May’s Patch Tuesday updates make urgent patching a must

This past week’s Patch Tuesday started with 73 updates, but ended up (so far) with three revisions and a late addition (CVE-2022-30138) for a total of 77 vulnerabilities addressed this month. Compared with the broad set of updates released in April, we see a greater urgency in patching Windows — especially with three zero-days and several other very serious flaws in key server and authentication areas. Exchange will require attention, too, due to new server update technology. There were no updates this month for Microsoft browsers and Adobe Reader. And Windows 10 20H2 (we hardly knew ye) is now out of support.

You can find more information on the risks of deploying these Patch Tuesday updates in this handy infographic, and the MSRC Center has posted an overview of how it handles security updates here.

Key testing scenarios

Given the large number of changes included with this May patch cycle, I’ve broken down the testing scenarios into high-risk and standard-risk groups:

High Risk: These changes are likely to include functionality changes, may deprecate existing functions and will likely require creating new testing plans:
Test your enterprise CA certificates (both new and renewed). Your domain server KDC will automatically validate the new extensions included in this update. Look for failed validations!
This update includes a change to driver signatures that now include timestamp checking as well as Authenticode signatures. Signed drivers should load. Unsigned drivers should not. Check your application test runs for failed driver loads. Include checks for signed EXEs and DLLs too.
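
One way to prepare for the driver-signature test above is to inventory which drivers, EXEs and DLLs an application ships without a valid Authenticode signature or without a timestamp counter-signature. This is an added example, not code from the article or from Microsoft; the folder path is a hypothetical placeholder, and the listed files are candidates to watch in the test run, not a prediction of which ones will fail.

```powershell
# Added example: list binaries that are unsigned, have an invalid signature,
# or are signed without a timestamp counter-signature.
param(
    # Hypothetical application folder; point this at the package under test.
    [string]$Path = 'C:\Program Files\ExampleApp'
)

Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            # SignatureStatus enum: Valid, NotSigned, HashMismatch, NotTrusted, ...
            Status      = $sig.Status
            # Empty when the file carries no embedded signer certificate.
            Signer      = $sig.SignerCertificate.Subject
            # $false when the signature has no timestamp counter-signature.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    } |
    # Keep only the files worth a closer look during the test run.
    Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped } |
    Sort-Object Status, File |
    Format-Table -AutoSize -Wrap
```

Run it once against each application folder before the patch is installed on the test machine, so that any failed driver or module load seen afterwards can be matched against this list.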
The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment of May’s patches:
Test your VPN clients when using RRAS servers: include connect, disconnect (using all protocols: PPP/PPTP/SSTP/IKEv2).
Test that your EMF files open as expected.
Test your Windows Address Book (WAB) application dependencies.
Test BitLocker: start/stop your machines with BitLocker enabled and then disabled.
Validate that your credentials are accessible via VPN (see Microsoft Credential Manager).
Test your V4 printer drivers (especially with the later arrival of CVE-2022-30138).
This month’s testing will require several reboots to your testing resources and should include both (BIOS/UEFI) virtual and physical machines.

Known issues

Microsoft includes a list of known issues that affect the operating system and platforms included in this update cycle:
After installing this month’s update, Windows devices that use certain GPUs might cause apps to close unexpectedly, or generate an exception code (0xc0000094 in module d3d9on12.dll) in apps using Direct3D Version 9. Microsoft has published a KIR group policy update to resolve this issue with the following GPO settings: Download for Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1, and Windows 10, version 21H2.
After installing updates released Jan. 11, 2022 or later, apps that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might fail or generate an access violation (0xc0000005) error. It appears that applications that depend on the System.DirectoryServices API are affected.
Microsoft has really upped its game when discussing recent fixes and updates for this release with a helpful update highlights video.

Major revisions

Though there is a much reduced list of patches this month compared to April, Microsoft has released three revisions including:
CVE-2022-1096: Chromium: CVE-2022-1096 Type Confusion in V8. This March patch has been updated to include support for the latest version of Visual Studio (2022) to allow for the updated rendering of webview2 content. No further action is required.
CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This April patch has been updated to include ALL supported versions of Visual Studio (15.9 to 17.1). Unfortunately, this update may require some application testing for your development team, as it affects how webview2 content is rendered.
CVE-2022-30138: Windows Print Spooler Elevation of Privilege Vulnerability. This is an informational change only. No further action is required.

Mitigations and workarounds

For May, Microsoft has published one key mitigation for a serious Windows network file system vulnerability:
CVE-2022-26937: Windows Network File System Remote Code Execution Vulnerability. You can mitigate an attack by disabling NFSV2 and NFSV3. The following PowerShell command will disable those versions: “PS C:\> Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false”. Once done, you will need to restart your NFS server (or preferably reboot the machine). And to confirm that the NFS server has been updated correctly, use the PowerShell command “PS C:\> Get-NfsServerConfiguration”.
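
The mitigation steps above (disable, restart, confirm) can be combined into one idempotent check. This is an added example, not a script from the article or from Microsoft; restarting Server for NFS with the nfsadmin tool instead of rebooting is this example's choice, and the script assumes an elevated session on a host with the Server for NFS role installed.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the CVE-2022-26937 mitigation (disable NFSv2/NFSv3),
# restart Server for NFS, then verify the resulting configuration.

$cfg = Get-NfsServerConfiguration
Write-Host ("Before: NFSv2={0} NFSv3={1} NFSv4={2}" -f `
    $cfg.EnableNFSV2, $cfg.EnableNFSV3, $cfg.EnableNFSV4)

if ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3) {
    # Same command the article quotes.
    Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

    # The new setting is only honoured after the NFS server restarts.
    nfsadmin server stop
    nfsadmin server start
}
else {
    Write-Host "NFSv2 and NFSv3 were already disabled; nothing changed."
}

# Re-read the configuration instead of trusting the Set- call.
$cfg = Get-NfsServerConfiguration
if ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3) {
    Write-Error "NFSv2 or NFSv3 is still enabled; the mitigation is not in place."
    exit 1
}
if (-not $cfg.EnableNFSV4) {
    # With every version off, the role is installed but serves no clients.
    Write-Warning "NFSv4 is also disabled: no NFS protocol version is being served."
}
Write-Host ("After:  NFSv2={0} NFSv3={1} NFSv4={2}" -f `
    $cfg.EnableNFSV2, $cfg.EnableNFSV3, $cfg.EnableNFSV4)
```

Clients that still mount shares over NFSv2 or NFSv3 lose access once this runs, so confirm they can mount over NFSv4.1 first.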
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (both desktop and server);
Microsoft Office;
Microsoft Exchange;
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
Adobe (retired???, maybe next year).

Browsers

Microsoft has not released any updates to either its legacy (IE) or Chromium (Edge) browsers this month. We are seeing a downward trend in the number of critical issues that have plagued Microsoft for the past decade. My feeling is that moving to the Chromium project has been a definite “super plus-plus win-win” for both the development team and users. Speaking of legacy browsers, we need to prepare for the retirement of IE coming in the middle of June. By “prepare” I mean celebrate — after, of course, we have ensured that legacy apps do not have explicit dependencies on the old IE rendering engine. Please add “Celebrate the retirement of IE” to your browser deployment schedule. Your users will understand.

Windows

The Windows platform receives six critical updates this month and 56 patches rated important. Unfortunately, we have three zero-day exploits, too:
CVE-2022-22713: This publicly disclosed vulnerability in Microsoft’s Hyper-V virtualization platform would require an attacker to successfully exploit an internal race condition to lead to a potential denial-of-service condition. It’s a serious vulnerability, but requires chaining several vulnerabilities to succeed.
CVE-2022-26925: Both publicly disclosed and reported as exploited in the wild, this LSA authentication issue is a real concern. It will be easy to patch, but the testing profile is large, making it a difficult one to deploy quickly. In addition to testing your domain authentication, ensure that backup (and restore) functions are working as expected. We highly recommend checking the latest Microsoft support notes on this ongoing issue.
CVE-2022-29972: This publicly disclosed vulnerability in the Redshift ODBC driver is pretty specific to Synapse applications. But if you have exposure to any of the Azure Synapse RBAC roles, deploying this update is a top priority.
In addition to these zero-day issues, there are three other issues that require your attention:
CVE-2022-26923: This vulnerability in Active Directory authentication is not quite “wormable” but is so easy to exploit, I would not be surprised to see it actively attacked soon. Once compromised, this vulnerability will provide access to your entire domain. The stakes are high with this one.
CVE-2022-26937: This Network File System bug has a rating of 9.8 – one of the highest reported this year. NFS is not enabled by default, but if you have Linux or Unix on your network, you are likely using it. Patch this issue, but we also recommend upgrading to NFSv4.1 as soon as possible.
CVE-2022-30138: This patch was released post-Patch Tuesday. This print spooler issue only affects older systems (Windows 8 and Server 2012) but will require significant testing before deployment. It’s not a super critical security issue, but the potential for printer-based issues is large. Take your time before deploying this one.
Given the number of serious exploits and the three zero-days in May, add this month’s Windows update to your “Patch Now” schedule.

Microsoft Office

Microsoft released just four updates for the Microsoft Office platform (Excel, SharePoint), all of which are rated important. All these updates are difficult to exploit (requiring both user interaction and local access to the target system) and only affect 32-bit platforms. Add these low-profile, low-risk Office updates to your standard release schedule.

Microsoft Exchange Server

Microsoft released a single update to Exchange Server (CVE-2022-21978) that is rated important and appears quite difficult to exploit. This elevation-of-privilege vulnerability requires fully authenticated access to the server, and so far there have not been any reports of public disclosure or exploitation in the wild.

More importantly this month, Microsoft introduced a new method to update Microsoft Exchange servers that now includes:
Windows Installer patch file (.MSP), which works best for automated installations.
Self-extracting, auto-elevating installer (.exe), which works best for manual installations.
This is an attempt to solve the problem of Exchange admins updating their server systems within a non-admin context, resulting in a bad server state. The new EXE format allows for command line installations and better installation logging. Microsoft has helpfully published the following EXE command line example: “Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains”

Note, Microsoft recommends that you have the %Temp% environment variable before using the new EXE install format. If you follow the new method of using the EXE to update Exchange, remember you will still have to (separately) deploy the monthly SSU update to ensure your servers are up to date. Add this update (or EXE) to your standard release schedule, ensuring that a full reboot is actioned when all updates are completed.

Microsoft development platforms

Microsoft has released five updates rated important and a single patch with a low rating. All these patches affect Visual Studio and the .NET framework. As you will be updating your Visual Studio instances to address these reported vulnerabilities, we recommend that you read the Visual Studio April update guide. To find out more about the specific issues addressed from a security perspective, the May 2022 .NET update blog posting will be useful. Noting that .NET 5.0 has now reached end of support and before you upgrade to .NET 7, it may be worth checking on some of the compatibility or “breaking changes” that need to be addressed. Add these medium-risk updates to your standard update schedule.

Adobe (really just Reader)

I thought that we might be seeing a trend. No Adobe Reader updates for this month. That said, Adobe has released a number of updates to other products found here: APSB22-21. Let’s see what happens in June — maybe we can retire both Adobe Reader and IE.

Copyright © 2022 IDG Communications, Inc.