Credit to Author: Greg Lambert | Date: Fri, 14 Jan 2022 12:10:00 -0800
For this week’s Patch Tuesday, the first of the year, Microsoft addressed 97 security issues, six of them rated critical. Though six vulnerabilities have been publicly reported, I do not classify them as zero-days. Microsoft has fixed a lot of security-related issues and is aware of several known issues that may have inadvertently caused significant server issues including:
There are a variety of known issues this month, and I’m not sure whether we’ll see more issues reported with the January server patches. You can find more information on the risk of deploying these latest updates with our helpful infographic.
Key testing scenarios
There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature added.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the company’s latest builds, including:
Microsoft is working on the Windows 11 issues, but has yet to respond to the Hyper-V, ReFS, or Domain Controller problems. One of the best ways to see whether known issues might affect your target platform is to check out the many configuration options for downloading patch data at the Microsoft Security Update guidance site or the summary page for this month’s security update.
Microsoft has not released any major revisions (or minor documentation changes) for the January Patch release.
Although there are no published mitigations or workarounds relating to the January patches, we expect a response from Microsoft to the Server 2022 patch-related issues within the next few days.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
This month sees a mixed bag of updates for Microsoft browsers. Though we don’t get any patches for the legacy browsers, Microsoft has released five updates that are specific to the Chromium version of Edge. In addition to these changes, the Chromium project has released a further 24 updates to the Chromium browser core. You can find more information about the Microsoft updates here, with the release notes for the Chromium project updates found here. Microsoft has published detailed information on the Microsoft Edge-specific issues (found in the Security Update Guide) while Google refrains from publishing detailed security and vulnerability information until all patches are released.
Add these Chrome (Edge and Chromium) updates to your regular update release schedule.
This is a significant update to the Windows platform with seven updates rated critical, and a hefty 80 patches rated as important. There are now several reported issues with this month’s server patches affecting (probably all) Windows domain controllers. If you are seeing the following error message post update — “The system process ‘C:\Windows\system32\lsass.exe’ terminated unexpectedly with status code -1073741819. The system will now shut down and restart.” — you are not alone. There are also significant numbers of reports that virtual machines on recently updated Hyper-V do not start.
Normally, we would recommend a significant testing cycle before a production release of Windows updates. However, this month’s update addresses CVE-2022-21907, “which is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds,” said Danny Kim, principal architect at Virsec. The CVE is the latest example of how software capabilities can be warped and weaponized; it targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata. The attack works by providing a specially crafted message that can lead to remote code execution.
Microsoft says this vulnerability is “wormable,” so we recommend that you add this month’s Windows update to your “Patch Now” schedule.
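To make the HTTP trailer feature mentioned above concrete, the following added example (not from Microsoft or the original article) parses a constructed, well-formed chunked HTTP/1.1 request and separates its trailer fields from the headers and body, which is what a proxy or log pipeline needs in order to record which requests carry trailers. The function names, the host name and the X-Checksum field are assumptions made for the illustration.

```python
# Added illustration; function and variable names are hypothetical.
# Constructed, well-formed HTTP/1.1 request: chunked body plus one trailer field.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"7\r\n, world\r\n"
    b"0\r\n"
    b"X-Checksum: constructed-value\r\n"
    b"\r\n"
)
HEX = b"0123456789abcdefABCDEF"

def parse_fields(block):
    """Parse CRLF-separated 'Name: value' lines into {lowercase name: value}."""
    fields = {}
    for line in filter(None, block.split(b"\r\n")):
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed field line")
        fields[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return fields

def parse_chunked_request(raw):
    """Return (headers, body, trailers) for one HTTP/1.1 message."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    headers = parse_fields(head.partition(b"\r\n")[2])  # skip the request line
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return headers, rest, {}  # trailers exist only with chunked encoding
    body = bytearray()
    while True:
        size_line, sep, rest = rest.partition(b"\r\n")
        digits = size_line.split(b";")[0].strip()  # drop chunk extensions
        if not sep or not digits or any(c not in HEX for c in digits):
            raise ValueError("malformed chunk-size line")
        size = int(digits, 16)
        if size == 0:
            break  # last chunk; the trailer section follows
        if rest[size:size + 2] != b"\r\n":
            raise ValueError("chunk shorter than declared or missing CRLF")
        body += rest[:size]
        rest = rest[size + 2:]
    if rest.startswith(b"\r\n"):
        return headers, bytes(body), {}  # empty trailer section
    block, sep, _ = rest.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("unterminated trailer section")
    return headers, bytes(body), parse_fields(block)
```

The trailer fields arrive after the final zero-length chunk, so software that inspects only the header section never sees them.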
Windows Testing Guidelines
This month’s Windows patches included a major update to NTFS (with no functional changes); for more information and suggested testing scenarios, refer to the Microsoft document Transactional NTFS (TxF).
Microsoft has released four updates for the venerable Office productivity suite (one rated critical, the remaining three, important). The critical patch (CVE-2022-21840) addresses a remote code execution vulnerability in the Microsoft Core libraries that (thankfully) requires user interaction, as in the following scenario described by Microsoft: “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.” So, it’s 2022 and by clicking on an email, we can just give it all away.
Microsoft has confirmed that these four patches fully address the issue, so please add this update to your standard Office patch release schedule.
There are three updates to the Microsoft Exchange Server platform this month. With two rated as important (CVE-2022-21969 and CVE-2022-21855), the focus should be on the critical patch CVE-2022-21846. This vulnerability has a very high CVSS rating of 9.0. However, the risk of exploitation is much reduced due to the propagation nature of this vulnerability’s attack vector. To be successful, an attacker must be present on the network or able to access an adjacent component on the target system (such as Bluetooth).
Microsoft offered the following testing guidelines for these three patches, which include:
Fortunately, we are not expecting the challenging configuration issues this month that we’ve seen in past updates. So, “test before deploy” and add these Exchange updates to your standard server update schedule.
Microsoft development platforms
For this cycle, Microsoft released a single update (CVE-2022-21911) rated as important for its development platforms. This denial-of-service attack does not require user interaction or admin privileges to succeed in compromising a target system. Microsoft has published an official fix for the issue, which may affect .NET COM servers and regular expressions. These components will need some testing before deployment of the single .NET update. You may also have to download these and future updates in a separate file for .NET 4.8 patches.
Microsoft has published a blog on .NET 4.8 release cadences and methodologies. Add this update to your regular patch release schedule.
Adobe (really just Reader)
It’s back with a vengeance! Adobe has published so many vulnerabilities for its Adobe Reader (and Acrobat) products, I initially thought that the long list of memory-related issues addressed the entire Adobe suite.
Adobe Reader has seen no fewer than 26 updates, with 15 rated critical, three as important, and another seven as moderate. All versions are affected, and all currently supported platforms will require an update. You can read more about this (very) long list of updates here. Add these Adobe updates to your “Patch Now” schedule.