
Microsoft delivers solid Windows-focused updates for June’s Patch Tuesday


June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are no Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows component, CVE-2022-30190, led to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates will be included in a standard release schedule. You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

Key testing scenarios

Given the large number of changes included in this June patch cycle, I’ve broken out the testing scenarios into high-risk and standard-risk groups.

These high-risk changes are likely to include functionality changes, may deprecate existing functionality, and will likely require new testing plans. Test your signed drivers using physical and virtual machines (BIOS and UEFI) and across all platforms (x86, 64-bit):
Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
Use SHA-1 signed versus SHA-2 signed drivers.

Each of these high-risk test cycles must include a manual shut-down, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
Test remote Credential Guard scenarios. (These tests will require Kerberos authentication, and can only be used with the RDP protocol.)
Test your Hyper-V servers and start/stop/resume your virtual machines (VMs).
Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
Test deploy sample applications using AADJ and Intune. Ensure that you deploy and revoke access as part of your test cycle.

In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update. This is due to the changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. It’s good to challenge each application package as part of the Quality Assurance (QA) process that includes the key application lifecycle stages of installation, activation, update, repair, and then uninstall. Not testing these stages could leave IT systems in an undesirable state — at the very least, it will be an unknown state.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
After installing this June update, Windows devices that use certain GPUs might cause applications to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). No resolutions for these reported issues yet.
After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.

As you may be aware, Microsoft published an out-of-band update (OOB) last month (on May 19). This update affected the following core Windows Server based networking features:

The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controller servers. Desktop platforms are not affected. Due to this earlier patch, Microsoft has recommended that this June’s update be installed on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC) first. Then install this update on all DC role computers. Or pre-populate CertificateMappingMethods to 0x1F as documented in the registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.

Did you get that? I have to note, with a certain sense of irony, that the most detailed, order-specific set of instructions that Microsoft has ever published (ever) is buried deep, mid-way through a very long technical article. I hope everyone is paying attention.

Major revisions

Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:
CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.

CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to affected applications (now affecting the Mac platform). No further action required.

CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now affecting the Mac platform). No further action required.

CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major update to this patch is a bit of a mess. This patch was mistakenly allocated to the Windows security update group. Microsoft has removed this Endpoint manager from the Windows group and has provided the following options to access and install this hot-fix:

Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See Checklist for installing update 2203 for Configuration Manager for more information.
Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager, versions 1910 through versions 2111 who are not able to install Configuration Manager Update 2203 (Build 5.00.9078) can download and install hot-fix KB12819689.

CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal — we were affected by this issue with massive server performance spikes. If you are having problems with MSDT, you can read the MSRC blog post, which includes detailed instructions on updates and mitigations. To solve our issues, we had to disable the MSDT URL protocol, which has its own problems.

I think that we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but both changes do not have significant testing profiles. DCOM changes are different — they’re tough to test and usually require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired outcomes. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you may have some unpleasant surprises — with very difficult-to-debug troubleshooting scenarios.

Mitigations and workarounds

For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I’ve seen this, but for this mitigation, Microsoft strongly recommends you install the May 2022 update first. Once done, you can reduce your attack surface area by disabling NFSV4.1 with the following PowerShell command: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”
Making this change will require a restart of the target server.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (both desktop and server);
Microsoft Office;
Microsoft Exchange;
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
Adobe (retired???, maybe next year).

Browsers

We are seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:

A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.

Windows

With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus — especially given the low-risk, low-profile updates to Microsoft Browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including: NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and docker components. As mentioned earlier, the most difficult-to-test and troubleshoot will be the kernel updates and the local security sub-system (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily due to the number of core infrastructural changes that should be picked up in early testing. (Microsoft has published another video about the changes this month to the Windows 11 platform, found here.)

Microsoft has fixed the widely-exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which given the other three critical updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139) leads to a “Patch Now” recommendation.

Microsoft Office

Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core foundation library), all of them rated important.
The SharePoint server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker location. This Excel vulnerability is more of an Arbitrary Code Execution vulnerability; given that it requires user interaction and access to a local target system, it’s a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.

Microsoft Exchange Server

We have a SQL server update this month, but no Microsoft Exchange Server updates for June. This is good news.

Microsoft development platforms

Microsoft has released a single, relatively low-risk (CVE-2022-30184) update to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Mac Visual Studio 2022 (still in preview) as soon as possible. As of July (yes, next month) the Mac version of Visual Studio 2019 will no longer be supported. And yes, losing patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.

Adobe (really, just Reader)

There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for their other (non-Acrobat or PDF related) applications — all of which are rated at the lowest level 3 by Adobe. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.
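
The order-specific rollout described earlier for the follow-up to the May 19 out-of-band update (intermediate and application servers first, then domain controllers, with CertificateMappingMethods deleted last) can be checked against an inventory before each patch wave. This is an added example, not code from Microsoft or from the original article; the Host record, role labels and host names are hypothetical, and only the CertificateMappingMethods name and the 0x1F value come from the text.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED_MAPPING = 0x1F  # value the article cites from KB5014754


@dataclass
class Host:  # hypothetical inventory record, not a Microsoft schema
    name: str
    role: str                      # "intermediate" (incl. application servers) or "dc"
    june_update: bool              # June 14 update installed?
    mapping: Optional[int] = None  # CertificateMappingMethods on a DC; None if unset


def next_actions(fleet):
    """Map each host name to the step the article's ordering allows next."""
    inter = [h for h in fleet if h.role == "intermediate"]
    dcs = [h for h in fleet if h.role == "dc"]
    inter_done = all(h.june_update for h in inter)
    dcs_done = all(h.june_update for h in dcs)
    # Alternative path: every DC already carries the pre-populated value.
    prepopulated = all(h.mapping == REQUIRED_MAPPING for h in dcs)

    plan = {h.name: "done" if h.june_update else "install update" for h in inter}
    for h in dcs:
        if not h.june_update:
            ok = inter_done or prepopulated
            plan[h.name] = "install update" if ok else "hold"
        elif h.mapping is not None:
            # The setting may be deleted only once the whole fleet is patched.
            ok = inter_done and dcs_done
            plan[h.name] = "delete mapping" if ok else "keep mapping"
        else:
            plan[h.name] = "done"
    return plan


# Constructed inventory with hypothetical host names.
FLEET = [
    Host("app01", "intermediate", True),
    Host("web01", "intermediate", False),
    Host("dc01", "dc", False),
    Host("dc02", "dc", True, REQUIRED_MAPPING),
]

if __name__ == "__main__":
    for name, step in next_actions(FLEET).items():
        print(f"{name}: {step}")
```

With the constructed inventory, dc01 is held because web01 is still unpatched and dc01 has no pre-populated value, and dc02 keeps its registry setting until the whole fleet has the update.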

Copyright © 2022 IDG Communications, Inc.