Credit to Author: Greg Lambert| Date: Fri, 17 Jun 2022 12:09:00 -0700
June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (there are no Microsoft Exchange Server or Adobe updates this month). A zero-day vulnerability in a key Windows component, CVE-2022-30190, leads to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.
You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
Given the large number of changes included in this June patch cycle I have broken out the testing scenarios for high risk and standard risk groups.
These high-risk changes are likely to include functionality changes, may deprecate existing functions, and will likely require new testing plans. Test your signed drivers on physical and virtual machines (BIOS and UEFI) and across all platforms (x86 and 64-bit):
Each of these high-risk test cycles must include a manual shut-down, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update, because of this month’s changes to Windows Installer (MSI). Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. Challenge each application package as part of a Quality Assurance (QA) process that covers the key application lifecycle stages: installation, activation, update, repair, and then uninstall.
Not testing these stages could leave IT systems in an undesirable state — at the very least, it will be an unknown state.
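The lifecycle check described above, as an added example that is not part of the article: the script drives one MSI package through install, repair and uninstall with msiexec, verifies registration in the Uninstall key between stages, and stops on any exit code that Windows Installer does not document as success. The package path, log directory and product name are assumptions; point them at a package from your own portfolio.

```powershell
# Added example (not from the article): exercise the MSI lifecycle stages the
# text calls for (install, repair, uninstall) for one package and fail loudly
# on any non-success exit code. Paths are assumptions.
param(
    [string]$MsiPath = 'C:\Packages\ContosoApp.msi',   # assumed package path
    [string]$LogDir  = 'C:\Temp\MsiQA'                  # assumed log location
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# msiexec exit codes that mean success: 0, 3010 (reboot required),
# 1641 (reboot initiated). Anything else is a failed stage.
$SuccessCodes = 0, 3010, 1641

function Invoke-MsiStage {
    param([string]$Stage, [string[]]$Arguments)
    $log = Join-Path $LogDir ("{0}-{1:yyyyMMdd-HHmmss}.log" -f $Stage, (Get-Date))
    $p = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList ($Arguments + @('/qn', '/norestart', '/l*v', "`"$log`"")) `
            -Wait -PassThru
    if ($SuccessCodes -notcontains $p.ExitCode) {
        throw "Stage '$Stage' failed with exit code $($p.ExitCode); see $log"
    }
    [pscustomobject]@{ Stage = $Stage; ExitCode = $p.ExitCode; Log = $log }
}

# Read the ProductCode from the MSI Property table so that repair and
# uninstall address exactly the product the installer registered.
function Get-MsiProductCode {
    param([string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
              @("SELECT Value FROM Property WHERE Property='ProductCode'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
}

# Check registration through the Uninstall keys rather than Win32_Product,
# which triggers a consistency check (and possible repair) of every MSI.
function Test-ProductRegistered {
    param([string]$ProductCode)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (Test-Path (Join-Path $k $ProductCode)) { return $true }
    }
    return $false
}

$code = Get-MsiProductCode -Path $MsiPath
$results = @()
$results += Invoke-MsiStage -Stage 'install' -Arguments @('/i', "`"$MsiPath`"")
if (-not (Test-ProductRegistered $code)) { throw "Product $code not registered after install" }

# /fomus = reinstall missing/older files, rewrite registry and shortcuts
$results += Invoke-MsiStage -Stage 'repair' -Arguments @('/fomus', $code)

$results += Invoke-MsiStage -Stage 'uninstall' -Arguments @('/x', $code)
if (Test-ProductRegistered $code) { throw "Product $code still registered after uninstall" }

$results | Format-Table -AutoSize
```

Run it from an elevated prompt on a test VM you can snapshot, then read the verbose logs for the repair stage in particular: a repair that silently re-caches a package from a network share that no longer exists is exactly the “unknown state” the text warns about, and it only shows up in the log.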
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
As you may be aware, Microsoft published an out-of-band update (OOB) last month (on May 19). This update affected the following core Windows Server based networking features:
The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controllers; desktop platforms are not affected. Because of this earlier patch, Microsoft recommends that this June’s update be installed first on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC), and only then on all DC role computers. Alternatively, pre-populate CertificateMappingMethods to 0x1F on all DCs, as documented in the registry key information section of KB5014754. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.
Did you get that? I must note, with a certain sense of irony, that the most detailed, order-specific set of instructions Microsoft has ever published is buried deep, mid-way through a very long technical article. I hope everyone is paying attention.
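The two registry steps from that ordering, as an added example (not from the article or from KB5014754 itself): one function pre-populates CertificateMappingMethods to 0x1F on a DC before the DC is patched, the other removes the override once every intermediate server and DC has the June update. The registry location is the Schannel key that KB5014754 documents for this value; the DC-role guard and the verbose messages are my additions.

```powershell
# Added example (not from the article): pre-populate or remove the
# CertificateMappingMethods override on a domain controller, following the
# order in the text. Key path per KB5014754; the value is a DWORD and 0x1F
# enables every certificate mapping method.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'CertificateMappingMethods'

function Get-CertificateMappingMethods {
    $item = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$ValueName
}

# Step 1 (before the June update reaches the DCs): set 0x1F so certificate
# authentication keeps working while application servers are still unpatched.
function Set-CertificateMappingMethodsCompat {
    [CmdletBinding()] param()
    $current = Get-CertificateMappingMethods
    if ($current -eq 0x1F) { Write-Verbose "$ValueName is already 0x1F"; return }
    $shown = if ($null -eq $current) { '<absent>' } else { '0x{0:X}' -f $current }
    Write-Verbose "Changing $ValueName from $shown to 0x1F"
    New-ItemProperty -Path $SchannelKey -Name $ValueName -PropertyType DWord -Value 0x1F -Force | Out-Null
}

# Step 2 (only after the June update is on every intermediate server and DC):
# remove the override so the patched default takes effect.
function Remove-CertificateMappingMethodsCompat {
    [CmdletBinding()] param()
    if ($null -ne (Get-CertificateMappingMethods)) {
        Write-Verbose "Removing $ValueName override"
        Remove-ItemProperty -Path $SchannelKey -Name $ValueName
    }
}

# Guard: this is a DC-side setting. Win32_ComputerSystem.DomainRole is
# 4 for a backup DC and 5 for a primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) { throw 'Run this on a domain controller only.' }

# Usage: uncomment the stage you are executing.
# Set-CertificateMappingMethodsCompat -Verbose
# Remove-CertificateMappingMethodsCompat -Verbose
```

Keep a record of which DCs carry the override; the removal step is the one that gets forgotten, and an orphaned 0x1F leaves those DCs accepting the weaker mapping methods the May and June updates were meant to retire.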
Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:
I think we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but neither change has a significant testing profile. DCOM changes are different: they are tough to test and generally require a business owner to validate not just the installation and instantiation of the DCOM objects, but the business logic and the desired outcomes. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you may have some unpleasant surprises, with very difficult-to-debug troubleshooting scenarios.
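A starting point for the DCOM inventory the text asks for, as an added example that is not part of the article: it lists every registered DCOM application with its AppID and activation settings so a business owner can map each to the application that depends on it, then scans the System log for the DCOM hardening events. The assumption here is that this month’s DCOM changes are the hardening phases described in KB5004442, whose events are 10036 (server side, activation refused) and 10037/10038 (client side); the output path is also an assumption.

```powershell
# Added example (not from the article): inventory DCOM applications and check
# for DCOM hardening events. Event IDs 10036/10037/10038 are the ones
# KB5004442 documents for the DCOM hardening (assumption: that is the change
# in scope). Output path is an assumption.
$OutFile = 'C:\Temp\dcom-inventory.csv'

# Registered DCOM applications joined to their activation settings.
function Get-DcomInventory {
    Get-CimInstance -ClassName Win32_DCOMApplication | ForEach-Object {
        $setting = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$($_.AppID)'"
        [pscustomobject]@{
            Name                = $_.Name
            AppID               = $_.AppID
            RunAsUser           = $setting.RunAsUser
            AuthenticationLevel = $setting.AuthenticationLevel
            LocalService        = $setting.LocalService
            RemoteServerName    = $setting.RemoteServerName
        }
    }
}

# Recent DCOM hardening events from the System log.
function Get-DcomHardeningEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$inventory = @(Get-DcomInventory)
$inventory | Export-Csv -Path $OutFile -NoTypeInformation
"{0} DCOM applications written to {1}" -f $inventory.Count, $OutFile

$events = @(Get-DcomHardeningEvents -Days 7)
if ($events.Count -gt 0) {
    "DCOM hardening events in the last 7 days (investigate before deploying):"
    $events | Format-Table -AutoSize -Wrap
} else {
    "No DCOM hardening events in the last 7 days."
}
```

The CSV is the list to hand to application owners; the event scan is what to run on the first ring after deployment, because a 10036 on a server names the client address and user whose activation was refused, which is usually the only clue you get before a business process fails.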
For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
Making this change will require a restart of the target server.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
We are seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:
A key factor in this downward trend of browser-related security issues is the decline, and now retirement, of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft, which has provided a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.
With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus, especially given the low-risk, low-profile updates to Microsoft browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including NTFS, Windows networking, the codec (media) libraries, and the Hyper-V and Docker components. As mentioned earlier, the most difficult to test and troubleshoot will be the kernel updates and the Local Security Authority Subsystem Service (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily because the number of core infrastructure changes should be picked up in early testing. (Microsoft has published another video about this month’s changes to the Windows 11 platform, found here.)
Microsoft has fixed the widely exploited Windows “Follina” MSDT zero-day vulnerability, tracked as CVE-2022-30190, which, together with the other three critical updates (CVE-2022-30136, CVE-2022-30163 and CVE-2022-30139), leads to a “Patch Now” recommendation.
Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office core foundation library), all of them rated important. The SharePoint Server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker’s location. This Excel vulnerability is closer to an arbitrary code execution vulnerability: because it requires user interaction and access to a local target system, the risk is much reduced. Add these low-profile Office updates to your standard patch deployment schedule.
We have a SQL server update this month, but no Microsoft Exchange Server updates for June. This is good news.
Microsoft has released a single, relatively low-risk update (CVE-2022-30184) to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Visual Studio 2022 for Mac (still in preview) as soon as possible, because as of July (yes, next month) Visual Studio 2019 for Mac will no longer be supported. And yes, losing patch support in the same month the next version is released is tight. Add this single .NET update to your standard development patch release schedule.
There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for its other (non-Acrobat, non-PDF) applications, all of which carry Adobe’s lowest priority rating, 3. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.