Microsoft delivers a solid, low-impact Patch Tuesday

Credit to Author: Greg Lambert| Date: Sat, 12 Mar 2022 05:10:00 -0800

March brings us a solid set of updates from Microsoft for Windows, Microsoft Office, Exchange, and Edge (Chromium), but no critical issues requiring a “Patch Now” release schedule (though Microsoft Exchange will require some technical effort this month). We have published some testing guidelines, with a focus on printing, remote desktop over VPN connections, and server-based networking changes. We also recommend testing your Windows installer packages with a specific focus on roll-back and uninstall functionality.

You can find more information about the risk of deploying these Patch Tuesday updates with this useful infographic. And, if you are looking for more information on .NET updates, there is a great post from Microsoft that highlights this month’s changes.

There was at least one high-risk reported change to the Windows platform for March. We have included the following rough testing guidelines based on our analysis of the changed files and contents of this month’s Windows and Office updates:

If you have time, it may be worth testing UNC paths to DOS boxes (due to several changes to the networking and authentication stack). There’s also been an update to the FastFAT system driver and how End User Defined Characters (EUDC) are handled. Microsoft has now included deployment and reboot requirements for this March 2022 update in a single page.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this cycle. There is more than usual this time, so I’ve referenced a few key issues that relate to the latest builds from Microsoft, including:

There was an outstanding issue from January’s update cycle where the executable DWM.EXE crashes after installing KB5010386. This issue has now been resolved. If you are looking for more data on these types of reported issues, one great resource from Microsoft is the Health Center — specifically, you can find out about Windows 10 and Windows 11 known issues and their current status.

Though there is a much smaller list of patches for this patch cycle, Microsoft released several revisions to previous patches, including:

This month, Microsoft has not published any mitigations or workarounds for the Windows, Microsoft Office, browser or development platform updates and patches. There is an ongoing list of mitigations and updates related to known issues for Microsoft Exchange (they’re included in our Exchange-related section).

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Following a trend set by Microsoft over the past few months, only the Chromium Edge browser has been updated. With no critical updates, and 21 reported vulnerabilities rated as important by Microsoft, this is another easy update cycle. Other than working through potential issues with the Brotli compression engine, you should be able to deploy the browser updates on your normal release schedule.

Following the trend of fewer (in number and in nature) updates this month, Microsoft released just two critical updates (CVE-2022-22006 and CVE-2022-24501). Neither update is likely to affect core platforms as each patches a singular video codec and a Microsoft Store component. The remaining 40 patches are all rated as important by Microsoft and update the following core Windows components:

You may want to add a Windows Installer test to your testing regime this month. Add these Windows updates to your standard release schedule.

If you were ever looking for a “low-risk” patch profile for Microsoft Office, this month’s updates are a very good candidate. Microsoft has released six patches to Office, all of which are rated as important. Most importantly, they either affect Skype (which is not so important) or the “Click to Run” (CTR) installation of Office. The CTR version is the virtualized, self-contained version of the Office install that is streamed down to the target system. By design, these installations have little to no effect on the operating system and given the nature of the changes made this month, there is very little deployment risk. Add these Office updates to your standard deployment schedule.

Finally, a critical vulnerability from Microsoft. No…, wait! Darn, it’s for Exchange. Microsoft Exchange is in the bad books this month with one of the few critical-rated vulnerabilities (CVE-2022-23277). Of the two Exchange-related patches for March, the other (CVE-2022-24463) is rated as important and could lead to a potential credential spoofing scenario. The critical issue is rated as highly likely to be exploited, but does require that the attacker is authenticated. This is not a “worm-able” vulnerability, so we recommend you add the Microsoft Exchange updates to your standard server deployment. This update will require a reboot to your servers. There have been several published issues with recent Microsoft Exchange updates, and so we have included a list of known issues when updating your Exchange Servers, including:

Microsoft has published a workaround for the “400 Bad Request” error. 

Microsoft released just four updates to its development platforms for March, all rated important. Two patches are for the .NET platform (CVE-2022-24512 and CVE-2022-24464), both of which require user interaction to deliver their payload, at worst resulting in an elevation-of-privilege attack. The Microsoft patch that may give you a headache was raised by Google in 2020 (hence it’s CVE identifier of CVE-2020-8927). This Patch Tuesday update to Brotli may affect how your web pages are compressed (notice I did not say “zipped”). Before you deploy this update, take a quick look at your internal web pages and browser-based applications using Brotli for adverse effects on decompressing CSS and JavaScript (hint, hint). Otherwise, add these updates to your standard patch schedule.

Just like last month, Adobe has not released any updates or patches to the Adobe Reader product lines. This is good news, and hopefully part of a larger trend. I’m hoping that Adobe Reader updates follow the same patch as Microsoft’s browser patches (ever decreasing numbers of critical updates), and then, as with the Microsoft Chromium browser, we see only a few security issues rated as important by both the community and Microsoft. Adobe has released a few patches to its Photoshop, After Effects and Illustrator products. However, these are product-focused updates and should not affect your general desktop/server patch roll-out schedules.

http://www.computerworld.com/category/security/index.rss