server Run-Time subsystem (CRSS) which is the place all of the badly behaving consumer mode drivers hang around. If you’ve got any Windows Server 2012 below your care, this can be a “Patch Now” replace. Otherwise, add this very low-profile Windows replace to your commonplace launch schedule. And remember, Microsoft has delivered one other Windows 11 replace video; it is discovered right here .

Microsoft Office

Microsoft launched solely two (CVE-2022-33632 and CVE-2022-33633) updates to Microsoft Office this month. Both updates are rated necessary by Microsoft, and each require native, authenticated privileges to the goal system. Add these updates to your commonplace Office replace schedule.

Microsoft Exchange Server

It’s good that we get a break from Microsoft Exchange Server updates. Rather than merely resting, it might be value investing in your Exchange safety infrastructure. Microsoft has supplied some main enhancements on Exchange through the previous yr; listed here are just a few concepts on securing your Exchange Server:

• Microsoft Safety Scanner: This command line software is downloaded from Microsoft (should be refreshed each 10 days) and removes malware out of your goal system. It’s not a alternative for third-party instruments, but when there’s a concern a few machine, this can be a good first step.
• Exchange On-premises Mitigation Tool (EOMT): If you’re unable to shortly patch particular Exchange Servers, Microsoft gives a command line to mitigate in opposition to recognized assaults. This PowerShell script will each try and remediate in addition to mitigate your servers in opposition to additional assaults — noting that when finished, making use of patches is the highest precedence.
• Exchange Emergency Mitigation Service (EM): The Exchange Emergency Mitigation service (EM service) retains your Exchange Servers safe by making use of mitigations/updates/fixes to deal with any potential threats in opposition to your servers. It makes use of the cloud-based Office Config Service (OCS) to test for and obtain accessible mitigations and can ship diagnostic knowledge again to Microsoft.

All of those options and choices are predicated on utilizing not less than Office 2019 — one more reason Microsoft has strongly beneficial everybody transfer to Exchange Server 2019 not less than. The EM Service was final utilized in March 2021 to take care of a number of Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858). These had been particular assaults on on-premise servers. It’s useful to know this service is there, however I’m glad it has not been required just lately.

Microsoft Development Platforms

As with Microsoft Exchange, Microsoft has not revealed any “new” safety updates to the Microsoft .NET platform or instruments this month. However, there was an issue with June’s .NET replace, which was addressed this month. This month’s .NET launch resolves the difficulty that some variations of .NET weren’t addressed by the earlier patch — that is simply an informational replace. If you’re utilizing Microsoft Windows replace infrastructure, no additional motion is required.

Adobe (actually simply Reader)

This is a giant replace from Adobe, with 15 updates rated as essential and 7 rated necessary, all only for Adobe Reader. The essential updates primarily relate to reminiscence points and will result in the train of arbitrary code on the unpatched system. You can learn extra concerning the Adobe bulletin (APSB22-32) and Adobe safety bulletins right here. Add this utility particular replace to your “Patch Now” launch.

www.computerworld.com