Patch Tuesday includes 6 Windows zero-day flaws; patch now!

Microsoft on Tuesday released a tightly focused but still significant update that addresses 68 reported vulnerabilities (some of them publicly disclosed). Unfortunately, this month brings a new record: six zero-day flaws affecting Windows. As a result, we have added both the Windows and Exchange Server updates to our “Patch Now” schedule. Microsoft also published a “defense in depth” advisory (ADV220003) to help secure Office deployments. And there are a small number of Visual Studio, Word, and Excel updates to add to your standard patch release schedule.

You can find more information on the risks of deploying these Patch Tuesday updates in our infographic.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. There are two major reported issues with Windows 11 — both related to deploying and updating Windows 22H2 machines:

In addition to these issues, Microsoft SharePoint Server has experienced two issues with the November and September updates:

Technically speaking, Microsoft published eight revisions this month, all for the Chromium Edge browser. In practice, these “revisions” were standard updates to the Microsoft Edge browser and have been included in our Browser section. No other revisions to previous patches or updates were released this month.

A single workaround has been published for the November Patch Tuesday:

No other mitigations or workarounds for Microsoft platforms were released.

Each month, the Readiness team analyzes the patches applied to Windows, Microsoft Office, and related technology/development platforms. We look at each update, the individual changes and the potential impact on enterprise environments. These testing scenarios offer some structured guidance on how to best deploy Windows updates to your environment.

High Risk: This month, Microsoft did not report any high-risk functionality changes, meaning it has neither updated nor made major changes to core APIs, functionality or any of the core components or applications included in the Windows desktop and server ecosystems.

More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:

There were several updates to how group policies are implemented on Windows platforms this month. We suggest spending some time ensuring that the following features are working:

And, as with all testing regimes required when making changes to Microsoft GPOs, remember to use the “gpupdate /force” command to ensure that all changes have been committed to the target system.

Who uses the Windows Overlay Filter Feature?

System engineers, that’s who. If you have had to build client machines for large automated enterprise deployments, you may have had to work with the Windows Overlay Filter (WoF) driver for WIM boot files. WoF allows for significantly better compression ratios of installation files and was introduced in Windows 8. If you are in the middle of a large client-side deployment effort this month, ensure that your WIM files are still accessible after the November update. If you’re looking for more information on this key Windows deployment feature, check out this blog post on WoF data compression.

Unless otherwise specified, we should assume that each Patch Tuesday update will require testing of core printing functions including:

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Including last week’s mid-cycle update to Microsoft Edge (Chromium), there are 10 updates to the Chromium core and eight patches to Edge, for a total of 18 changes. For the 10 Chrome updates, you can refer to the Chrome Security page for more details. You can find links to all of the Microsoft updates here: CVE-2022-3652, CVE-2022-3653, CVE-2022-3654, CVE-2022-3655, CVE-2022-3656, CVE-2022-3657, CVE-2022-3660, CVE-2022-3661. All 18 updates are low-profile, low-impact updates to the browser stack and can be added to your standard desktop update schedule.

There’s good and bad news this month for Windows. The bad news is we have six Windows zero-days with both publicly reported vulnerabilities and reported exploits in the wild. The good news is that, incredibly, only one of the vulnerabilities is rated critical by Microsoft. This month’s update covers the following Windows features:

We are seeing some reports of problems this month with Kerberos. In response, Microsoft has provided two Knowledge Base articles on how to handle the November changes:

Given the nature of these reported zero-days, and accounting for the relatively narrow change profile this month, we recommend immediate patching for all Windows systems. Add these Windows updates to your “Patch Now” schedule — and this time we really mean it.

Microsoft released eight updates to the Office platform, affecting Word, Excel and SharePoint Server. There were no critical updates this month (no preview pane vulnerabilities), with each patch rated important by Microsoft. In addition, Microsoft released a “Defense in Depth” advisory (ADV220003) for Office. This Microsoft advisory covers the following enhanced protection features:

These features are worth further examination; you can read more about these and other preventative security measures here. Add these low-impact Microsoft Office updates to your standard release schedule.

Unfortunately, we have Microsoft Exchange Server updates back on the roster this month. Microsoft released four updates; one (CVE-2022-41080) was rated as critical and the other three as important. The critical elevation of privilege vulnerability in Exchange has a rating of CVSS 8.8 and, though we don’t see reported exploits, this is a serious, low-complexity, network-accessible issue. Exchange administrators need to patch their servers this weekend. Add this to your “Patch Now” release schedule.

Microsoft released four updates, all rated important, to its Visual Studio platform. Both the Visual Studio and Sysmon updates are low-profile, non-urgent changes to discrete Microsoft developer tools. Add these to your regular developer patch schedule.

No updates from Adobe for November. Given the number of patches released last month, this is no surprise. We may see another big update from Adobe in December, given its normal update/release cadence.