Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days

Credit to Author: Greg Lambert | Date: Sat, 13 Aug 2022 04:58:00 -0700

Microsoft’s August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it’s back!) and Visual Studio — and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment.

The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it’s time to pay attention to Microsoft updates again. We have made “Patch Now” recommendations for Windows, Exchange and Adobe for this month.

You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

Given the large number of changes included in this August patch cycle, I have broken down the testing scenarios into high risk and standard risk groups:

High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans:

The following updates are not documented as functional changes, but still require a full test cycle:

Given the changes to the SSU, Windows Boot Manager and updates to the Windows kernel (WIN32KY.SYS) this month, it may be worth having a look at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF). You will have to know C++ or C# and you will need the Windows Driver Kit (WDK). Note that for each of these testing scenarios, a manual shut-down, reboot and restart is suggested, with a focus on Boot Manager entries in the event viewer logs.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. This month, there are some really complex changes:

And for the latest release of Windows 11, it looks as if this month’s update may lead to the utility XPS Viewer behaving badly (using increasing processor and memory resources) before closing unexpectedly (i.e. badly). A reboot will solve the issue until Microsoft posts a fix.

Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months:

Probably the most important workaround this month relates to Microsoft Outlook crashing and locking up immediately after start-up. Microsoft explains, “When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding.” Microsoft is currently working on the issue and we expect an update soon. Microsoft offered the following workarounds:

You can find out more about Microsoft Diagnostic settings here. This is a little embarrassing for Microsoft as this is another significant Office issue following the recent Uber receipt crashing issue.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft released three updates to its Edge browser (CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796). Following a trend, none of these are rated as critical. There were also 17 updates to the Chromium project. Google has published all these changes in its update log. For further information, refer to the Chromium security update page. Along with these security fixes, there were a few new features in the latest stable release (103) which can be found here. Add these low-profile updates to your standard patch release schedule.

Windows

Microsoft addressed 13 critical issues and 43 issues rated important this month. This is a fairly broad update that covers the following key Windows features:

In addition to this large update, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability) has been reported as both publicly disclosed and exploited in the wild, making this a serious Windows zero-day. The vulnerability is a path traversal flaw that attackers can exploit to copy an executable to the Windows Startup folder when a user opens a specially crafted file received through an email client or downloaded from the web. In lighter news, you can find the latest Windows 11 update video here. Add these critical Windows updates to your “Patch Now” release schedule.
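Because the end result described above is an executable landing in a Startup folder, a quick triage check on endpoints is to list executable and script files in the all-users and per-user Startup folders along with their timestamps, signature status and hash. The PowerShell below is an added example, not code from the original article or from Microsoft; the `$DaysBack` parameter and the extension list are assumptions chosen for illustration.

```powershell
# Added example: triage check for executables or scripts sitting in Startup folders.
# $DaysBack and $extensions are illustrative assumptions; tune them for your estate.
param(
    [int]$DaysBack = 30
)

$extensions = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta'
$cutoff     = (Get-Date).AddDays(-$DaysBack)

# All-users Startup folder plus each profile's per-user Startup folder.
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
$profileRoot = Split-Path -Path $env:PUBLIC -Parent
$startupDirs += Get-ChildItem -Path $profileRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' } |
    Where-Object { Test-Path -LiteralPath $_ }

$findings = foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    # Shortcuts (.lnk) and desktop.ini are normal here; only executable content is reported.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Recent    = ($_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff)
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest files first; unsigned or recently created entries deserve a closer look.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so other users' profile folders are readable; without elevation only the current user's and the all-users folders are covered.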

Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month’s release cycle delivers only four updates, all rated important. Microsoft Excel, Outlook and a few core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.

Unfortunately, we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to include self-extracting EXEs. You will not find these latest updates in the Microsoft catalog, so I have included a list of updates available for the following specific builds of Exchange Server:

Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134) which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security-related fixes immediately (italics added by Microsoft). To get the latest updates, you may also have to run the Exchange SetupAssist PowerShell script.

Your organization may already be comfortable with the new update format, but if you are in doubt about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me a while just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month’s updates to your “Patch Now” schedule, noting that all updates this month will require a server reboot.

Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically challenging blind “external entity” injection (XXE) attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited through a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.

Who would have thought it? We are back this August with three updates rated critical and four as important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month’s patch cycle. All seven reported vulnerabilities relate to memory leak issues and could lead to a remote code execution scenario (RCE), requiring immediate attention. Add these Adobe updates to your “Patch Now” schedule.
