Microsoft’s December Patch Tuesday up to date delivers 59 fixes, together with two zero-days (CVE-2022-44698 and CVE-2022-44710) that require rapid consideration on the Windows platform. This is a community centered replace (TCP/IP and RDP) that can require important testing with an emphasis on ODBC connections, Hyper-V methods, Kerberos authentication, and printing (each native and distant).Microsoft additionally printed an pressing out-of-band replace (CVE-2022-37966) to handle severe Kerberos authentication points. (The crew at Readiness has supplied a useful infographic that outlines the dangers related to every of those updates.)And Windows Hot-Patching for Azure Virtual Machines (VMs) is now obtainable.Known pointsEach month, Microsoft features a record of recognized points that relate to the OS and platforms included on this replace cycle.
ODBC: After putting in the December replace, functions that use ODBC connections by Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to entry databases won’t join. You may obtain the next error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
RDP and Remote Access: After you put in this or later updates on Windows desktop methods, you could be unable to reconnect to (Microsoft) Direct Access after quickly dropping community connectivity or transitioning between Wi-Fi networks or entry factors.
Hyper-V: After putting in this replace on Hyper-V hosts managed by SDN configured System Center Virtual Machine Manager (VMM), you may obtain an error on workflows involving creating a brand new Network Adapter (additionally known as a Network Interface Card or NIC) joined to a VM community or a brand new Virtual Machine (VM).
Active Directory: Due to further safety necessities in addressing the safety vulnerabilities in CVE-2022-38042, new safety checks are applied on area internet be a part of requests. These further checks could generate the next error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the identical identify exists in Active Directory. Re-using the account was blocked by safety coverage.”
In preparation for the month’s replace to Windows 10 and 11 methods, we advocate runningan evaluation on all software packages and search for a dependency on the system file SQLSRV32.DLL. If you have to examine a selected system, open a command immediate and run the command “tasklist /m sqlsrv32.dll.” This ought to record any processes that rely on this file.Major revisionsMicrosoft printed only one revision this month, with no different revisions to earlier patches or updates launched.
CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability: To handle a recognized difficulty the place Kerberos authentication may fail for person, pc, service, and GMSA accounts when serviced by Windows area controllers. This patch revision has been launched as a uncommon out-of-band replace and would require rapid consideration, if not already addressed.
Mitigations and workaroundsWhile there have been a number of documentation updates and FAQs added to this launch, Microsoft printed a single mitigation:
CVE-2022-37976: Active Directory Certificate Elevation of Privilege: A system is susceptible to this safety vulnerability provided that each the Active Directory Certificate Services position and the Active Directory Domain Services position are put in on the identical server within the community. Microsoft has printed a set of registry keys (LegacyAuthenticationLevel) that may assist cut back the floor space of this difficulty. You can discover out extra about defending your methods right here.
Testing steering Each month, the crew at Readiness analyzes the most recent updates and gives testing steering. This steering is predicated on assessing a big software portfolio and an in depth evaluation of the Microsoft patches and their potential affect on the Windows platforms and software installations. Given the big variety of modifications included this cycle, I’ve damaged down the testing eventualities into high-risk and standard-risk teams.High Risk: This month, Microsoft has not recorded any high-risk performance modifications. This means it has not made main modifications to core APIs or performance to any of the core elements or functions included within the Windows desktop and server ecosystems.More typically, given the broad nature of this replace (Office and Windows) we advise testing the next Windows options and elements:
Bluetooth: Microsoft has up to date two units of key API/Header recordsdata for Bluetooth drivers together with: IOCTL_BTH_SDP_REMOVE_RECORD IOCTL and DeviceIoControl operate. The key testing job right here is to allow after which disable Bluetooth, making certain that your knowledge connections are nonetheless working as anticipated.
GIT: The Git Virtual File System (VfSForGit) has been up to date with modifications to the file and registry mappings. You can learn extra about this key (inner) Windows improvement device right here.
In addition to those modifications and testing necessities, I’ve included a few of the harder testing eventualities for this replace:
Windows Kernel: This month sees a broad replace to the Windows kernel (Win32kfull.sys) that can have an effect on the first desktop UI expertise. Key options patched embrace the Start menu, the settings applet, and File Explorer. Given the large UI testing floor, a bigger testing group could also be required on your preliminary roll-out. If you continue to see your desktop or taskbar, take that as a optimistic signal.
Following final month’s replace to Kerberos authentication, there have been a number of reported points associated to authenticating, particularly throughout remote-desktop connections. Microsoft detailed the next eventualities and associated points addressed this month:
Domain person sign-in could fail. This additionally may have an effect on Active Directory Federation Services (AD FS) authentication.
Group Managed Service Accounts (gMSA) used for providers comparable to Internet Information Services (IIS Web Server) may fail to authenticate.
Remote Desktop connections utilizing area customers may fail to attach.
You could be unable to entry shared folders on workstations and file shares on servers.
Printing that requires area person authentication may fail.
All these eventualities require important testing earlier than a common deployment of the December replace.Unless in any other case specified, we must always now assume that every Patch Tuesday replace would require testing of core printing features together with:
printing from directly-connected printers.
add a printer, after which take away a printer (that is new for December).
massive print jobs from servers (particularly if they’re additionally area controllers).
distant printing (utilizing RDP and VPNs).
check bodily and digital eventualities with 32-bit apps on 64-bit machines.
Windows lifecycle replaceThis part consists of necessary modifications to servicing (and most safety updates) to Windows desktop and server platforms. As that is an end-of-year replace, there are fairly a number of “End of Service” modifications, together with:
Windows 10 (Enterprise, Home, Pro) 21H2 – Dec. 12, 2022.
Windows 8.1 – Jan. 10, 2023.
Windows 7 SP1 (ESU) – Jan. 10, 2023.
Windows Server 2008 SP2 (ESU) – Jan. 10, 2023.
Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (each desktop and server);
Microsoft Office;
Microsoft Exchange Server;
Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core)
Adobe (retired???, perhaps subsequent 12 months),
BrowsersFollowing a welcome pattern of no vital updates to Microsoft’s browsers, this replace delivers simply three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115) all rated necessary. These updates have an effect on the Microsoft Chromium browser and will have marginal to low affect in your functions. Add these updates to your commonplace patch launch schedule.WindowsMicrosoft launched patches to the Windows ecosystem this month that handle three vital updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated necessary and two rated average. Unfortunately, this month now we have these two zero-days affecting Windows with stories of CVE-2022-44698 exploited within the wild and CVE-2022-44710 publicly disclosed. We have crafted particular testing suggestions, noting that there are reported points with Kerberos, Hyper-V and ODBC connections.Add this replace to your “Patch Now” launch schedule.Microsoft OfficeMicrosoft addressed two vital vulnerabilities in SharePoint Server (CVE-202244693 and CVE-2022-44690) which can be comparatively simple to use and don’t require person interplay. The remaining two vulnerabilities have an effect on Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are low-profile, low affect modifications. Unless you are internet hosting your individual SharePoint servers (oh, why?), add these Microsoft updates to your commonplace launch schedule.Microsoft Exchange ServerMicrosoft has not launched any updates, patches or safety mitigations for Microsoft Exchange Server. Phew!Microsoft improvement platformsMicrosoft addressed two vital vulnerabilities in Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Though each safety points are rated vital, they require native admin entry and are thought-about each tough and complicated to use. Mark Russinovich’s Sysmon additionally wants an replace with the elevation-of-privilege vulnerability CVE-2022-44704 and all supported variations of Visual Studio might be patched. Add these updates to your commonplace developer launch schedule.Adobe Reader (nonetheless right here, however not this month)Adobe has launched three class 3 (equal to Microsoft’s score of necessary) updates to Illustrator, Experience Manager and Campaign (Classic). No updates to Adobe Reader this month.
Copyright © 2022 IDG Communications, Inc.