Take your time testing these February Patch Tuesday updates

Credit to Author: Greg Lambert| Date: Fri, 11 Feb 2022 12:21:00 -0800

There are (as of now) 51 patches to the Windows ecosystem for February, but no critical updates and no “Patch Now” recommendations from the Readiness team. I’m hoping that with this month’s list of Patch Tuesday updates, we can enjoy the quiet after the storm. January was tough for a lot of folks. And, with this month’s very light release from Microsoft, corporate security and systems administrators can take the time needed to test their applications and desktop/server builds. It’s also important to invest in their testing methodologies, release practices, and how their applications may be affected by OS-level updates and patches.

You can find more information on the risk of deploying these Patch Tuesday updates using our detailed infographic.

There are no reported high-risk changes to Windows this month. However, there is one reported functional change, and an additional feature added:

When testing your printing services, ensure that you are validating your spooler and SHD (shadow files). Testing these service artifacts is especially important if you employ symbolic or hard links to access these jobs.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. There is more than usual, so I have referenced a few key issues that relate to the latest builds from Microsoft including:

After installing updates released Jan. 11 or later, applications that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might have issues. The apps might fail or close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error. To resolve this issue manually, apply the out-of-band updates for the version of the .NET Framework used by the app. We recommend that you scan your internal line of business applications for any dependencies on System.DirectoryServices API.

Though there is a much smaller list of patches this month, Microsoft released several revisions to previous patches, including:

This month Microsoft has published two mitigating factors, including:

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

There are a total of 22 (+1) updates to the Microsoft Edge (Chromium) browser this month. None are critical, with one patch rated moderate and the remaining rated important. Unusually, there was an additional update for Microsoft Edge posted yesterday (CVE-2022-23246) that was included as part of an updated release note for Microsoft Edge security update found here. Add these Chrome (Edge and Chromium) updates to your regular update release schedule.

We were hoping for a quieter update this month and Microsoft really delivered — with no critical updates for Windows or Microsoft Office. Given that January’s release was large and complex, several problems were encountered, including:

To remedy these and other reported (minor) issues, a rare Out-of-Band (OOB) update was released on Jan 17. Microsoft has posted 26 patches this month, covering Hyper-V, printing, error/logging sub-systems, networking, and video codecs. Given the testing requirements for these types of changes to the core operating system, we suggest a staged approach and adding these Windows updates to your standard update release schedule.

This month’s patches for Microsoft Office will install on the following baselines:

Though Microsoft has published 11 updates (all rated important) for this release, only eight apply to Windows systems. Microsoft has shared some basic testing guidelines for the updates, including:

Microsoft also published a major known issue with this month’s Office update, saying: “The Machine Translation service fails if the content contains certain HTML tags.” To work around this issue, see Publishing pages cannot be translated in SharePoint Server 2019 (KB5011291). All the local office installations (excluding click-to-run virtualized instances) require user interactions and do not significantly degrade the system if affected. These patches represent a low risk and have been documented to affect core functionality (potentially affecting dependent line-of-business applications). Add these updates to your standard Office update schedule.

Following the trend of a very light patch cycle, Microsoft has not released any updates for the Exchange Server platform. 

Things are definitely light on the ground this month, but we do have a few very minor updates for Microsoft development tools, including two patches to Visual Studio (CVE-2022-21986 and CVE-2022-21991) Both of these minor updates are rated important by Microsoft and should be (almost casually) added to your standard development patch schedule.

Adobe released several security updates this month, but luckily nothing for Adobe Reader. You can find Adobe’s February release notes here; it relates to Adobe Premier, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Let’s see what Adobe has in store for us in March.

http://www.computerworld.com/category/security/index.rss