Zero-day flaws mean it's time to patch Exchange and Windows

This month’s Patch Tuesday update from Microsoft deals with 84 flaws and a zero-day affecting Microsoft Exchange that at the moment remains unresolved. The Windows updates focus on Microsoft security and networking components with a difficult-to-test update to COM and OLE db. And Microsoft browsers get 18 updates—nothing critical or urgent.

That leaves the focus this month on Microsoft Exchange and deploying mitigation efforts, rather than server updates, for the next week. More information about the risks of deploying these Patch Tuesday updates are available in this infographic.

Microsoft continues to improve both its vulnerability reporting and notifications with a new RSS feed, and Adobe has followed suit with improved reporting and release documentation. As a gentle reminder, support for Windows 10 21H1 ends in December.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups:

High Risk: For October, Microsoft has not recorded any high-risk functionality changes. This means it has not made major changes to core APIs or to the functionality to any of the core components or applications included in the Windows desktop and server ecosystems.

More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:

In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios:

Unless otherwise specified, we should now assume each Patch Tuesday update will require testing core printing functions, including:

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle.

One reported issue with the latest Microsoft Servicing Stack Update (SSU) KB5018410 is that Group Policy preferences may fail. Microsoft is working on a solution; in the meantime, the company posted the following mitigations:

So far, Microsoft has not published any major revisions to its security advisories. 

There are two mitigations and four work-arounds for this October Patch Tuesday, including:

Microsoft has also noted that for the following reported network vulnerabilities, those systems are not affected if IPv6 is disabled and can be mitigated with the following PowerShell command: “Get-Service Ikeext:”

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Microsoft released 18 updates to Edge (Chromium). Only CVE-2022-41035 specifically applies to the browser, while the rest are Chromium related. You can find this month’s release note here. These are low profile, non-critical patches to Microsoft’s latest browser; they can be added to your standard release schedule.

Microsoft delivers patches for 10 critical and 57 important vulnerabilities that cover the following feature groups in the Windows platform:

One COM+ object-related vulnerability (CVE-2022-41033) has been reported as exploited in the wild. This makes things tough for patch and update deployment teams. Testing COM objects is generally difficult due to the business logic required and contained within the application. Also, determining which applications depend on this feature is not straightforward. This is especially the case for in-house developed or line-of-business applications due to business criticality. We recommend assessing, isolating, and testing core business apps that have COM and OLE dB dependencies before a general deployment of the October update. Add this Windows update to your “Patch Now” schedule.

On the lighter side of things, Microsoft has released another Windows 11 update video.

This month we get two critical updates (CVE-2022-41038 and CVE-2022-38048) and four updates rated as important to the Microsoft Office platform. Unless you are managing multiple SharePoint servers, this is a relatively low-profile update, with no Preview Pane-based attack vectors and no reports of exploits in the wild. If you or your team experienced issues with Microsoft Outlook crashing (sorry, “closing”) last month, Microsoft has offers the following advice:

Given these changes and low-profile updates, we suggest that you add these Office patches to your standard release schedule.

We should have started with the Microsoft Exchange updates this month. The critical remote-pcode execution vulnerabilities (CVE-2022-41082 and CVE-2022-41040) in Exchange have been reported as exploited in the wild and have not been resolved with this security update. There are patches available, and they are official from Microsoft. However, these two updates to Microsoft Exchange Server do not fully fix the vulnerabilities.

The Microsoft Exchange Team blog makes this point explicitly in the middle of a release note:

“The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.”

Microsoft has published mitigation advice for these serious Exchange security issues, covering:

We recommend implementing both the URL and PowerShell mitigations for all your Exchange servers. Watch this space, as we will see an update from Microsoft in the upcoming week. 

Microsoft development platforms

Microsoft has released four updates (all rated important) for Visual Studio and .NET. Though all four vulnerabilities (CVE-2022-41032, CVE-2022-41032, CVE-2022-41034 and CVE-2022-41083) have standard entries in the Microsoft Security Update Guide (MSUG), the Visual Studio team has also published these 17.3 Release notes. (And, just like Windows 11, we even get a video.) All four of these updates are low-risk, low-profile updates to the development platform. Add these to your standard developer release schedule.

Adobe Reader has been updated (APSB22-46) to resolve six memory related vulnerabilities. With this release, Adobe has also updated release documentation to include Known Issues and planned Release Notes. These notes cover both Windows and MacOS and both versions of Reader (DC and Continuous). All six reported vulnerabilities have the lowest Adobe rating, 3, which Adobe helpfully offers the following patch advice for: “Adobe recommends administrators install the update at their discretion.”

We agree — add these Adobe Reader updates to your standard patch deployment schedule.

http://www.computerworld.com/category/security/index.rss