
    Patching isn’t enough for December’s Patch Tuesday

    This month’s Patch Tuesday update is important for a number of reasons. With 67 unique vulnerabilities addressed, six publicly-reported issues and one already exploited, this month’s updates still pale compared to dealing with the Log4j issue. (Fortunately, there are no browser or Microsoft Exchange updates and minimal changes to Microsoft Office.)

    We have added the Windows updates and Visual Studio updates to our “Patch Now” release cycle recommendations, while Office updates are relegated to a standard release cadence. You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

    Key testing scenarios

    There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature. Here are our high-level testing recommendations:

    Test local printing. Test remote printing and test printing over RDP.
    Test reading or processing ETL files and large WMF files.
    Test new and existing VPN connections. Include a test of site-to-site VPN.
    Test NTFS short name scenarios and large file transfers.

    Known issues

    Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the latest builds, including:

    After installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server used as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. These issues will not affect Windows activation. Microsoft is currently investigating the problem.
    After installing this update, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication. This issue is resolved using Known Issue Rollback (KIR), which can be implemented with the following Group Policy installation files:

    One of the best ways to see if there are known issues that could affect your target platform is to check out the many configuration options for downloading patch data at the Microsoft Security Update guidance or the summary page for this month’s security update.

    Major revisions

    Microsoft released four updates for informational reasons (documentation and FAQ updates) including: CVE-2021-43236, CVE-2021-43883, CVE-2021-43893, CVE-2021-43905. In addition, Microsoft released several major updates to previous patches, including:

    CVE-2019-0887, CVE-2020-0655 and CVE-2021-1669: These remote desktop service RCE updates received a major revision notice due to an updated affected system table. Windows 11 is affected by these security issues and this patch applies accordingly.
    CVE-2021-24084: The scope of affected systems has been updated to all supported Windows systems.

    Due to the larger scope of these patches, you may not have downloaded and applied them in November. This month, all four updates will be included in the patch cycle (though their dates may reflect a November release date).

    Mitigations and workarounds

    This month, there is a single reported vulnerability that includes both mitigation and documented workarounds:

    CVE-2021-43890: Microsoft has published a detailed set of workarounds for this AppX spoofing vulnerability. Using the GPO policies BlockNonAdminUserInstall and AllowAllTrustedAppToInstall, it’s possible to reduce the surface area for side-loading attacks on the AppX installer. Microsoft has published a detailed how-to document on setting GPO policies for AppX (and now MSIX).

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

    Browsers (Microsoft IE and Edge);
    Microsoft Windows (both desktop and server);
    Microsoft Office;
    Microsoft Exchange;
    Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
    And Adobe. (Retired? Maybe next year.)

    Browsers

    This month, the Chromium project released 16 updates for the Microsoft Edge browser. We are really seeing a trend here, with no updates to Microsoft’s legacy browsers. These updates are very likely part of an auto-update process for your desktop environment, as these updates will not be deployed via Microsoft Update. You can find out more in the Chrome Release blog and security details on the Chrome Security Page. Given the nature of Edge (not completely integrated into the OS), there are very few compatibility or integration errors expected with this release. Add these Chrome updates to your regular update release schedule.

    Windows

    December brings a moderate update to Windows with 36 updates; three are rated critical by Microsoft and the remaining 33 as important. Normally, we’d focus on the critical patches. But this month it’s more appropriate to focus on publicly disclosed and exploited vulnerabilities, including:

    This month we have “only” one vulnerability reported as exploited in the wild, with a side-loading spoof attack on the Microsoft AppX installer component (CVE-2021-43890). Fortunately, this is a complex attack that requires user intervention and Microsoft has confirmed an official fix for this issue. Given the focus on updates to core system components (NTFS, Installer, and printing) we have included some testing recommendations:

    Perform tests on server and desktop send/receive heavy traffic. Focus on singular, very large files.
    Test your .WMF files (due to the codec update) and any graphically intensive D3D applications.
    Test various network traffic conditions, particularly with large data transfers — especially SMB, encrypted file systems, and remote shares.
    Install, update, and uninstall your core applications in a test environment. Ensure that all uninstalls are clean.
    Test your printing, especially remote printing, and printing over RDP.
    All applications that utilise TLS/SSL should undergo a basic “smoke test.”

    And about that Log4j issue? Patching the OS is not enough to protect your environment. We highly recommend an immediate scan of your application portfolio for Java dependencies and references to Log4j components. This week’s news of Log4j issues is just the beginning. Expect large scale, industrialized attacks over the Christmas period and into the New Year. It’s going to be bad. It’s going to be messy. Add these Windows updates to your “Patch Now” schedule and get to work on reducing your application attack surface.

    Microsoft Office

    Microsoft released nine patches for Office, all rated important. All versions of SharePoint and Access are affected, as are versions 2016 and 2019 of Word. There are no preview pane attack vectors this month, and all of the reported vulnerabilities require user interaction. Add these Microsoft Office updates to your regular patch release schedule.

    Microsoft Exchange Server

    The Log4j issue may be the coal in your stocking, but Microsoft has gifted us a reprieve from any Microsoft Exchange updates this month. So you can pay more attention to other things, like Christmas. Or Log4j. You choose.

    Microsoft Development Platforms

    Microsoft published seven updates to its development platforms this month (one critical and the remaining rated as important) that affect Visual Studio, PowerShell, and the ASP.NET/.NET framework. The single critical rated patch (CVE-2021-43907) relates to the popular WSL extension; if unpatched, it could lead to a remote-code execution scenario. It’s a pretty serious issue that will affect all WSL users. Unfortunately, the testing profile will be pretty large with testing requirements for the .NET COM server and REGEX expressions. We recommend that you add this Visual Studio update to your “Patch Now” schedule and also reference the additional (and separate) .NET related updates published on the Microsoft Dev blog.

    Adobe (really just Reader)

    This month, Microsoft did not release any update to Adobe Reader. I keep thinking that I can retire this section, but we keep getting periodic updates from Adobe or critical printing updates for PDF files. Let’s see what happens in 2022.

    And, if you got this far…

    Because of minimal operations during the holidays and the upcoming new year break, Microsoft will not release a preview release (known as a “C” release) for December. Normal monthly servicing for both Microsoft B and C releases will resume in January. Windows 10, version 2004 has reached end of servicing as of this release. Next month we’re likely to see an update to the TLS protocol for Windows Server 2008 with support for TLS 1.2.
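
The scan for Java dependencies and Log4j components recommended in the Windows section above can be started with a short script. This is an added example, not code from the original article: it assumes Log4j is recognised by the JndiLookup class path or by log4j-core's Maven metadata inside a JAR/WAR/EAR, and the sample archive and its version string are constructed.

```python
import io
import os
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumed markers of log4j-core: the JNDI lookup class and the Maven metadata with its version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(data, label, findings):
    """Record Log4j evidence in one archive (bytes), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # unreadable archive: skip it, keep sweeping
    with zf:
        names = sorted(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            version = next((ln[8:].strip() for ln in props.splitlines()
                            if ln.startswith("version=")), "unknown")
            findings.append({"path": label, "version": version, "jndi_lookup": JNDI_CLASS in names})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings

def scan_tree(root):
    """Walk a directory tree and scan every Java archive found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    scan_archive(fh.read(), fh.name, findings)
    return findings

def build_sample_war():
    """Constructed sample input: a WAR with a nested jar shaped like log4j-core."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
        z.writestr(POM_PROPS, "version=0.0.0-sample\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/logging-lib.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(scan_archive(build_sample_war(), "sample.war", []))
```

Archives that relocate (shade) Log4j under a different package path will not match the fixed class path, so treat an empty result as a first pass and cross-check against dependency manifests.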

    Copyright © 2021 IDG Communications, Inc.
