
    With a light July Patch Tuesday, it’s time to invest in your IT processes

    Though we get a reprieve from Exchange updates on this month's Patch Tuesday update, more printer updates are on the way. Even with no updates for Microsoft Exchange or Visual Studio, Adobe is back with 15 critical updates for Adobe Reader. And Microsoft's new patch deployment tool Auto-Patch is now live. (I always thought software testing was the main problem here, but actually getting patches deployed is still tough.)

    Though the numbers are still quite high (with 86+ reported vulnerabilities), the testing and deployment profile for July should be fairly moderate. We suggest taking the time to harden your Exchange Server defenses and mitigation processes, and invest in your testing processes.

    You can find more information on the risk of deploying these Patch Tuesday updates in our helpful infographic.

    Key Testing Scenarios

    Given the large number of changes in this July patch cycle, I've broken down the testing scenarios into high-risk and standard-risk groups:

    High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require creating new testing plans.

    Core printing functionality has been updated:
    Install and test any new V4 print drivers on a local machine and print.
    Test new V4 printer connections using client and server and print.
    Test existing V4 printer connections.
    Ensure GDI rendering and printer drivers generate the expected output.

    The core changes relate to how Microsoft supports timestamp checking for kernel drivers, so testing applications that require digitally signed binaries is key for this cycle. The big change here is that unsigned drivers should not load. This may cause some application issues or compatibility problems. We recommend a scan of the application portfolio, identifying all applications that depend on drivers (both signed and unsigned), and generating a test plan that includes installation, application exercising, and uninstall. Having a comparison between pre- and post-patched machines can be useful, too.

    The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
    Test scenarios that utilize Windows DevicePicker. Almost impossible to test, as most applications use this common class. If your internally developed applications pass their basic smoke test, you are fine.
    Test your line-of-business applications that reference the Microsoft mobile CDP APIs. If you have internally developed desktop applications that communicate with mobile devices, a communications check may be required.
    Test connections to the rasl2tp server. This means finding and testing applications that have a dependency on the RAS miniport driver over remote or VPN connections.
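
For the signed-driver change described above, one way to build the driver inventory and the pre- and post-patch comparison. This is an added example, not code from the article or from Microsoft; the function names and the snapshot file location are assumptions.

```powershell
# Added example: snapshot every registered kernel driver with its signature
# state, so a pre-patch and a post-patch machine can be compared.
function Get-DriverSignatureInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # PathName may carry an NT-style prefix or quotes; normalise it.
        $path = $_.PathName -replace '^"|"$', '' -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $sig = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State        # Running / Stopped
            StartMode   = $_.StartMode
            Path        = $path
            SigStatus   = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }
}

# Compare two snapshots; rows marked '<=' exist only before the patch,
# rows marked '=>' only after (for example a driver that no longer runs).
function Compare-DriverSnapshot {
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)
    $old = Import-Csv -Path $Before
    $new = Import-Csv -Path $After
    Compare-Object $old $new -Property Name, State, SigStatus, Signer |
        Sort-Object Name, SideIndicator
}

# Take a snapshot (run once before and once after installing the update).
$file = Join-Path $env:TEMP ('drivers-{0}-{1:yyyyMMdd-HHmm}.csv' -f $env:COMPUTERNAME, (Get-Date))
Get-DriverSignatureInventory | Export-Csv -Path $file -NoTypeInformation

# Drivers to put at the top of the test plan: anything not validly signed.
Get-DriverSignatureInventory | Where-Object SigStatus -ne 'Valid' |
    Format-Table Name, State, SigStatus, Path -AutoSize
```

Pass the two CSV files to `Compare-DriverSnapshot` after patching; a driver whose `State` moves from Running to Stopped points to an application that needs the install, exercise and uninstall test plan.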
    And Curl. Specifically, CURL.EXE, a command-line tool for sending files via HTTP protocols (hence “client URL”), has been updated this month. Curl for Windows (the one that is being updated this month) is different from the open source project curl. If you're confused why the Curl project team offers this, here is the answer:

    “The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them. You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.”

    With that said, we recommend teams that use the curl command (sourced from the Windows supported branch) give their scripts a quick test run. Microsoft has published a testing scenario matrix that this month includes:
    Use physical machines and virtual machines.
    Use BIOS-based machines and UEFI-enabled machines.
    Use x86, ARM, ARM64, and AMD64 machines.
    Note: for each of these testing scenarios, a manual shut-down, reboot and restart is recommended.

    Known Issues

    Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. For July, there are some complex changes to consider:
    Devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.
    After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, “PSFX_E_MATCHING_BINARY_MISSING.” For more information and a workaround, see KB5005322.
    After installing this update, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. This issue is resolved using Known Issue Rollback (KIR) with the following group policy downloads: Download for Windows 10, version 20H2 and Windows 10, version 21H1.
    After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

    Major Revisions

    This month, Microsoft has not formally published any major revisions or updates to previous patches. There was a kind of “sneaky” update from the .NET group that really should have been included in the formal Microsoft documentation update process. However, that update was simply documented support for later versions of Visual Studio.

    Mitigations and Workarounds

    Microsoft published one key mitigation for a Windows network vulnerability:
    CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability. Noting that there are no publicly reported exploits for this network vulnerability, Microsoft still acknowledges that some administrators may choose to disable NFSV3 before their server systems are fully patched. To disable this network feature, use the PowerShell command “Set-NfsServerConfiguration -EnableNFSV3 $false”. There is no need to disable V4 (as opposed to V3) as the later versions of this protocol are not affected by this security vulnerability.
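
The NFSV3 mitigation above written as a reversible change: it saves the current settings, disables only V3, verifies the result, and restores the saved value once the server is patched. This is an added example, not a script from the article or from Microsoft; the baseline file path, the function names and the `nfsadmin` restart step are assumptions of the example.

```powershell
#Requires -RunAsAdministrator
# Added example. The baseline path below is an assumed location.
$Baseline = Join-Path $env:ProgramData 'nfs-config-before-CVE-2022-22029.xml'

function Disable-NfsV3Temporarily {
    $cfg = Get-NfsServerConfiguration
    if (-not $cfg.EnableNFSV3) {
        Write-Output 'NFSV3 is already disabled; nothing to change.'
        return
    }
    # Save the settings once, so the rollback restores what was there before.
    if (-not (Test-Path -LiteralPath $Baseline)) {
        $cfg | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4 |
            Export-Clixml -Path $Baseline
    }
    # The mitigation from the article: V3 off, V4 left untouched.
    Set-NfsServerConfiguration -EnableNFSV3 $false
    # Restart Server for NFS so the running service picks up the setting.
    # (Restart step is an assumption; clients mounted over V3 will disconnect.)
    nfsadmin server stop
    nfsadmin server start
    if ((Get-NfsServerConfiguration).EnableNFSV3) {
        throw 'NFSV3 is still enabled after the change.'
    }
    Write-Output 'NFSV3 disabled; NFSV4 left as configured.'
}

# Run only after the July update is installed on this server.
function Restore-NfsV3AfterPatching {
    if (-not (Test-Path -LiteralPath $Baseline)) {
        throw "No saved baseline at $Baseline; nothing to restore."
    }
    $saved = Import-Clixml -Path $Baseline
    Set-NfsServerConfiguration -EnableNFSV3 ([bool]$saved.EnableNFSV3)
    nfsadmin server stop
    nfsadmin server start
    Remove-Item -LiteralPath $Baseline
    Write-Output "NFSV3 restored to its saved value: $($saved.EnableNFSV3)"
}
```

Clients that can only mount over V3 lose access while the mitigation is in place, so confirm they can use V4 before calling `Disable-NfsV3Temporarily`.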
    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
    Browsers (Microsoft IE and Edge);
    Microsoft Windows (both desktop and server);
    Microsoft Office;
    Microsoft Exchange;
    Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
    Adobe (retired???, maybe next year).
    Browsers

    It just keeps getting better. The downward trend for Microsoft's browser reported vulnerabilities continues to track ever lower with just two (CVE-2022-2294 and CVE-2022-2295) Chromium updates for this July. Both updates only affect Edge (Chromium) and were released last week. Chrome should automatically update, with our initial analysis showing that both updates could have marginal impact on browser compatibility. You can read about this update on the Google Blog, with the technical details found on Git. Add these low-profile, low-risk updates to your standard browser release schedule.

    Windows

    With just 4 critical updates and 16 rated important this month, Microsoft is really giving IT admins a bit of a break. The 4 critical Windows updates for this release cycle include:
    CVE-2022-30221: This Windows vulnerability in the core graphics sub-system (GDI) could lead to a remote code execution (RCE) scenario.
    CVE-2022-22029 and CVE-2022-22039: These Windows Network File System issues could result in RCE scenarios on the compromised system.
    CVE-2022-22038: This low-level (Win32) RPC component, reported as difficult to exploit, could lead to very difficult troubleshooting scenarios.

    All of these critical updates have been officially confirmed as fixed, with no reports of public exploits on Windows desktop systems. The remaining 14 updates are rated important by Microsoft and affect the following Windows systems and components:

    Unfortunately, Windows Server 2012 did not fare so well, with reports of CVE-2022-22047 exploited in the wild. This Windows server vulnerability affects the Client Server Run-Time Subsystem (CSRSS), which is where all the badly behaving user mode drivers hang out. If you have any Windows Server 2012 under your care, this is a “Patch Now” update. Otherwise, add this very low-profile Windows update to your standard release schedule. And don't forget, Microsoft has delivered another Windows 11 update video; it is found here.

    Microsoft Office

    Microsoft released only two (CVE-2022-33632 and CVE-2022-33633) updates to Microsoft Office this month. Both updates are rated important by Microsoft, and both require local, authenticated privileges to the target system. Add these updates to your standard Office update schedule.

    Microsoft Exchange Server

    It's good that we get a break from Microsoft Exchange Server updates. Rather than simply resting, it may be worth investing in your Exchange security infrastructure. Microsoft has provided some major improvements on Exchange during the past year; here are a few ideas on securing your Exchange Server:
    Microsoft Safety Scanner: This command-line tool is downloaded from Microsoft (must be refreshed every 10 days) and removes malware from your target system. It's not a replacement for third-party tools, but if there is a concern about a machine, it's a good first step.
    Exchange On-premises Mitigation Tool (EOMT): If you are unable to quickly patch specific Exchange Servers, Microsoft offers a command line to mitigate against known attacks. This PowerShell script will both attempt to remediate as well as mitigate your servers against further attacks, noting that once finished, applying patches is the top priority.
    Exchange Emergency Mitigation Service (EM): The Exchange Emergency Mitigation service (EM service) keeps your Exchange Servers secure by applying mitigations/updates/fixes to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and will send diagnostic data back to Microsoft.

    All of these features and options are predicated on using at least Office 2019, another reason Microsoft has strongly recommended everyone move to Exchange Server 2019 at least. The EM Service was last used in March 2021 to deal with several Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858). These were specific attacks on on-premise servers. It's helpful to know this service is there, but I'm glad it has not been required recently.

    Microsoft Development Platforms

    As with Microsoft Exchange, Microsoft has not published any “new” security updates to the Microsoft .NET platform or tools this month. However, there was an issue with June's .NET update, which was addressed this month. This month's .NET release resolves the issue that some versions of .NET were not addressed by the previous patch; this is just an informational update. If you are using Microsoft Windows update infrastructure, no further action is required.

    Adobe (really just Reader)

    This is a big update from Adobe, with 15 updates rated as critical and 7 rated important, all just for Adobe Reader. The critical updates mainly relate to memory issues and can result in the execution of arbitrary code on the unpatched system. You can read more about the Adobe bulletin (APSB22-32) and Adobe security bulletins here. Add this application-specific update to your “Patch Now” release.

    Copyright © 2022 IDG Communications, Inc.
