This week’s Patch Tuesday was an unusual update from Microsoft, and we have added Windows, the Microsoft development platform, and Adobe Reader to our “Patch Now” schedule. These updates are driven by the zero-day patch (CVE-2021-40444) to the core Microsoft browser library MSHTML. In addition to raising serious remote code execution concerns, this update may cause unexpected behaviour in legacy applications that rely on or embed this browser component. Be sure to review your portfolio for key apps that have these dependencies and perform a full functional test before deployment. (We have identified some key mitigation strategies for handling ActiveX controls and for protecting your system during your testing and deployment phases.)

You can find more information about the risks of deploying these Patch Tuesday patches in this infographic.

Key testing scenarios

There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change and an additional feature:

As always, confirm that printing works as expected with both physical and virtual printers. Verify there are no issues with printer drivers and check for printer driver software still using 32-bit code for application management.
Verify Event Tracing for Windows is working as expected; logs are showing up in Event Viewer.
Confirm that connections using Remote Desktop Gateway and Virtual Private Networks (VPNs) work as expected.
Test SCRRUN objects such as Scripting.FileSystemObject, TextStream and Scripting.Dictionary. See this Microsoft doc and Dictionary object | Microsoft Docs for more information.
Confirm that users with permissions can access files on SMB shares. Verify that accessing files using Create / Copy / Delete / Read / Write / Rename / Close functions as expected.

Testing your legacy apps and printing will be a key job when managing this September’s update (and for the foreseeable future). Looking for printer driver software still using 32-bit code for app management is essential to avoid “thunking.” This area of concern relates to how memory is handled between 32-bit and 64-bit applications. If you are looking for a scenario where everything breaks, at unpredictable times, and affects core systems, try finding an aging printer driver with outdated printer management software. Actually, it is more likely the results will find you.

Though we often focus on printing and legacy apps, remote working has seen a huge increase during the pandemic. We offer the following VPN-specific testing recommendations this month:

Verify that Windows Updates reliably install over VPN and non-VPN connections and that the updates install successfully.
Check that your anti-virus works as expected over your VPN connection.
Ensure the ability to acquire a DHCP address and network connectivity over wired and wireless network connections with and without 802.1x.
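Two of the checks in the testing list above (32-bit printer drivers that risk thunking, and ETW/Event Log health) can be scripted so they run as a pre-deployment gate on each test machine. This is an added example, not the article's own tooling; it assumes a Windows host with the PrintManagement module (Get-PrinterDriver) available.

```powershell
# Added example: post-patch validation for printer drivers and Event Log health.
# Assumes Windows with the PrintManagement module; run on the test host after patching.

function Get-Legacy32BitPrinterDrivers {
    # Drivers whose environment is not the 64-bit one are the ones that exercise
    # the 32/64-bit "thunking" path on a 64-bit host and deserve a print test.
    Get-PrinterDriver -ErrorAction Stop |
        Where-Object { $_.PrinterEnvironment -ne 'Windows x64' } |
        Select-Object Name, PrinterEnvironment, MajorVersion, Manufacturer
}

function Test-EventLogHealth {
    param([int]$MaxAgeMinutes = 60)
    # ETW feeds the Windows Event Log service; if the service is stopped or no event
    # has reached the System log recently, logging is broken after the update.
    $svc    = Get-Service -Name EventLog
    $latest = Get-WinEvent -LogName System -MaxEvents 1 -ErrorAction SilentlyContinue
    $fresh  = $latest -and ($latest.TimeCreated -gt (Get-Date).AddMinutes(-$MaxAgeMinutes))
    [pscustomobject]@{
        ServiceStatus   = $svc.Status
        LatestEventTime = if ($latest) { $latest.TimeCreated } else { $null }
        Healthy         = ($svc.Status -eq 'Running') -and $fresh
    }
}

# Run both checks and warn loudly so the output can gate a rollout decision.
$legacy = @(Get-Legacy32BitPrinterDrivers)
if ($legacy.Count -gt 0) {
    Write-Warning "Found $($legacy.Count) non-x64 printer driver(s); test printing with these before rollout:"
    $legacy | Format-Table -AutoSize
}
$log = Test-EventLogHealth
if (-not $log.Healthy) {
    Write-Warning "Event Log is not healthy after patching: $($log | Out-String)"
}
```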
Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms in the latest update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:

This month, all Windows 10 updates include a fix that addresses an issue that causes PowerShell to create an infinite number of child directories. This issue occurs when you use the PowerShell Move-Item command to move a directory to one of its children. As a result, the volume fills up and the system stops responding.

Major revisions

At the time of writing (for the July update cycle), there have been four major updates to previously released updates:

CVE-2021-1678: Windows Print Spooler Spoofing Vulnerability.
CVE-2021-36958: Windows Print Spooler Remote Code Execution Vulnerability.
CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability.
Mitigations and workarounds

This month, Microsoft published a workaround for the MSHTML update. The company (not for the first time) recommends disabling ActiveX. We recommend disabling ActiveX as a general rule and using Group Policy for your managed platforms. Here are some simple steps to ensure that ActiveX is disabled:

Select the Zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
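The same two settings can be enforced and audited on a test machine by writing the policy registry values that those Group Policy entries map to, which is useful for confirming the policy actually landed before the MSHTML update is rolled out. This is an added example, not Microsoft's or the article's own script; the registry path and the value IDs 1001/1004 are assumed from Microsoft's published workaround for CVE-2021-40444 and should be checked against the advisory.

```powershell
# Added example: disable and audit ActiveX control downloads in all four zones.
# Registry path and value IDs are an assumption taken from Microsoft's published
# CVE-2021-40444 workaround; verify against the advisory. Must run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
# 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls
$ActiveXValues = @('1001', '1004')
$Disable = 3   # 0 = Enable, 1 = Prompt, 3 = Disable

function Set-ActiveXDownloadDisabled {
    # Equivalent of enabling both policies and setting their option to Disable per zone.
    foreach ($zone in $Zones.Keys) {
        $key = Join-Path $PolicyRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($v in $ActiveXValues) {
            New-ItemProperty -Path $key -Name $v -Value $Disable -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-ActiveXDownloadAudit {
    # One row per zone/setting so a compliance report can flag anything not set to Disable.
    foreach ($zone in $Zones.Keys) {
        $key = Join-Path $PolicyRoot $zone
        foreach ($v in $ActiveXValues) {
            $current = (Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue).$v
            [pscustomobject]@{
                Zone      = $Zones[$zone]
                Setting   = if ($v -eq '1001') { 'Download signed ActiveX' } else { 'Download unsigned ActiveX' }
                Value     = $current
                Compliant = ($current -eq $Disable)
            }
        }
    }
}

Set-ActiveXDownloadDisabled
Get-ActiveXDownloadAudit | Format-Table -AutoSize
```

On domain-joined machines, deliver the same values through Group Policy so they are not reverted at the next refresh; the audit function then confirms that the policy applied.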
You can also specify particular registry keys and component IDs for individual apps (e.g. Microsoft Word); find out more here. Microsoft also recommends that you place documents opened in “Protected View” and use the Office version of Application Guard. And if you have gone for a full Microsoft stack and have deployed Defender, you can use attack surface reduction rules to reduce the threat of exposure to this serious security issue.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers (Microsoft IE and Edge);
Microsoft Windows (both desktop and server);
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
Adobe (retired? Not yet).
Browsers

Microsoft released 26 updates for the Chromium-based Edge browser this month. In addition to these patches, the Chromium project also released 11 security-related updates this September (Chrome Release Notes). Though the browser wars have ended, and Microsoft is now using Open Source, the one constant type of security issue is the “Use After Free” memory (aka Dangling Pointer) allocation error. This class of memory allocation error is still the most common, and this month’s update (have a read of CVE-2021-30610) is a good example of the continuing battle to stay ahead of the bad guys. The proposed changes to Edge should have minimal or no impact on enterprise systems this month. Add these updates to your standard desktop update schedule.

Windows

Microsoft has released 35 updates to the Windows platform with two rated as critical (CVE-2021-36965 and CVE-2021-26435) for this cycle. Though this is not the largest update we have seen for a while, this release affects a number of key platform areas: networking, kernel drivers, Windows Installer, key graphics components (GDI), and some key diagnostic tools (Windows Error Reporting). However, the real concern this month for testing and deployment teams is what has been re-released: CVE-2021-40444. It was released earlier this month and has seen two updates since its initial publication. The MSHTML issue is a real concern because it relates to a core browser component commonly used in a number of applications. It is like having Internet Explorer embedded in your core line-of-business application (yeah, I know). You really do not want this component in your development portfolio, and you need to find out quickly which applications depend on it. We ran a quick scan of our common applications that make use of the MSHTML library and found that between 5-10% of “legacy applications” (applications older than 5 years) had a direct dependency on MSHTML.
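One way to start that dependency inventory on a test machine, as an added example that is not the article's own scan: a static pass that looks for the mshtml.dll import name inside executables under an application folder, plus a runtime pass that lists running processes with mshtml.dll loaded (which also catches apps that pull it in indirectly, for instance through the WebBrowser control). The folder path is an assumed placeholder; run elevated for full process coverage.

```powershell
# Added example: find applications that depend on the MSHTML browser component.
# Static check: import names are stored as ASCII strings in a PE file, so a byte-level
# substring search for "mshtml.dll" is a cheap (if approximate) dependency test.
# Runtime check: list processes that currently have mshtml.dll mapped.

function Find-MshtmlImports {
    param([string]$Root = 'C:\LegacyApps')   # assumed placeholder; point at your app portfolio
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($_.FullName))
            if ($text.IndexOf('mshtml.dll', [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    File         = $_.FullName
                    LastModified = $_.LastWriteTime
                    # The article's "legacy" threshold: binaries older than five years
                    Legacy       = $_.LastWriteTime -lt (Get-Date).AddYears(-5)
                }
            }
        }
}

function Get-MshtmlLoadedProcesses {
    Get-Process | ForEach-Object {
        # Module enumeration fails for protected processes or a bitness mismatch; skip those.
        $mods = try { $_.Modules } catch { @() }
        if ($mods | Where-Object { $_.ModuleName -ieq 'mshtml.dll' }) {
            [pscustomobject]@{ ProcessId = $_.Id; Name = $_.ProcessName; Path = $_.Path }
        }
    }
}

Find-MshtmlImports        | Format-Table -AutoSize
Get-MshtmlLoadedProcesses | Format-Table -AutoSize
```

Anything the static pass flags as Legacy, or that shows up in the runtime pass, belongs on the in-depth test list for this update.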
These applications will require in-depth testing and are likely areas of concern for any enterprise. Unfortunately, we have to add these Windows updates to our “Patch Now” schedule for this month.

Microsoft Office

Microsoft has released 12 updates to its Office platform this month, all of them rated important. (Correct, no critical updates for Office, Exchange or SharePoint this patch cycle.) Word, Excel, Visio, and the shared Microsoft Office libraries (e.g. MSO and shared code common to all Microsoft Office components) are affected this month. None of the reported security issues include “preview pane” or other highly vulnerable attack vectors. Add these September Microsoft updates to your standard release schedule.

Microsoft Exchange Server

We are in the fortunate position this September of not having to deploy urgent updates to Microsoft Exchange Server. That said, there are two updates to SharePoint Server (CVE-2021-38651, CVE-2021-38652) that will require attention. Both require a reboot of the server. So even with a reduced level of urgency, we are all still rebooting our Office servers this month. No further action is required for Exchange Server related updates.

Microsoft development platforms

Microsoft has released three updates to the Visual Studio platform (CVE-2021-36952, CVE-2021-26437, CVE-2021-26434), all rated important. Usually, we review these updates and advise adding them to a standard release schedule. But we think CVE-2021-36952 and CVE-2021-26434 require a quick response due to their potential remote code execution (RCE) and elevation-of-privilege scenarios. I like to say that RCE issues are today’s issues. Elevation of privilege (EOP) problems are this afternoon’s problems. Add this Microsoft developer update to your “Patch Now” schedule. And, yes, we have not made this recommendation for at least two years.

Adobe (really just Reader)

This section was previously set up to handle the numerous (and sometimes painful) updates to Adobe Flash over the years. With the recent (and hopefully final) update that includes the kill-bits for Flash and Shockwave, our thinking is that we should retire this section. However, Adobe Reader is a core component of most enterprise desktops and is likely to continue as the default PDF reader for a few more years. So rather than cover all Adobe products, we will deal with security-related issues with PDFs (especially printing) and Adobe Reader. And as luck would have it, we have an abundance of Adobe updates for September (I’m saving “cornucopia” for October), with a particular focus on Acrobat. Adobe has released 26 updates, with seven rated critical as they relate to memory issues that could lead to remote code execution (RCE) scenarios. There are some serious issues with these reported vulnerabilities, though all require user interaction and there are no reports of public disclosure or exploitation. Add these Adobe Reader updates to your “Patch Now” update release cycle. And, yes, this is the first time that we have made this recommendation.
Copyright © 2021 IDG Communications, Inc.