This past week's Patch Tuesday started with 73 updates, but ended up (so far) with three revisions and a late addition (CVE-2022-30138) for a total of 77 vulnerabilities addressed this month. Compared with the broad set of updates released in April, we see a greater urgency in patching Windows — especially wiith three zero-days and several very serious flaws in key server and authentication areas. Exchange will require attention, too, due to new server update technology.
There were no updates this month for Microsoft browsers and Adobe Reader. And Windows 10 20H2 (we hardly knew ye) is now out of support.
You can find more information on the risks of deploying these Patch Tuesday updates in this helpful infographic, and the MSRC Center has posted a good overview of how it handles security updates here.
Key testing scenarios
Given the large number of changes included with this May patch cycle, I've broken down the testing scenarios into high-risk and standard-risk groups:
High Risk: These changes are likely to include functionality changes, may deprecate existing functions and will likely require creating new testing plans:
- Test your enterprise CA certificates (both new and renewed). Your domain server KDC will automatically validate the new extensions included in this update. Look for failed validations!
- This update includes a change to driver signatures that now include timestamp checking as well as authenticode signatures. Signed drivers should load. Unsigned drivers should not. Check your application test runs for failed driver loads. Include checks for signed EXEs and DLLs too.
The following changes are not documented as including functional changes, but will still require at least "smoke testing" before general deployment of May's patches:
- Test your VPN clients when using RRAS servers: include connect, disconnect (using all protocols: PPP/PPTP/SSTP/IKEv2).
- Test that your EMF files open as expected.
- Test your Windows Address Book (WAB) application dependencies.
- Test BitLocker: start/stop your machines with BitLocker enabled and then disabled.
- Validate that your credentials are accessible via VPN (see Microsoft Credential Manager).
- Test your V4 printer drivers (especially with the later arrival of CVE-2022-30138).
This month's testing will require several reboots to your testing resources and should include both (BIOS/UEFI) virtual and physical machines.
Known issues
Microsoft includes a list of known issues that affectthe operating system and platforms included in this update cycle:
- After installing this month's update, Windows devices that use certain GPUs might cause apps to close unexpectedly, or generate an exception code (0xc0000094 in module d3d9on12.dll) in apps using Direct3D Version 9. Microsoft has published a KIR group policy update to resolve this issue with the following GPO settings: Download for Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1, and Windows 10, version 21H2.
- After installing updates released Jan. 11, 2022 or later, apps that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might fail or generate an access violation (0xc0000005) error. It appears that applications that depend on the System.DirectoryServices API are affected.
Microsoft has really upped its game when discussing recent fixes and updates for this release with a useful update highlights video.
Major revisions
Though there is a much reduced list of patches this month compared to April, Microsoft has released three revisions including:
- CVE-2022-1096: Chromium: CVE-2022-1096 Type Confusion in V8. This March patch has been updated to include support for the latest version of Visual Studio (2022) to allow for the updated rendering of webview2 content. No further action is required.
- CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This April patch has been updated to include ALL supported versions of Visual Studio (15.9 to 17.1). Unfortunately, this update may require some application testing for your development team, as it affects how webview2 content is rendered.
- CVE-2022-30138: Windows Print Spooler Elevation of Privilege Vulnerability. This is an informational change only. No further action is required.
Mitigations and workarounds
For May, Microsoft has published one key mitigation for a serious Windows network file system vulnerability:
- CVE-2022-26937: Windows Network File System Remote Code Execution Vulnerability. You can mitigate an attack by disabling NFSV2 and NFSV3. The following PowerShell command will disable those versions: "PS C:\Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false." Once done. you will need to restart your NFS server (or preferably reboot the machine). And to confirm that the NFS server has been updated correctly, use the PowerShell command "PS C:\Get-NfsServerConfiguration."
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
Microsoft has not released any updates to either its legacy (IE) or Chromium (Edge) browsers this month. We are seeing a downward trend of the number of critical issues that have plagued Microsoft for the past decade. My feeling is that moving to the Chromium project has been a definite "super plus-plus win-win" for both the development team and users.
Speaking of legacy browsers, we need to prepare for the retirement of IE coming in the middle of June. By "prepare" I mean celebrate — after, of course, we have ensured that legacy apps do not have explicit dependencies on the old IE rendering engine. Please add "Celebrate the retirement of IE" to your browser deployment schedule. Your users will understand.
Windows
The Windows platform receives six critical updates this month and 56 patches rated important. Unfortunately, we have three zero-day exploits, too:
- CVE-2022-22713: This publicly disclosed vulnerability in Microsoft's Hyper-V virtualization platform will require an attacker to successfully exploit an internal race condition to lead to a potential denial-of-service scenario. It's a serious vulnerability, but requires chaining several vulnerabilities to succeed.
- CVE-2022-26925: Both publicly disclosed and reported as exploited in the wild, this LSA authentication issue is a real concern. It will be easy to patch, but the testing profile is large, making it a tough one to deploy quickly. In addition to testing your domain authentication, ensure that backups (and restore) functions are working as expected. We highly recommend checking the latest Microsoft support notes on this ongoing issue.
- CVE-2022-29972: This publicly-disclosed vulnerability in the Redshift ODBC driver is pretty specific to Synapse applications. But if you have exposure to any of the Azure Synapse RBAC roles, deploying this update is a top priority.
In addition to these zero-day issues, there are three other issues that require your attention:
- CVE-2022-26923: this vulnerability in Active Directory authentication is not quite "wormable" but is so easy to exploit, I would not be surprised to see it actively attacked soon. Once compromised, this vulnerability will provide access to your entire domain. The stakes are high with this one.
- CVE-2022-26937: This Network File System bug has a rating of 9.8 - one of the highest reported this year. NFS is not enabled by default, but if you have Linux or Unix on your network, you are likely using it. Patch this issue, but we also recommend upgrading to NFSv4.1 as soon as possible.
- CVE-2022-30138: This patch was released post-Patch Tuesday. This print spooler issue only affects older systems (Windows 8 and Server 2012) but will require significant testing before deployment. It's not a super critical security issue, but the potential for printer-based issues is large. Take your time before deploying this one.
Given the number of serious exploits and the three zero-days in May, add this month's Windows update to your "Patch Now" schedule.
Microsoft Office
Microsoft released just four updates for the Microsoft Office platform (Excel, SharePoint) all of which are rated important. All these updates are difficult to exploit (requiring both user interaction and local access to the target system) and only affect 32-bit platforms. Add these low-profile, low-risk Office updates to your standard release schedule.
Microsoft Exchange Server
Microsoft released a single update to Exchange Server (CVE-2022-21978) that is rated important and appears pretty difficult to exploit. This elevation-of-privilege vulnerability requires fully authenticated access to the server, and so far there have not been any reports of public disclosure or exploitation in the wild.
More importantly this month, Microsoft introduced a new method to update Microsoft Exchange servers that now includes:
- Windows Installer patch file (.MSP), which works best for automated installations.
- Self-extracting, auto-elevating installer (.exe), which works best for manual installations.
This is an attempt to solve the problem of Exchange admins updating their server systems within a non-admin context, resulting in a bad server state. The new EXE format allows for command line installations and better installation logging. Microsoft has helpfully published the following EXE command line example:
"Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains"
Note, Microsoft recommends that you have the %Temp% environment variable before using the new EXE installation format. If you follow the new method of using the EXE to update Exchange, remember you will still have to (separately) deploy the monthly SSU update to ensure your servers are up to date. Add this update (or EXE) to your standard release schedule, ensuring that a full reboot is actioned when all updates are completed.
Microsoft development platforms
Microsoft has released five updates rated important and a single patch with a low rating. All these patches affect Visual Studio and the .NET framework. As you will be updating your Visual Studio instances to address these reported vulnerabilities, we recommend that you read the Visual Studio April update guide.
To find out more about the specific issues addressed from a security perspective, the May 2022 .NET update blog posting will be useful. Noting that .NET 5.0 has now reached end of support and before you upgrade to .NET 7, it may be worth checking on some of the compatibility or "breaking changes" that need to be addressed. Add these medium-risk updates to your standard update schedule.
Adobe (really just Reader)
I thought that we might be seeing a trend. No Adobe Reader updates for this month. That said, Adobe has released a number of updates to other products found here: APSB22-21. Let's see what happens in June — maybe we can retire both Adobe Reader and IE.