Zero-day flaws mean it’s time to fix Exchange and Windows


Microsoft’s Patch Tuesday update this month addresses 84 flaws, plus a zero-day affecting Microsoft Exchange that, at this time, remains unresolved. The Windows updates focus on Microsoft’s security and networking components, with hard-to-test updates for COM and OLE DB. Microsoft’s browsers get 18 updates, none of them critical or urgent.

That leaves the focus this month on Microsoft Exchange, and on rolling out the Exchange mitigations, rather than server updates, over the coming week. More information on the risks of deploying these Patch Tuesday updates can be found in this infographic.

Microsoft continues to improve both its vulnerability reporting and its notifications, with a new RSS feed, and Adobe followed suit by improving its reporting and release documentation. As a gentle reminder, Windows 10 21H1 support ends in December.

Main test scenarios

Given the large number of changes included this month, I’ve broken down the test cases into high-risk and standard-risk groups:

High risk: For October, Microsoft has not recorded any high-risk feature changes. This means that it has not made any major changes to the core APIs or functionality of any of the core components or applications included in the Windows Desktop and Server ecosystems.

More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:

  • A GDI+ update (GDIPLUS.DLL) requires testing of EMF files and 16-bit and 32-bit palette files (opening, printing and creating).
  • The Microsoft Desktop App Manager has been updated and requires both provisioning and deprovisioning of applications (installation and uninstallation tests).
  • The Windows Common Log File System (CLFS) has been updated and requires a short test of creating, reading, updating and deleting log files.

In addition to these changes and testing requirements, I’ve included some of the tougher test scenarios:

  • OLE DB: the venerable Microsoft OLE DB component has been updated, and all applications that depend on SQL Server 2012 or ADO.NET must be fully tested before deployment. This COM-based component separates data from application logic through a set of objects for data source connections, sessions, SQL commands and rowset data.
  • Roaming credentials, encryption keys and certificates: for more information on roaming credentials, see this post by Jim Tierney and this excellent introduction to credential roaming.
  • Encrypted VPN connections: Microsoft has updated the IKEv2 and L2TP/IPsec components this month. Tests of remote connections should last more than eight hours. If you are having trouble with this update, Microsoft has released an L2TP/IPsec VPN troubleshooting guide.

Unless otherwise stated, we should now assume that each Patch Tuesday update will require testing basic printing functions, including:

  • printing from directly connected printers;
  • large print jobs from servers (especially if they are also domain controllers);
  • remote printing (using RDP and VPN).

Known issues

Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that update cycle.

  • Devices with Windows installations created from custom offline media or a custom ISO image may have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. Fixing this issue will require a full/fresh install of Microsoft Edge.
  • Microsoft SharePoint: This update may affect some SharePoint 2010 workflow scenarios. It also generates “6ksbk” event tags in SharePoint Unified Logging System (ULS) logs.

A reported issue with the latest Microsoft Servicing Stack Update (SSU), KB5018410, is that Group Policy Preferences can fail. Microsoft is working on a solution; in the meantime, the company has released the following mitigations:

  1. Uncheck “Run in logged-on user’s security context (user policy option)”. Note: this may not resolve the problem for items that use a wildcard.
  2. In the affected Group Policy Preference item, change the “Action” from “Replace” to “Update”.
  3. If a wildcard character is used in the source or destination path, removing the trailing “\” (backslash, no quotes) from the destination may allow the copy to succeed.
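Before touching individual GPOs, it helps to know which Group Policy Preference file items actually have the three properties the mitigations above change. The following PowerShell is an added example, not code from the article or from Microsoft: it parses the Files.xml preference files under SYSVOL and flags items that run in the logged-on user’s context, use the Replace action, or copy with a wildcard to a destination ending in a backslash. Assumed: the commonly documented Files.xml layout (a Properties element whose action attribute uses the C/R/U/D codes, and a userContext="1" attribute for the user-context option), the SYSVOL path built from the current domain, and the constructed sample XML used for the demo run.

```powershell
# Added example: find GPP "Files" items affected by the KB5018410 copy failures.
# ASSUMPTION: Files.xml layout as commonly documented (File/Properties@action with
# C=Create, R=Replace, U=Update, D=Delete; File@userContext="1" = user-context option).
$ActionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Test-GppFileItem {
    param([Parameter(Mandatory)][string]$XmlPath, [string]$GpoName = '(unknown)')
    [xml]$doc = Get-Content -LiteralPath $XmlPath -Raw
    foreach ($item in $doc.Files.File) {
        $p = $item.Properties
        $action = $ActionNames[[string]$p.action]
        if (-not $action) { $action = [string]$p.action }
        $hasWildcard = ($p.fromPath -match '[\*\?]') -or ($p.targetPath -match '[\*\?]')
        [pscustomobject]@{
            Gpo               = $GpoName
            Item              = $item.name
            Action            = $action
            UserContext       = ($item.userContext -eq '1')       # mitigation 1
            ReplaceAction     = ($action -eq 'Replace')            # mitigation 2
            TrailingBackslash = $hasWildcard -and ($p.targetPath -match '\\$')   # mitigation 3
            Source            = $p.fromPath
            Target            = $p.targetPath
        }
    }
}

# Scan every GPO's user and computer Files.xml in SYSVOL (run from a domain-joined host).
# ASSUMPTION: default SYSVOL layout \\domain\SYSVOL\domain\Policies\{GUID}\...\Files\Files.xml
function Get-GppFileRisk {
    param([string]$Sysvol = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    Get-ChildItem -Path $Sysvol -Recurse -Filter 'Files.xml' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-GppFileItem -XmlPath $_.FullName -GpoName $_.FullName.Split('\')[-5] } |
        Where-Object { $_.UserContext -or $_.ReplaceAction -or $_.TrailingBackslash }
}

# Constructed demo Files.xml (not from a real domain): first item hits all three conditions.
$demoXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Files clsid="{215B2E53-57CE-475c-80FE-9EEC14635851}">
  <File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="*.cfg" status="*.cfg" userContext="1">
    <Properties action="R" fromPath="\\fs01\apps\cfg\*.cfg" targetPath="C:\App\Config\" />
  </File>
  <File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="readme.txt" status="readme.txt" userContext="0">
    <Properties action="U" fromPath="\\fs01\apps\readme.txt" targetPath="C:\App\readme.txt" />
  </File>
</Files>
'@
$tmp = Join-Path $env:TEMP 'Files.xml'
Set-Content -LiteralPath $tmp -Value $demoXml
Test-GppFileItem -XmlPath $tmp -GpoName 'Demo GPO' | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp
```

Run Get-GppFileRisk to get the short list for your domain, then make the changes in the Group Policy Management Editor rather than by editing the XML in SYSVOL, so the GPO version and the item’s change stamp are updated correctly.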

Major revisions

So far, Microsoft has not released any major revisions to its security advisories.

Mitigations and workarounds

There are two mitigations and four workarounds for this October Patch Tuesday, including:

CVE-2022-41803: Visual Studio Code elevation of privilege. Microsoft has released a quick workaround for this security vulnerability: “Create a C:\ProgramData\jupyter\kernels folder and configure it to be writable only by the current user.”
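The workaround quoted above is a least-privilege ACL change, and it is worth verifying rather than assuming, because C:\ProgramData normally hands every member of Users create rights through inheritance. The following PowerShell is an added example, not code from the article or from Microsoft: it creates the folder, breaks inheritance, grants write access to the current user only (SYSTEM and Administrators also keep full control, an assumption on my part since they could take ownership anyway), and then lists which identities can still write there. Assumed: the path from the quoted workaround, and that “current user” means the account running the script.

```powershell
# Added example: apply and verify the VS Code jupyter kernels folder workaround.
# ASSUMPTION: path as quoted in the workaround; "current user" = the account running this.
$KernelsPath = 'C:\ProgramData\jupyter\kernels'

function Set-UserOnlyWritableFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting ProgramData's permissive ACL and discard the inherited entries
    # instead of copying them into explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', $inherit, $none, 'Allow'),
        # ASSUMPTION: SYSTEM and Administrators keep full control; everyone else (incl. Users) is gone.
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $none, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $none, 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-FolderWriters {
    # Any Allow ACE carrying a write-class right counts; this is the check to run after the change.
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

Set-UserOnlyWritableFolder -Path $KernelsPath
Get-FolderWriters -Path $KernelsPath   # expect only the current user, SYSTEM and Administrators
```

Run it from the user account that will use VS Code; if that account cannot create folders under ProgramData, create the folder elevated first and then run Set-UserOnlyWritableFolder as that user so the ACL names the right principal.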

CVE-2022-22041: Windows Print Spooler elevation of privilege. Microsoft’s workaround is to stop the Print Spooler service on the affected machine with the following PowerShell commands: Stop-Service -Name Spooler -Force and then Set-Service -Name Spooler -StartupType Disabled. This stops the local print spooler on the machine and, with it, all print services used by that system.

Microsoft also noted that, for the reported IKE-related network vulnerabilities, systems are not affected if IPv6 is disabled; you can check whether the IKE and AuthIP IPsec Keying Modules service is running with the PowerShell command Get-Service Ikeext.
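Both of the workarounds above are blunt: disabling the spooler kills printing on the box, and Get-Service Ikeext on its own only tells you the service state, not whether IPv6 is still bound. The following PowerShell is an added example, not code from the article or from Microsoft: it decides whether a host plausibly needs its spooler before applying the spooler workaround, records the pre-change state so the change can be reverted once the update is deployed, and reports the IKEEXT and IPv6 state together. Assumed: “needs printing” is approximated as having a shared printer or a locally installed non-Microsoft printer, and “IPv6 disabled” is approximated by the ms_tcpip6 adapter binding (the DisabledComponents registry method is not checked).

```powershell
# Added example: guarded Print Spooler workaround with rollback, plus IKE/IPv6 exposure check.
function Test-HostNeedsSpooler {
    # ASSUMPTION: shared printers => print server; local non-Microsoft printers => users print here.
    $printers = @(Get-Printer -ErrorAction SilentlyContinue)
    $shared   = @($printers | Where-Object Shared)
    $physical = @($printers | Where-Object {
        $_.Type -eq 'Local' -and
        $_.PortName -notmatch '^(PORTPROMPT:|nul:|SHRFAX:)$' -and   # skip PDF/XPS/Fax virtual printers
        $_.DriverName -notmatch 'Microsoft'
    })
    [pscustomobject]@{
        SharedPrinters   = $shared.Count
        PhysicalPrinters = $physical.Count
        NeedsSpooler     = ($shared.Count -gt 0 -or $physical.Count -gt 0)
    }
}

function Disable-SpoolerWorkaround {
    param([string]$StateFile = "$env:ProgramData\spooler-workaround.json")
    $svc = Get-Service -Name Spooler
    # Save the pre-change state so Undo-SpoolerWorkaround can restore it after patching.
    [pscustomobject]@{
        StartType = $svc.StartType.ToString()
        Status    = $svc.Status.ToString()
        When      = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -LiteralPath $StateFile
    Stop-Service -Name Spooler -Force                 # the two commands from Microsoft's workaround
    Set-Service  -Name Spooler -StartupType Disabled
}

function Undo-SpoolerWorkaround {
    param([string]$StateFile = "$env:ProgramData\spooler-workaround.json")
    $saved = Get-Content -LiteralPath $StateFile -Raw | ConvertFrom-Json
    Set-Service -Name Spooler -StartupType $saved.StartType
    if ($saved.Status -eq 'Running') { Start-Service -Name Spooler }
}

function Get-IkeExposure {
    # IKEEXT = "IKE and AuthIP IPsec Keying Modules". Per the advisory FAQ, IPv6 disabled => not affected.
    # ASSUMPTION: IPv6 state approximated by the ms_tcpip6 binding on any adapter.
    $ike  = Get-Service -Name Ikeext
    $ipv6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue | Where-Object Enabled)
    [pscustomobject]@{
        IkeextStatus    = $ike.Status.ToString()
        IkeextStartType = $ike.StartType.ToString()
        Ipv6Adapters    = $ipv6.Count
        Exposed         = ($ike.Status -eq 'Running' -and $ipv6.Count -gt 0)
    }
}

Get-IkeExposure
$need = Test-HostNeedsSpooler
$need
if (-not $need.NeedsSpooler) { Disable-SpoolerWorkaround }   # later, after patching: Undo-SpoolerWorkaround
```

Keep the state file with your change record; the point of writing it is that the “temporary” workaround does not quietly become permanent on servers nobody prints from.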
Each month, we break down the release cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired???, maybe next year).

Browsers

Microsoft released 18 updates for Edge (Chromium). Only CVE-2022-41035 applies specifically to the browser; the others relate to Chromium. You can find this month’s release notes here. These are quiet, non-critical fixes for Microsoft’s latest browser; they can be added to your standard release schedule.

Windows

Microsoft is providing fixes for 10 critical vulnerabilities and 57 important vulnerabilities that cover the following Windows platform feature groups:

  • Windows Networking (DNS, TLS, remote access and the TCP/IP stack);
  • Cryptography (IKE and Kerberos extensions);
  • Printing (again);
  • Microsoft COM and OLE DB;
  • Remote Desktop (Connection Manager and API).

A COM+ vulnerability (CVE-2022-41033) has been reported as exploited in the wild. This makes things difficult for patch and update deployment teams. Testing COM objects is generally difficult because of the business logic required by, and contained within, the application. Also, figuring out which applications depend on this feature isn’t straightforward, especially for in-house or line-of-business applications that are business critical. We recommend that you assess, isolate and test key line-of-business applications that have COM and OLE DB dependencies before a general rollout of the October update. Add this Windows update to your “Patch Now” schedule. On the lighter side of things, Microsoft released another Windows 11 update video.
Microsoft Office

This month we get two critical updates (CVE-2022-41038 and CVE-2022-38048) and four updates deemed important for the Microsoft Office platform. Unless you’re managing multiple SharePoint servers, this is a relatively low-key update, with no preview-pane attack vectors and no reports of exploits in the wild. If you or your team had issues with Microsoft Outlook crashing (sorry, “closing”) last month, Microsoft offered the following advice:

  1. Log out of the desktop;
  2. Set the following registry value, which disables support diagnostics: [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General] “DisableSupportDiagnostics”=dword:00000001;
  3. Restart your system.
Given these changes and quiet updates, we suggest adding these Office patches to your standard release schedule.

Microsoft Exchange Server

We should have started with Microsoft Exchange this month. Critical remote code execution vulnerabilities (CVE-2022-41082 and CVE-2022-41040) in Exchange have been reported as exploited in the wild and have not been resolved by this security update. Exchange Server updates are available, and they are official Microsoft updates, but they do not fix these two vulnerabilities. The Microsoft Exchange Team Blog makes this point explicitly in the middle of its release note: “The October 2022 SUs do not contain fixes for the zero-day vulnerabilities publicly reported on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations to these vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.” Microsoft has released mitigation guidance for these serious Exchange security issues.

We recommend that you implement the URL Rewrite and remote PowerShell mitigations on all of your Exchange servers. Watch this space, as we expect an update from Microsoft in the coming week.
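The URL mitigation is an IIS URL Rewrite condition evaluated against the request path, and its effectiveness depends on the exact pattern and on the path being URL-decoded before the match, which is why Microsoft has revised it more than once. The following PowerShell is an added example, not code from the article or from Microsoft: it evaluates a block condition of that shape offline against constructed request paths so you can see what gets caught, including a percent-encoded variant. Assumed: the pattern below mirrors the shape of Microsoft’s revised rule (two lookaheads over the decoded REQUEST_URI) as I recall it, so confirm the current string on the Exchange Team blog, or let Microsoft’s EEMS/EOMT tooling apply it, rather than copying this one into production; the sample paths are constructed, not captured traffic.

```powershell
# Added example: offline evaluation of a URL Rewrite-style block condition for the Exchange zero-days.
# ASSUMPTION: pattern shape mirrors Microsoft's revised rule; verify the live string before use.
$BlockPattern = '(?=.*autodiscover)(?=.*powershell)'

function Test-ExchangeRequestUri {
    param([Parameter(Mandatory)][string]$RequestUri)
    # IIS evaluates {UrlDecode:{REQUEST_URI}}; match on the decoded form or %-encoded variants slip past.
    $decoded = [uri]::UnescapeDataString($RequestUri)
    [pscustomobject]@{
        Uri            = $RequestUri
        Decoded        = $decoded
        BlockedRaw     = [bool]($RequestUri -match $BlockPattern)   # what a rule without UrlDecode would see
        BlockedDecoded = [bool]($decoded    -match $BlockPattern)   # -match is case-insensitive by default
    }
}

# Constructed sample requests (not captured traffic).
$samples = @(
    '/owa/auth/logon.aspx',
    '/autodiscover/autodiscover.json?a@b.com/powershell/',
    '/Autodiscover/Autodiscover.json?a@b.com/PowerShell/',
    '/autodiscover/autodiscover.json?a@b.com/%50ower%73hell/',
    '/ecp/default.aspx'
)
$samples | ForEach-Object { Test-ExchangeRequestUri -RequestUri $_ } | Format-Table -AutoSize
```

The fourth sample is the one to look at: BlockedRaw is false and BlockedDecoded is true, which is the whole argument for applying the condition to the decoded URI. The second mitigation, removing remote PowerShell from non-administrative users, is an Exchange Management Shell change (Set-User with -RemotePowerShellEnabled $false per user) and is not shown here.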

Microsoft development platforms

Microsoft released four updates (all rated important) for Visual Studio and .NET. Although the vulnerabilities (CVE-2022-41032, CVE-2022-41034 and CVE-2022-41083 among them) have standard entries in the Microsoft Security Update Guide (MSUG), the Visual Studio team also released these 17.3 release notes. (And, just like Windows 11, we even get a video.) These four updates are low-risk, unobtrusive updates to the development platform. Add them to your standard developer release schedule.

Adobe (really just Reader)

Adobe Reader has been updated (APSB22-46) to fix six memory-safety vulnerabilities. With this release, Adobe has also updated its release documentation to include known issues and planned release notes. These notes cover both Windows and macOS and both versions of Reader (DC and Continuous). All six reported vulnerabilities carry Adobe’s lowest priority rating, 3, for which Adobe offers the following remediation guidance: “Adobe recommends that administrators install the update at their discretion.”

We agree: add these Adobe Reader updates to your standard patch deployment schedule.

Copyright © 2022 IDG Communications, Inc.
