Microsoft released a highly targeted but still important update on Tuesday that fixes 68 reported vulnerabilities (some publicly reported). Unfortunately, this month brings a new record: six zero-day flaws affecting Windows. As a result, we’ve added Windows and Exchange Server updates to our “Patch Now” schedule. Microsoft has also released a “defense in depth” advisory (ADV220003) to help secure Office deployments. And there are a small number of Visual Studio, Word, and Excel updates to add to your standard patch release schedule.
You can find more information about the risks of rolling out these Patch Tuesday updates in our infographic.
Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that update cycle. There are two major issues reported with Windows 11, both related to deploying and updating Windows 22H2 machines:
- Users updating to Windows 22H2 and the update or out-of-the-box experience may not complete successfully. Provisioning packages applied during initial setup are most likely to be affected. For more information, see Provisioning packages for Windows.
- Network transfers of large files (several gigabytes) may take longer than expected to complete on the latest version of Windows 11. You are more likely to encounter this problem when copying files to Windows 11 22H2 from a share network via Server Message Block (SMB), but the local copy of files may also be affected.
In addition to these issues, Microsoft SharePoint Server experienced two issues with the November and September updates:
- Web service methods of web part pages may be affected by the September 2022 security update. For more information, see KB5017733.
- Certain SharePoint 2010 workflow scenarios may be blocked. For more information, see KB5017760.
Technically speaking, Microsoft released eight revisions this month, all for the Chromium Edge browser. In practice, these “revisions” were standard Microsoft Edge browser updates and were included in our Browser section. No further revisions to previous patches or updates were released this month.
Mitigation and Workarounds
Only one workaround has been released for November Patch Tuesday:
- CVE-2022-37976: Active Directory Certificate Services elevation of privilege vulnerability. A system is vulnerable only if the Active Directory Certificate Services role and the Active Directory Domain Services role are installed on a server in the network. Definition of LegacyAuthenticationLevel – Win32 Applications | Microsoft Docs to 5=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY can protect most machine processes from this attack. For more information, see the next section on configuring system-wide security using DCOMCNFG.
No other mitigations or workarounds for Microsoft platforms have been released.
Each month, the Readiness Team scans for patches applied to Windows, Microsoft Office, and related technology/development platforms. We review each update, individual changes, and potential impact on enterprise environments. These test cases provide structured guidance on how best to deploy Windows updates in your environment.
High risk: This month, Microsoft reported no high-risk feature changes, which means it did not update or make any major changes to core APIs, features, or any of the core components or applications included in the Windows desktop and server ecosystems.
More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:
- Hyper-V Update: A simple startup and shutdown test of isolated VMs and containers will suffice for this minor update.
- Microsoft PPTP VPN: Practice your typical VPN scenarios (connect/disconnect/restart) and try to simulate an outage. Contrary to previous recommendations, no prolonged trial is required.
- Microsoft Photo App: Make sure your RAW image extensions work as expected.
- Microsoft ReFS and ExFat: A typical CRUD test (Create/Rename/Update/Delete) will suffice this month.
There were several updates to how Group Policies are implemented on Windows platforms this month. We suggest spending some time making sure the following features are working:
- Creation/deployment and deletion of GPO policy.
- Editing GPO policies, with a validation check to see if these updated policies have been applied OU-wide.
- Make sure all symlinks work as expected (redirects to user data).
And, with all the testing regimes required when modifying Microsoft GPOs, remember to use the “gpupdate /force” command to ensure that all changes have been committed to the target system.
Who uses the Windows Overlay Filter feature?
System engineers, who are they? If you had to create client machines for large automated enterprise deployments, you may need to use the Windows Overlay Filter (WoF) driver for WIM boot files. WoF allows significantly better compression rates of installer files and was introduced in Windows 8. If you’re in the midst of a major client-side deployment effort this month, make sure your WIM files are still accessible after the November update. If you’re looking for more information on this key Windows deployment feature, check out this WoF data compression blog post.
Unless otherwise stated, we must assume that each Patch Tuesday update will require testing of basic printing functions, including:
- printing from directly connected printers;
- large print jobs from servers (especially if they are also domain controllers);
- remote printing (using RDP and VPN).
Each month, we break down the release cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Including last week’s mid-cycle update for Microsoft Edge (Chromium), there are 10 Chromium kernel updates and eight fixes for Edge, for a total of 18 changes. For the 10 Chrome updates, you can refer to the Chrome Security page for more details. You can find links to all Microsoft updates here: CVE-2022-3652, CVE-2022-3653, CVE-2022-3654, CVE-2022-3655, CVE-2022-3656, CVE-2022-3657, CVE-2022-3660, CVE-2022-3661. The 18 updates are unobtrusive, low-impact browser stack updates and can be added to your standard desktop update schedule.
There’s good news and bad news this month for Windows. The bad news is that we have six days zero Windows with both publicly reported vulnerabilities and exploits reported in the wild. The good news is that only one of the vulnerabilities (which is incredible) is rated critical by Microsoft. This month’s update covers the following Windows features:
- Windows Script (the Windows scripting host or object);
- Networking (specifically how HTTPS is handled);
- Windows Printing (the print spooler, again);
- ODBC (the least of our worries this month).
We are seeing reports of problems this month with Kerberos. In response, Microsoft provided two Knowledge Base articles on how to handle the November changes:
Given the nature of these reported zero-days and given the relatively narrow profile of change this month, we recommend an immediate update for all Windows systems. Add these Windows Updates to your “Patch Now” program — and this time we really mean it.
Microsoft has released eight Office platform updates, affecting Word, Excel and SharePoint servers. There were no critical updates this month (no vulnerabilities in the preview pane), with each patch deemed important by Microsoft. Additionally, Microsoft has released a “Defense in Depth” advisory (ADV220003) for Office. These Microsoft advisories cover the following enhanced protection features:
These features merit further investigation; you can read more about these and other preventative security measures here. Add these low-impact Microsoft Office updates to your standard release schedule.
Microsoft Exchange server
Unfortunately, we have Microsoft Exchange Server updates on the list again this month. Microsoft released four updates; one (CVE-2022-41080) was classified as critical and the other three as important. The Critical Elevation of Privilege Vulnerability in Exchange has a rating of CVSS 8.8 and while we don’t see any reported exploits, it is a serious, low-complexity network access issue. Exchange admins need to fix their servers this weekend. Add this to your “Patch Now” release schedule.
Microsoft development platforms
Microsoft has released four updates, all deemed significant, for its Visual Studio platform. Visual Studio and Sysmon tools are quiet, non-emergency updates to quiet Microsoft developer tools. Add them to your regular developer patch schedule.
Adobe (actually just Reader)
No Adobe update for November. Given the number of patches released in the last month, that’s no surprise. We could see another big update from Adobe in December, given its normal update/release cadence.
Copyright © 2022 IDG Communications, Inc.