With a light July Patch Tuesday, it's time to invest in your IT processes
Credit to Author: Greg Lambert| Date: Fri, 15 Jul 2022 12:04:00 -0700
Though we get a reprieve from Exchange updates in this month’s Patch Tuesday update, more printer updates are on the way. Even with no updates for Microsoft Exchange or Visual Studio, Adobe is back with 15 critical updates for Adobe Reader. And Microsoft’s new patch deployment tool Auto-Patch is now live. (I always thought application testing was the main problem here, but actually getting patches deployed is still tough.)
Though the numbers are still quite high (with 86+ reported vulnerabilities), the testing and deployment profile for July should be fairly moderate. We suggest taking the time to harden your Exchange Server defenses and mitigation processes, and invest in your testing processes.
You can find more information on the risk of deploying these Patch Tuesday updates in our helpful infographic .
Given the large number of changes in this July patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups:
High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require creating new testing plans.
Core printing functionality has been updated:
The core changes relate to how Microsoft supports timestamp checking for kernel drivers, so testing applications that require digitally signed binaries is key for this cycle. The big change here is that unsigned drivers should not load. This may cause some application issues or compatibility problems. We recommend a scan of the application portfolio, identifying all applications that depend upon drivers (both signed and unsigned), and generating a test plan that includes installation, application exercising, and uninstall. Having a comparison between pre- and post- patched machines would be helpful, too.
The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
And Curl. Specifically, CURL.EXE: — a command line tool for sending files via HTTP protocols (hence “client URL”) — has been updated this month. Curl for Windows (the one that is being updated this month) is different from the Open Source project curl. If you are confused why the Curl project team offers this, here’s the answer:
“The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them. You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.”
With that said, we recommend teams that use the curl command (sourced from the Windows supported branch) give their scripts a quick test run. Microsoft has published a testing scenario matrix that this month includes:
Note: for each of these testing scenarios, a manual shut-down, reboot and restart is suggested.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. For July, there are some complex changes to consider:
This month, Microsoft has not formally published any major revisions or updates to previous patches. There was a kind of “sneaky” update from the .NET group that really should have been included in the formal Microsoft documentation update process. However, that update was merely documented support for later versions of Visual Studio.
Microsoft published one key mitigation for a Windows network vulnerability:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
It just keeps getting better. The downward trend for Microsoft’s browser reported vulnerability continues to track ever lower with just two (CVE-2022-2294 and CVE-2022-2295) Chromium updates for this July. Both updates only affect Edge (Chromium) and were released last week. Chrome should automatically update, with our initial analysis showing that both updates will have marginal impact on browser compatibility. You can read about this update on the Google Blog, with the technical details found on Git. Add these low-profile, low-risk updates to your standard browser release schedule.
With just four critical updates and 16 rated important this month, Microsoft is really giving IT admins a bit of a break. The four critical Windows update for this release cycle include:
All of these critical updates have been officially confirmed as fixed, with no reports of public exploits on Windows desktop systems. The remaining 14 updates are rated important by Microsoft and affect the following Windows systems and components:
Unfortunately, Windows Server 2012 did not fare so well, with reports of CVE-2022-22047 exploited in the wild. This Windows server vulnerability affects the Client Server Run-Time subsystem (CRSS) which is where all the badly behaving user mode drivers hang out. If you have any Windows Server 2012 under your care, this is a “Patch Now” update. Otherwise, add this very low-profile Windows update to your standard release schedule. And don’t forget, Microsoft has delivered another Windows 11 update video; it’s found here .
Microsoft released only two (CVE-2022-33632 and CVE-2022-33633) updates to Microsoft Office this month. Both updates are rated important by Microsoft, and both require local, authenticated privileges to the target system. Add these updates to your standard Office update schedule.
It’s good that we get a break from Microsoft Exchange Server updates. Rather than simply resting, it may be worth investing in your Exchange security infrastructure. Microsoft has provided some major improvements on Exchange during the past year; here are a few ideas on securing your Exchange Server:
All of these features and offerings are predicated on using at least Office 2019 — another reason Microsoft has strongly recommended everyone move to Exchange Server 2019 at least. The EM Service was last used in March 2021 to deal with several Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858). These were specific attacks on on-premise servers. It’s helpful to know this service is there, but I’m glad it has not been required recently.
As with Microsoft Exchange, Microsoft has not published any “new” security updates to the Microsoft .NET platform or tools this month. However, there was a problem with June’s .NET update, which was addressed this month. This month’s .NET release resolves the issue that some versions of .NET were not addressed by the previous patch — this is just an informational update. If you are using Microsoft Windows update infrastructure, no further action is required.
This is a big update from Adobe, with 15 updates rated as critical and seven rated important, all just for Adobe Reader. The critical updates mainly relate to memory issues and could lead to the exercise of arbitrary code on the unpatched system. You can read more about the Adobe bulletin (APSB22-32) and Adobe security bulletins here. Add this application specific update to your “Patch Now” release.