April's Patch Tuesday: a lot of large, diverse and urgent updates
Credit to Author: Greg Lambert | Date: Fri, 15 Apr 2022 10:40:00 -0700
This week’s Patch Tuesday release was huge, diverse, risky, and urgent, with late update arrivals for Microsoft browsers (CVE-2022-1364) and two zero-day vulnerabilities affecting Windows (CVE-2022-26809 and CVE-2022-24500). Fortunately, Microsoft has not released any patches for Microsoft Exchange, but this month we do have to deal with more Adobe (PDF) printing-related vulnerabilities and the associated testing effort. We have added the Windows and Adobe updates to our “Patch Now” schedule, and will be watching closely to see what happens with any further Microsoft Office updates.
As a reminder, Windows 10 1909/20H2 (Home and Pro) will reach their end-of-servicing dates on May 10. And if you are looking for an easy way to update your server-based .NET components, Microsoft now offers .NET auto-updates for servers. You can find more information on the risk of deploying these Patch Tuesday updates in this useful infographic.
Given what we know so far, there are three reported high-risk changes included in this month’s patch release, including:
More generally, given the large number and diverse nature of the changes for this month’s cycle, we recommend testing the following areas:
Microsoft has updated a number of APIs, including key file and kernel components (FindNextFile, FindFirstStream and FindNextStream). Given the ubiquity of these common API calls, we suggest creating a server stress test that employs very heavy local file loads, and paying particular attention to the Windows Installer update, which requires both install and uninstall testing. Validating application uninstallation routines has fallen out of vogue lately due to improvements in application deployment, but the following should be kept in mind when applications are removed from a system:
I have found that keeping application uninstallation Installer logs and comparing (hopefully the same) information across updates is probably the only accurate method — “eyeballing” a cleaned system is not sufficient. And finally, given the changes to the kernel in this update, test (smoke test) your legacy applications. Microsoft has now included deployment and reboot requirements in a single page.
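One way to compare uninstall logs across updates, as an added example that is not part of the original article: it strips the volatile prefix from verbose Windows Installer log lines and diffs the removal operations recorded before and after patching. The function names and the sample log lines are constructed for illustration.

```python
import re

# Volatile prefix on verbose MSI log lines: "MSI (s) (PID:TID) [hh:mm:ss:mmm]: "
PREFIX = re.compile(r"^MSI \([cs]\) \([0-9A-Fa-f]+[:!][0-9A-Fa-f]+\) \[[\d:]+\]: ")
# Script operations that matter when checking what an uninstall cleaned up
OP = re.compile(r"^Executing op: (RegOpenKey|RegRemoveValue|FileRemove|FolderRemove)\((.*)\)$")
TARGET = {"FileRemove": "FileName", "FolderRemove": "Folder"}

def removal_ops(log_text):
    """Return the set of (operation, target) removals found in one log."""
    ops, current_key = set(), None
    for line in log_text.splitlines():
        m = OP.match(PREFIX.sub("", line.strip()))
        if not m:
            continue
        name, args = m.groups()
        # Simplification: assumes argument values contain no commas
        fields = dict(f.split("=", 1) for f in args.split(",") if "=" in f)
        if name == "RegOpenKey":
            current_key = fields.get("Key")   # later value removals refer to this key
        elif name == "RegRemoveValue":
            ops.add((name, f"{current_key}\\{fields.get('Name', '')}".lower()))
        else:
            ops.add((name, fields.get(TARGET[name], "").lower()))
    return ops

def compare_uninstalls(before_log, after_log):
    """Diff the removals logged before and after an update was applied."""
    before, after = removal_ops(before_log), removal_ops(after_log)
    return {"missing_after_update": sorted(before - after),
            "new_after_update": sorted(after - before)}

# Constructed sample: uninstall log captured before the update
BASELINE = r"""MSI (s) (A4:1C) [14:02:11:345]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\ExampleApp,,BinaryType=0,,)
MSI (s) (A4:1C) [14:02:11:346]: Executing op: RegRemoveValue(Name=InstallDir,Value=C:\Program Files\ExampleApp\,)
MSI (s) (A4:1C) [14:02:11:350]: Executing op: FileRemove(,FileName=C:\Program Files\ExampleApp\app.exe,,ComponentId={11111111-1111-1111-1111-111111111111})
MSI (s) (A4:1C) [14:02:11:351]: Executing op: FileRemove(,FileName=C:\Program Files\ExampleApp\helper.dll,,ComponentId={22222222-2222-2222-2222-222222222222})
MSI (s) (A4:1C) [14:02:11:360]: Executing op: FolderRemove(Folder=C:\Program Files\ExampleApp\,Foreign=0)
"""
# Constructed sample: same uninstall after the update; one file and the folder are left behind
PATCHED = r"""MSI (s) (3C:F0) [09:15:42:101]: Executing op: RegOpenKey(Root=-2147483646,Key=SOFTWARE\ExampleApp,,BinaryType=0,,)
MSI (s) (3C:F0) [09:15:42:102]: Executing op: RegRemoveValue(Name=InstallDir,Value=C:\Program Files\ExampleApp\,)
MSI (s) (3C:F0) [09:15:42:110]: Executing op: FileRemove(,FileName=C:\Program Files\ExampleApp\app.exe,,ComponentId={11111111-1111-1111-1111-111111111111})
"""

if __name__ == "__main__":
    print(compare_uninstalls(BASELINE, PATCHED))
```

Real Windows Installer logs are normally written as UTF-16, so decode them with that encoding before passing the text to `removal_ops`.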
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle. There are more than usual this month, so I have referenced a few key issues that relate to the latest builds from Microsoft, including:
For more information about known issues, please visit the Windows Health Release site.
This month, we see two major revisions to updates that have been previously released:
Mitigations and workarounds
This is a large update for a Patch Tuesday, so we have seen a larger-than-expected number of documented mitigations for Microsoft products and components, including:
And for the following reported vulnerabilities, Microsoft recommends “blocking port 445 at the perimeter firewall.”
You can read more here about securing these vulnerabilities and your SMB networks.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers
There were no critical updates to any of Microsoft’s browsers. There were 17 updates to the Chromium project’s Edge browser, which, given how they were implemented, should have marginal to no effect on enterprise deployments. All these updates were released last week as part of the Chromium update cycle. However, it looks like we will see another set of critical/emergency Chrome updates with reports of CVE-2022-1364 exploited in the wild. This will be the third set of emergency updates this year.
If your IT team is seeing large numbers of unexpected browser crashes, you may be vulnerable to this very serious type confusion issue in the V8 JavaScript engine. Microsoft has not released any updates this month for its other browsers. So, now is a good time to ensure your emergency change management practices are in place to support large, very rapid changes to key desktop components (such as browser updates).
Windows
This Patch Tuesday delivered a large number of updates to the Windows platform, with over 117 reported fixes (now 119) covering key components of both desktop and server platforms, including:
With all of these varied patches, this update carries a diverse testing profile and, unfortunately, with the recent reports of CVE-2022-26809 and CVE-2022-24500 exploited in the wild, a sense of urgency. In addition to these two wormable, zero-day exploits, Microsoft has recommended immediate mitigations (blocking network ports) against five reported vulnerabilities. We have also been advised that, for most large organizations, testing Windows Installer (install, repair and uninstall) is recommended for core applications, further increasing the technical effort required before general deployment of these patches. And, yes, printing is going to be an issue. We suggest a focus on printing large PDF files over remote (VPN) connections as a good start to your testing regime.
Add this large Windows update to your “Patch Now” release schedule.
Though Microsoft has released five updates for the Office platform (all rated as important), this is really a “let’s update Excel” release, with CVE-2022-24473 and CVE-2022-26901 addressing potential arbitrary code execution (ACE) issues. These are two serious security issues that, when paired with an elevation-of-privilege vulnerability, lead to a “click-to-own” scenario. We fully expect that this vulnerability will be reported as exploited in the wild in the next few days. Add these Microsoft Office updates to your standard patch release schedule.
Microsoft Exchange Server
Fortunately for us, Microsoft has not released any update for Exchange Server this month. That said, the return of Adobe PDF issues should keep us busy.
Microsoft development platforms
For this cycle, Microsoft released six updates (all rated as important) to its development platform affecting Visual Studio, GitHub, and the .NET Framework. Both the Visual Studio (CVE-2022-24513 and CVE-2022-26921) and the GitHub (CVE-2022-24765, CVE-2022-24767) vulnerabilities are application-specific and should be deployed as application-specific updates. However, the .NET patch (CVE-2022-26832) affects all currently supported .NET versions and will likely be bundled with the latest Microsoft .NET quality updates (read more about these updates here). We recommend deploying the .NET April 22 quality updates with this month’s patches to reduce your testing time and deployment effort.
Adobe (really just Reader)
Well, well, well… what do we have here? Adobe Reader is back this month with PDF printing causing more headaches for Windows users. For this month, Adobe has released APSB22-16, which addresses over 62 critical vulnerabilities in how both Adobe Reader and Acrobat handle memory issues (see Use after Free) when generating PDF files. Almost all of these reported security issues could lead to remote code execution on the target system. Additionally, these PDF-related issues are linked to several Windows (both desktop and server) printing issues addressed this month by Microsoft.
Add this update to your “Patch Now” release schedule.