Patch Tuesday: Two zero-day flaws in Windows zero-days immediate attention
Microsoft’s December Patch Tuesday updated delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).
Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. (The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates.)
And Windows Hot-Patching for Azure Virtual Machines (VMs) is now available.
Each month, Microsoft includes a list of known issues that relate to the OS and platforms included in this update cycle.
In preparation for the month’s update to Windows 10 and 11 systems, we recommend runningan assessment on all application packages and look for a dependency on the system file SQLSRV32.DLL. If you need to inspect a specific system, open a command prompt and run the command “tasklist /m sqlsrv32.dll.” This should list any processes that depend on this file.
Microsoft published just one revision this month, with no other revisions to previous patches or updates released.
While there were several documentation updates and FAQs added to this release, Microsoft published a single mitigation:
Each month, the team at Readiness analyzes the latest updates and provides testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Given the large number of changes included this cycle, I have broken down the testing scenarios into high-risk and standard-risk groups.
High Risk: This month, Microsoft has not recorded any high-risk functionality changes. This means it has not made major changes to core APIs or functionality to any of the core components or applications included in the Windows desktop and server ecosystems.
More generally, given the broad nature of this update (Office and Windows) we suggest testing the following Windows features and components:
In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios for this update:
Following last month’s update to Kerberos authentication, there were several reported issues related to authenticating, especially across remote-desktop connections. Microsoft detailed the following scenarios and related issues addressed this month:
All these scenarios require significant testing before a general deployment of the December update.
Unless otherwise specified, we should now assume that each Patch Tuesday update will require testing of core printing functions including:
This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms. As this is an end-of-year update, there are quite a few “End of Service” changes, including:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Following a welcome trend of no critical updates to Microsoft’s browsers, this update delivers just three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115) all rated important. These updates affect the Microsoft Chromium browser and should have marginal to low impact on your applications. Add these updates to your standard patch release schedule.
Microsoft released patches to the Windows ecosystem this month that address three critical updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated important and two rated moderate. Unfortunately, this month we have those two zero-days affecting Windows with reports of CVE-2022-44698 exploited in the wild and CVE-2022-44710 publicly disclosed. We have crafted specific testing recommendations, noting that there are reported issues with Kerberos, Hyper-V and ODBC connections.
Add this update to your “Patch Now” release schedule.
Microsoft addressed two critical vulnerabilities in SharePoint Server (CVE-202244693 and CVE-2022-44690) that are relatively easy to exploit and do not require user interaction. The remaining two vulnerabilities affect Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are low-profile, low impact changes. Unless you’re hosting your own SharePoint servers (oh, why?), add these Microsoft updates to your standard release schedule.
Microsoft has not released any updates, patches or security mitigations for Microsoft Exchange Server. Phew!
Microsoft addressed two critical vulnerabilities in Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Though both security issues are rated critical, they require local admin access and are considered both difficult and complex to exploit. Mark Russinovich’s Sysmon also needs an update with the elevation-of-privilege vulnerability CVE-2022-44704 and all supported versions of Visual Studio will be patched. Add these updates to your standard developer release schedule.
Adobe has released three category 3 (equivalent to Microsoft’s rating of important) updates to Illustrator, Experience Manager and Campaign (Classic). No updates to Adobe Reader this month.