May's Patch Tuesday updates make urgent patching a must
Credit to Author: Greg Lambert | Date: Sat, 14 May 2022 05:51:00 -0700
This past week’s Patch Tuesday started with 73 updates, but ended up (so far) with three revisions and a late addition (CVE-2022-30138) for a total of 77 vulnerabilities addressed this month. Compared with the broad set of updates released in April, we see a greater urgency in patching Windows — especially with three zero-days and several very serious flaws in key server and authentication areas. Exchange will require attention, too, due to new server update technology.
There were no updates this month for Microsoft browsers and Adobe Reader. And Windows 10 20H2 (we hardly knew ye) is now out of support.
You can find more information on the risks of deploying these Patch Tuesday updates in this helpful infographic, and the MSRC Center has posted a good overview of how it handles security updates here.
Given the large number of changes included with this May patch cycle, I’ve broken down the testing scenarios into high-risk and standard-risk groups:
High Risk: These changes are likely to include functionality changes, may deprecate existing functions and will likely require creating new testing plans:
The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment of May’s patches:
This month’s testing will require several reboots of your testing resources and should include both virtual and physical (BIOS/UEFI) machines.
Microsoft includes a list of known issues that affect the operating system and platforms included in this update cycle:
Microsoft has really upped its game when discussing recent fixes and updates for this release with a useful update highlights video.
Though there is a much reduced list of patches this month compared to April, Microsoft has released three revisions including:
For May, Microsoft has published one key mitigation for a serious Windows network file system vulnerability:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has not released any updates to either its legacy (IE) or Chromium (Edge) browsers this month. We are seeing a downward trend of the number of critical issues that have plagued Microsoft for the past decade. My feeling is that moving to the Chromium project has been a definite “super plus-plus win-win” for both the development team and users.
Speaking of legacy browsers, we need to prepare for the retirement of IE coming in the middle of June. By “prepare” I mean celebrate — after, of course, we have ensured that legacy apps do not have explicit dependencies on the old IE rendering engine. Please add “Celebrate the retirement of IE” to your browser deployment schedule. Your users will understand.
The Windows platform receives six critical updates this month and 56 patches rated important. Unfortunately, we have three zero-day exploits, too:
In addition to these zero-day issues, there are three other issues that require your attention:
Given the number of serious exploits and the three zero-days in May, add this month’s Windows update to your “Patch Now” schedule.
Microsoft released just four updates for the Microsoft Office platform (Excel, SharePoint) all of which are rated important. All these updates are difficult to exploit (requiring both user interaction and local access to the target system) and only affect 32-bit platforms. Add these low-profile, low-risk Office updates to your standard release schedule.
Microsoft released a single update to Exchange Server (CVE-2022-21978) that is rated important and appears pretty difficult to exploit. This elevation-of-privilege vulnerability requires fully authenticated access to the server, and so far there have not been any reports of public disclosure or exploitation in the wild.
More importantly this month, Microsoft introduced a new method to update Microsoft Exchange servers that now includes:
This is an attempt to solve the problem of Exchange admins updating their server systems within a non-admin context, resulting in a bad server state. The new EXE format allows for command line installations and better installation logging. Microsoft has helpfully published the following EXE command line example:
“Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains”
Note, Microsoft recommends that you have the %Temp% environment variable set before using the new EXE installation format. If you follow the new method of using the EXE to update Exchange, remember you will still have to (separately) deploy the monthly SSU update to ensure your servers are up to date. Add this update (or EXE) to your standard release schedule, ensuring that a full reboot is actioned when all updates are completed.
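As an added example (not from the article, and not Microsoft's own tooling), the PowerShell wrapper below turns the points above into pre-flight checks before the EXE is launched: it refuses to run outside an admin context (the bad-server-state scenario the new format is meant to prevent), confirms %Temp% resolves to an existing directory, and records a transcript of the run so the improved logging has somewhere to land. The two switches are the ones from Microsoft's published example; the Setup.exe path and log directory are placeholders you would replace.

```powershell
# Added example wrapper around the new Exchange SU EXE format.
# Assumptions: $SetupExe and $LogDir are placeholder paths; the two switches
# are taken from Microsoft's published command-line example.
param(
    [string]$SetupExe = 'C:\ExchangeSU\Setup.exe',   # placeholder: path to the downloaded SU EXE
    [string]$LogDir   = 'C:\ExchangeSU\Logs'         # placeholder: where to keep a transcript of the run
)

# 1. Refuse to continue unless the session is elevated. Installing the SU from a
#    non-admin context is the failure mode that leaves the server in a bad state.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) session; do not install the SU in a non-admin context.'
}

# 2. Microsoft's note: %Temp% must be set (and point at a real directory) before the EXE runs.
if ([string]::IsNullOrWhiteSpace($env:TEMP) -or -not (Test-Path -LiteralPath $env:TEMP -PathType Container)) {
    throw "The %Temp% environment variable is not set to an existing directory (current value: '$env:TEMP')."
}

if (-not (Test-Path -LiteralPath $SetupExe -PathType Leaf)) {
    throw "Setup.exe not found at $SetupExe"
}

# 3. Keep a transcript alongside the installer's own logs.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date)))

try {
    # The command-line install, spelled exactly as Microsoft's example does.
    # ($setupArgs rather than $args, which PowerShell reserves as an automatic variable.)
    $setupArgs = @('/IAcceptExchangeServerLicenseTerms_DiagnosticDataON', '/PrepareAllDomains')
    Write-Host "Running: $SetupExe $($setupArgs -join ' ')"
    $proc = Start-Process -FilePath $SetupExe -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
    Write-Host "Setup.exe exited with code $($proc.ExitCode)"
    if ($proc.ExitCode -ne 0) {
        throw "Exchange SU installation failed (exit code $($proc.ExitCode)); review the setup logs before rebooting."
    }
}
finally {
    Stop-Transcript
}

# 4. The SSU is still a separate deployment, and a full reboot follows once every
#    update is in. The script only reminds the admin so neither step is skipped.
Write-Warning 'Deploy the monthly SSU separately, then perform a full reboot once all updates are complete.'
```

The elevation check comes first on purpose: a failed check should stop before anything touches the server, and the non-zero exit code is surfaced rather than swallowed so the transcript shows why a run stopped.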
Microsoft development platforms
Microsoft has released five updates rated important and a single patch with a low rating. All these patches affect Visual Studio and the .NET framework. As you will be updating your Visual Studio instances to address these reported vulnerabilities, we recommend that you read the Visual Studio April update guide.
To find out more about the specific issues addressed from a security perspective, the May 2022 .NET update blog posting will be useful. Note that .NET 5.0 has now reached end of support; before you upgrade to .NET 7, it may be worth checking on some of the compatibility or “breaking changes” that need to be addressed. Add these medium-risk updates to your standard update schedule.
Adobe (really just Reader)
I thought that we might be seeing a trend. No Adobe Reader updates for this month. That said, Adobe has released a number of updates to other products found here: APSB22-21. Let’s see what happens in June — maybe we can retire both Adobe Reader and IE.