Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days

Microsoft's August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it's back!) and Visual Studio, and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment.

The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it's time to pay attention to Microsoft updates again. We have made "Patch Now" recommendations for Windows, Exchange and Adobe for this month.

You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

Key testing scenarios

Given the large number of changes included in this August patch cycle, I have broken down the testing scenarios into high risk and standard risk groups:

High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans:

  • Service Stack Update: There is a significant change to the Microsoft Servicing Stack (SSU). I have written a brief explainer that details some of the ways that Microsoft "updates the update process" and how its servicing stack has moved to a single, combined update each Patch Tuesday. The changes included for August will require reboot testing to gather/collate and then parse event viewer logs. Microsoft provided a useful reference to Windows Boot Manager event viewer files found in KB5016061.
  • Web Printing: Though there do not appear to be any functional changes, Microsoft has updated how web documents (HTML and JPEG) are printed. Basic print testing is required here. It does not look like this update will take down any servers, print server or otherwise.

The following updates are not documented as functional changes, but still require a full test cycle:

  • Microsoft FAX: Like printing, we have to test enterprise FAX services with each Patch Tuesday update. This month's update is actually pretty cool; it addresses a vulnerability in junctions, which I have not used since the early 2000s. Here's a hint: avoid FAX drivers, and don't use junctions. They were a cool way to handle directory redirect requirements through the registry, and are definitely not needed on a modern desktop.
  • DirectComposition: This Windows component allows for rapid bitmapping and animations. There was an API update this month that will require testing for internally developed applications. I can't share the exact API changes, but I suggest you scan your applications (and subsequently test) for any references to IDCompositionDevice3.
  • Microsoft Office Updates: We recommend a general "smoke" test for all updated Microsoft Office products this month. Specifically for Outlook, we recommend testing with a Gmail account and then switching to a Microsoft account; test sending invites between accounts. This applies to all supported versions of Microsoft Office.

Given the changes to the SSU, Windows Boot Manager and updates to the Windows kernel (WIN32KY.SYS) this month, it may be worth looking at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF). You will need to know C++ or C# and you will need the Windows Driver Kit (WDK). Note that for each of these testing scenarios, a manual shut-down, reboot and restart is suggested, with a focus on Boot Manager entries in the event viewer logs.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. This month, there are some really complex changes:

  • The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading on systems with the Unified Extensible Firmware Interface (UEFI). The KB5012170 update adds modules to the DBX in an attempt to address a vulnerability that exists in the secure boot loader process. Unfortunately, if BitLocker is enabled with the PCR7 binding, this update may fail. To resolve this issue, use the following command: "Manage-bde -Protectors -Disable C: -RebootCount 1". Then deploy the update and reboot.
  • After installing KB4493509, devices with some Asian language packs installed may receive the error "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND". PSFX is a differential compression mode used in reducing the size of Microsoft updates. Microsoft has probably published the most interesting update and deployment and packaging article ever to be included in the middle of a long technical article related to packaging and updates. Given that this issue relates to how Windows installs feature-level components, Microsoft recommends reinstalling any language packs. This usually solves the problem, though it is not an official fix.
  • After installing this month's update on Windows 10 builds, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. Microsoft is still working on an official fix.

And for the latest release of Windows 11, it appears as if this month's update may lead to the application XPS Viewer behaving badly (using increasing processor and memory resources) before closing unexpectedly (i.e. badly). A reboot will resolve the issue until Microsoft posts a fix.
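
The KB5012170 pre-check from the known issues above, as an added PowerShell example that is not from the original article or from Microsoft: it parses `manage-bde -protectors -get` output and reports whether BitLocker protection is on with a PCR7-bound TPM protector, which is the condition under which the update may fail. The function names and the sample output are constructed for illustration, and English-language manage-bde output is assumed.

```powershell
# Added example: decide whether BitLocker should be suspended before KB5012170.
# Assumption: English-language `manage-bde -protectors -get` output.

function Get-PcrValidationProfile {
    param([Parameter(Mandatory)][string]$ManageBdeOutput)
    # The PCR list may sit on the same line as the label or on the following line.
    $m = [regex]::Match($ManageBdeOutput,
        'PCR Validation Profile:\s*((?:\d+\s*,\s*)*\d+)')
    if (-not $m.Success) { return @() }   # no TPM protector listed
    return @($m.Groups[1].Value -split '\s*,\s*' | ForEach-Object { [int]$_ })
}

function Test-SuspendNeeded {
    param(
        [Parameter(Mandatory)][string]$ManageBdeOutput,
        [Parameter(Mandatory)][bool]$ProtectionOn
    )
    # Both conditions must hold: protection is on AND the TPM protector binds PCR 7.
    $pcrs = Get-PcrValidationProfile -ManageBdeOutput $ManageBdeOutput
    return ($ProtectionOn -and ($pcrs -contains 7))
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Volume C: [OSDisk]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@

# Profile that includes PCR 7, protection on.
Test-SuspendNeeded -ManageBdeOutput $sample -ProtectionOn $true
# Same volume with a constructed profile that does not include PCR 7.
Test-SuspendNeeded -ManageBdeOutput ($sample -replace '7, 11', '0, 2, 4, 11') -ProtectionOn $true

# On a live system (elevated prompt), feed in the real state before patching:
#   $out = (manage-bde -protectors -get C:) -join "`n"
#   $on  = (Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -eq 'On'
#   if (Test-SuspendNeeded -ManageBdeOutput $out -ProtectionOn $on) {
#       manage-bde -protectors -disable C: -RebootCount 1
#   }
```

With `-RebootCount 1`, protection resumes on its own after the single reboot that completes the update, so the volume is not left suspended.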

Major revisions

Though we have fewer "new" patches released this month, there are a number of updated and newly released patches from previous months:

  • CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This is the fourth update to this .NET security fix. First released in April, all subsequent revisions have related to updating the products that are affected by this patch. It appears that all versions of Windows 10, Windows Server 2016 and with this latest revision, Windows 8 and Server 2012, are affected. If you are using Windows Update (and even Autopatch), no further action is required.
  • CVE-2022-30130: .NET Framework Denial of Service Vulnerability. This revision to May's update now includes coverage for Windows 8 and Server 2012. This is only an informational update; no further action required.
  • ADV200011: Microsoft Guidance for Addressing Security Feature Bypass in GRUB. This revision relates to the Linux sub-system boot loader in Windows. For more information refer to KB5012170 and the very informative blog post, "There's a hole in the boot."

Mitigations and workarounds

  • CVE-2022-34715: Windows Network File System Remote Code Execution Vulnerability. Microsoft has offered a set of PowerShell mitigation commands to reduce the severity of an attack by disabling NFSV4.1: "PS C:\Set-NfsServerConfiguration -EnableNFSV4 $false". Running this command will require a reboot of the target system. Microsoft recommends patching these systems as soon as possible, even with NFSV4.1 disabled.
  • CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability. Microsoft advises that this vulnerability is applicable if you are, in fact, actually running Active Directory Certificate Services. If you are, you must deploy the Microsoft May 10 update immediately and enable Audit events. Take your time planning and deploying this patch as it may put your server into a special compatibility mode. You can read more here: KB5014754. You have until May 9, 2023 before Microsoft closes this loophole.

Probably the most important workaround this month relates to Microsoft Outlook crashing and locking up immediately after start-up. Microsoft explains, "When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding." Microsoft is currently working on the issue and we expect an update soon. Microsoft offered the following workarounds:

  1. Sign out and back in to Office.
  2. Disable support diagnostics in Outlook using the following registry key: software\policies\microsoft\office\16.0\outlook\options\general\disablesupportdiagnostics, Disabled value =0
  3. Manually set the email address to the identity of the user that is seeing the issue in the registry path.

You can find out more about Microsoft Diagnostic settings here. This is a little embarrassing for Microsoft as this is another significant Office issue following the recent Uber receipt crashing issue.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • And Adobe (retired???, maybe next year).

Browsers

Microsoft released three updates to its Edge browser (CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796). Following a trend, none of these are rated as critical. There were also 17 updates to the Chromium project. Google has published all these changes in its update log. For further information, refer to the Chromium security update page. Along with these security fixes, there were several new features in the latest stable release (103) which can be found here. Add these low-profile updates to your standard patch release schedule.

Windows

Microsoft addressed 13 critical issues and 43 issues rated important this month. This is a fairly broad update that covers the following key Windows features:

  • Windows Point-to-Point Tunneling Protocol including RAS;
  • Kernel Updates (Win32K.SYS);
  • Windows Secure Socket Tunneling Protocol (SSTP);
  • Windows Print Spooler Components.

In addition to this large update, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability) has been reported as both publicly disclosed and exploited in the wild, making this a serious Windows zero-day. This serious Windows security flaw is a path traversal flaw that attackers can exploit to copy an executable to the Windows Startup folder when a user opens a specially-crafted file through an email client or downloaded from the web. In lighter news, you can find the latest Windows 11 update video here. Add these critical Windows updates to your "Patch Now" release schedule.

Microsoft Office

Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month's release cycle delivers only four updates, all rated important. Microsoft Excel, Outlook and a few core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.

Microsoft Exchange Server

Unfortunately we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to include self-extracting EXEs. You will not find these latest updates in the Microsoft catalog, so I have included a list of updates available for the following specific builds of Exchange Server:

Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134) which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security related fixes immediately (italics added by Microsoft). To get the latest updates, you may also want to run the Exchange SetupAssist PowerShell script.

Your team may already be comfortable with the new update format, but if you are not sure about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me a while just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month's updates to your "Patch Now" schedule, noting that all updates this month will require a server reboot.

Microsoft development platforms

Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically challenging blind "external entity" injection (XXE) attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited through a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.

Adobe (really just Reader)

Who would have thought it? We are back this August with three updates rated critical and four as important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month's patch cycle. All seven reported vulnerabilities relate to memory leak issues and could lead to a remote code execution scenario (RCE), requiring immediate attention. Add these Adobe updates to your "Patch Now" schedule.
