The Patch Tuesday focus for April: Windows and Exchange (again)

Author: Greg Lambert | Date: Fri, 16 Apr 2021 10:57:00 -0700

On Tuesday, Microsoft rolled out another broad series of updates across its Windows ecosystems, including four vulnerabilities affecting Windows that have been publicly disclosed and one security flaw — reportedly exploited already — that affects the Windows kernel. That means the Windows updates get our highest “Patch Now” rating, and if you have to manage Exchange servers, be aware that the update requires additional privileges and extra steps to complete.

It also looks as if Microsoft has announced a new way to deploy updates to any device, wherever it is located, with the Windows Update for Business Service. For more information on this cloud-based management service, you can check out this Microsoft video or this Computerworld FAQ. I have included a helpful infographic, which this month looks a little lopsided (again), as all of the attention should be on the Windows and Exchange components.

Due to the major update to the Disk Management utility this month (which we consider high-risk), we recommend testing partition formatting and partition extensions. This month’s update also includes changes to the following lower-risk Windows components:

The Windows Servicing stack (including Windows Update and MSI Installer) was updated this month with CVE-2021-28437, so larger deployments may want to include a test of install, update, self-heal, and repair functionality in their application portfolio.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the latest builds from Microsoft, including:

You can find Microsoft’s summary of known issues for this release in a single page.

For this April update cycle, Microsoft published a single major revision:

As of now, it does not appear Microsoft has published any mitigations or workarounds for this April release.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

For the past 10 years, we have reviewed potential impacts from changes to Microsoft browsers (Internet Explorer and Edge) due to the nature of interdependent libraries on Windows systems (both desktop and servers). Internet Explorer (IE) used to have direct (some would say too direct) integration with the OS, which meant that any change to IE had to be managed as a change to the OS (most problematically for servers). As of this month, this is no longer the case: Chromium updates are now a separate code-base and application entity, and Microsoft Edge (Legacy) will now automatically be removed and replaced with the Chromium code-base. You can read more about this update (and removal) process online.

I think this is welcome news, as the constant recompiles of IE and the subsequent testing profile were a heavy burden for most IT admins. It’s also nice to see that the Chromium update cycle is moving from a six-week cycle to a four-week cycle in tune with the Microsoft update cadence. Given the nature of these changes to the Chromium browser, add this update to your standard patch release schedule.

This month, Microsoft worked to address 14 critical vulnerabilities in Windows and 68 remaining security issues rated as important. Two of the critical issues relate to Media Player; the remaining 12 relate to problems in the Windows Remote Procedure Call (RPC) function. We have broken down the remaining updates (including important and moderate ratings) into the following functional areas:

For testing these functional groups, refer to the recommendations detailed above. For the critical patches: testing Windows Media Player is easy, while testing RPC calls both within and between applications is another matter. To make matters worse, these RPC issues, though not wormable, are serious individually and dangerous as a group. As a result of these concerns, we recommend a “Patch Now” release schedule for this month’s updates.

As we assess the Office Updates for each monthly security release, the first questions I usually ask of Microsoft’s Office updates are:

Fortunately, all four of the issues addressed by Microsoft this month are rated as important and have not landed in any of the above three “worry bins.” In addition to these security basics, I have the following questions for this April Office update:

If you are running ActiveX controls, please don’t. If you are running Office 2007, now is a really good time to move to something supported (like Office 365). And, if you are experiencing language issues, please refer to this support note (KB5003251) from Microsoft on how to reset your language settings post-update. The Office, Word, and Excel updates are major updates and will require a standard testing/release cycle. Given the lower urgency of these vulnerabilities, we suggest you add these Office updates to your standard release schedule.

Unfortunately, Microsoft Exchange has four critical updates that need attention. It’s not super urgent like last month, but we have given them a “Patch Now” rating. Some attention will be required when updating your servers this time. There have been a number of reported issues with these updates when applied to servers with UAC controls in place.

When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. Make sure to run this update as an administrator or your server may be left in a state between updates, or worse in a disabled state. When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web (OWA) and the Exchange Control Panel (ECP) might stop working.

This month, a reboot will definitely be required for your Exchange Servers.
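As an added example (not code from this article or from Microsoft), the following PowerShell script applies an Exchange security update the way the paragraphs above require: it refuses to run unless the session is elevated, installs the .MSP through msiexec with a log instead of a double-click, and then probes the OWA and ECP health-check pages that break when the patch only half-applies. The .MSP path and the host name used for the health check are placeholders, and the healthcheck.htm endpoints are assumed to exist (Exchange 2013 and later).

```powershell
# Added example: elevated install of an Exchange .MSP with a post-install OWA/ECP check.
# Assumptions: run on the Exchange server itself; $MspPath is a placeholder;
# $HealthCheckHost must match a name on the server's IIS certificate.
param(
    [Parameter(Mandatory)] [string] $MspPath,   # placeholder, e.g. C:\Updates\Exchange-KBxxxxxxx.msp
    [string] $HealthCheckHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# 1. Refuse to continue unless the session is elevated. A non-elevated (UAC "Normal mode")
#    run leaves some files un-updated and gives no error, which is the failure described above.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not elevated. Re-run from a PowerShell window started with 'Run as administrator'."
}
if (-not (Test-Path -LiteralPath $MspPath)) { throw "Update file not found: $MspPath" }

# 2. Install through msiexec so the elevated token is used and a verbose log is kept.
#    /update applies the patch, /passive shows progress without prompts, /norestart lets
#    you schedule the reboot the update needs rather than having the installer force it.
$logPath = Join-Path $env:TEMP ("ExchangeUpdate-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList @('/update', "`"$MspPath`"", '/passive', '/norestart', '/L*v', "`"$logPath`"")

# 0 = success; 3010 = success, reboot required (expected for this month's Exchange updates).
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); review $logPath before touching the server again."
}

# 3. Post-install check: OWA and ECP are what stop working after a half-applied update.
#    Managed Availability serves a healthcheck.htm page under each virtual directory.
foreach ($vdir in 'owa', 'ecp') {
    $url = "https://$HealthCheckHost/$vdir/healthcheck.htm"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30
        "{0}: HTTP {1}" -f $vdir, $r.StatusCode
    } catch {
        Write-Warning "$vdir health check failed: $($_.Exception.Message). Check IIS app pools and $logPath."
    }
}
"Install finished with exit code $($proc.ExitCode). Reboot the server to complete the update."
```

A failed health check after exit code 0 or 3010 is the signal to compare the Exchange build number against the expected post-update build before rebooting, rather than assuming the reboot will fix it.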

Microsoft development platforms

Microsoft has released 12 updates, all rated as important for April. All of the addressed vulnerabilities have a high CVSS rating of 7 or above and cover the following Microsoft product areas:

Looking at these updates and how they have been implemented this month, I find it hard to see how there could be an impact beyond the very minor changes to each application. Microsoft has not published critical testing or mitigation for any of these updates, so we recommend a standard “Developer” release schedule for them.

I can’t believe it. No further word on Adobe updates. No crazy Flash vulnerabilities to hijack your schedule this month. So, in the words of my favorite news reader, No Gnus is good Gnus.

We will retire this section next month and break out the Office and Exchange updates into separate sections for easier readability.