Critical zero-days make September's Patch Tuesday a 'Patch Now' release
With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reports of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month’s Patch Tuesday release gets a “Patch Now” priority. Key testing areas include printing, Microsoft Word, and in general application un-installations. (The Microsoft Office, .NET and browser updates can be added to your standard release schedules.)
You can find more information on the risk of deploying these Patch Tuesday updates with this helpful infographic.
Given the large number of changes included in the September patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups:
High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require the creation of new testing plans:
The following updates are not documented as functional changes, but still require a full test cycle:
In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios for this update:
Testing these important and often updated features is now a fact of life for most IT departments, requiring dedicated time, personal and specialised processes to ensure repeatable consistent results.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle.
Starting at 12 a.m. Saturday, Sept.10, the official time in Chile advanced 60 minutes in accordance with the Aug. 9 announcement by the Chilean government of a daylight-saving time (DST) time zone change. This moved the DST shift from Sept. 4 to Sept. 10; the time change will affect Windows apps, timestamps, automation, workflows, and scheduled tasks. (Authentication processes that rely on Kerberos may also be affected.)
As of Sept. 16, Microsoft has not published any major revisions to its security advisories.
There are four mitigations and workarounds included in this Patch Tuesday release, including:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has released a single update to the Edge browser (CVE-2022-38012) that has been rated as low ,even though it could lead to remote code execution scenario due to its difficult exploitation chain. In addition, there are 15 updates to the Chromium project. Slightly out of sync with Patch Tuesday, Microsoft released the latest version of the Edge Stable channel on Sept. 15 that contains a fix for CVE-2022-3075. You can read more about this update’s release notes and can find out more about Chromium updates. Add these low-profile browser updates to your standard release schedule.
Note: you will have to deploy a separate application update to Edge — this may require additional application packaging, testing, and deployment.
Microsoft addressed three critical issues (CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722) and 50 issues rated important this month. This is another broad update that covers the following key Windows features:
For Windows 11 users, here is this month’s Windows 11 video update. The three critical updates all have NIST ratings of 9.8 (out of 10). Coupled with the three exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) these make this month’s Windows update a “Patch Now” release.
Microsoft released seven security patches to the Office platform affecting Visio, PowerPoint, SharePoint and SharePoint Server. The Microsoft Visio and PowerPoint updates are low-profile deployments that should be added to your standard Office update schedules. The SharePoint Server updates (CVE-2022-38008 and CVE-2022-37961) are not rated critical, but they could lead to a remote code execution scenario (though difficult to exploit). We recommend adding these two updates to your server update schedule, noting that all patched SharePoint Servers will require a restart.
Fortunately for us (and all IT admins) Microsoft has not published any security advisories for Microsoft Exchange products this month.
Microsoft published three updates rated important for their developer tools platform (CVE-2022-26929, CVE-2022-38013 and CVE-2022-38020) affecting Microsoft .NET and the Visual Studio platform. These three updates are relatively low risk to deploy and should be added to your standard developer release schedule.
Adobe published six security bulletins affecting: Animate, Bridge, Illustrator, InCopy, InDesign and RoboHelp. However, there were no updates to Adobe Reader or other related PDF products. This may be the result of Adobe being otherwise engaged with the $20 billion purchase of Figma.