June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are no Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows component, CVE-2022-30190, led to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.
You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
Key testing scenarios
Given the large number of changes included in this June patch cycle, I’ve broken out the testing scenarios for high-risk and standard-risk groups.
These high-risk changes are likely to include functionality changes, may deprecate existing functions, and will likely require new testing plans. Test your signed drivers using physical and virtual machines (BIOS and UEFI) and across all platforms (x86, 64-bit):
- Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
- Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
- Use SHA-1 signed versus SHA-2 signed drivers.
Each of these high-risk test cycles must include a manual shut-down, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
- Test remote Credential Guard scenarios. (These tests will require Kerberos authentication, and can only be used with the RDP protocol.)
- Test your Hyper-V servers and start/stop/resume your Virtual Machines (VM).
- Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
- Test deploy sample applications using AADJ and Intune. Ensure that you deploy and revoke access as part of your test cycle.
In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update. This is due to the changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. It’s good to challenge each application package as part of the Quality Assurance (QA) process that includes the key application lifecycle stages of installation, activation, update, repair, and then uninstall.
Not testing these stages could leave IT systems in an undesirable state — at the very least, it will be an unknown state.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
- After installing this June update, Windows devices that use certain GPUs might cause applications to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). No resolutions for these reported issues yet.
- After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.
As you may be aware, Microsoft published an out-of-band update (OOB) last month (on May 19). This update affected the following core Windows Server based networking features:
The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controller servers. Desktop platforms are not affected. Due to this earlier patch, Microsoft has recommended that this June’s update be installed on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC) first. Then install this update on all DC role computers. Or pre-populate CertificateMappingMethods to 0x1F as documented in the registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.
Did you get that? I must note, with a certain sense of irony, that the most detailed, order-specific set of instructions that Microsoft has ever published (ever) is buried deep, mid-way through a very long technical article. I hope everyone is paying attention.
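The install order described above, expressed as a gate you can run over a server inventory before each rollout step. This is an added example, not Microsoft's or the author's code; the function name, the inventory fields (Role, JunePatched, MappingValue) and the host names are hypothetical, and the sample inventory is constructed.

```powershell
# Constructed inventory (hypothetical hosts). JunePatched: June 14 update installed.
# MappingValue: CertificateMappingMethods found on a DC ($null = value not present).
$inventory = @(
    [pscustomobject]@{ Name = 'APP01'; Role = 'Intermediate'; JunePatched = $true;  MappingValue = $null }
    [pscustomobject]@{ Name = 'APP02'; Role = 'Intermediate'; JunePatched = $false; MappingValue = $null }
    [pscustomobject]@{ Name = 'DC01';  Role = 'DC';           JunePatched = $true;  MappingValue = 0x1F }
    [pscustomobject]@{ Name = 'DC02';  Role = 'DC';           JunePatched = $true;  MappingValue = $null }
)

function Get-JuneRolloutStatus {
    param([Parameter(Mandatory)][object[]]$Inventory)

    $dcs        = @($Inventory | Where-Object { $_.Role -eq 'DC' })
    $pendingMid = @($Inventory | Where-Object { $_.Role -eq 'Intermediate' -and -not $_.JunePatched })
    $pendingDc  = @($dcs | Where-Object { -not $_.JunePatched })
    $withValue  = @($dcs | Where-Object { $null -ne $_.MappingValue })

    # A DC patched ahead of an intermediate server is only in order if it
    # carries the pre-populated 0x1F value.
    $outOfOrder = @()
    if ($pendingMid.Count -gt 0) {
        $outOfOrder = @($dcs | Where-Object { $_.JunePatched -and $_.MappingValue -ne 0x1F })
    }

    if     ($outOfOrder.Count -gt 0) { $next = 'Set CertificateMappingMethods to 0x1F on out-of-order DCs' }
    elseif ($pendingMid.Count -gt 0) { $next = 'Install the June update on intermediate/application servers' }
    elseif ($pendingDc.Count  -gt 0) { $next = 'Install the June update on domain controllers' }
    elseif ($withValue.Count  -gt 0) { $next = 'Delete CertificateMappingMethods on DCs' }
    else                             { $next = 'Rollout complete' }

    [pscustomobject]@{
        NextStep             = $next
        PendingIntermediates = $pendingMid.Name
        PendingDCs           = $pendingDc.Name
        OutOfOrderDCs        = $outOfOrder.Name
        # Deletion is allowed only once every server in both groups is patched.
        DeleteMappingAllowed = ($pendingMid.Count -eq 0 -and $pendingDc.Count -eq 0)
    }
}

Get-JuneRolloutStatus -Inventory $inventory | Format-List
```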
Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:
- CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.
- CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to affected applications (now affecting the MAC platform). No further action required.
- CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now affecting the MAC platform). No further action required.
- CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major update to this patch is a bit of a mess. This patch was mistakenly allocated to the Windows security update group. Microsoft has removed this Endpoint manager from the Windows group and has provided the following options to access and install this hot-fix:
  - Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See Checklist for installing update 2203 for Configuration Manager for more information.
  - Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager, versions 1910 through versions 2111 who are not able to install Configuration Manager Update 2203 (Build 5.00.9078) can download and install hot-fix KB12819689.
- CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal — we were affected by this issue with massive server performance spikes. If you are having issues with MSDT, you need to read the MSRC blog post, which includes detailed instructions on updates and mitigations. To solve our issues, we had to disable the MSDT URL protocol, which has its own problems.
I think that we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but both changes do not have significant testing profiles. DCOM changes are different — they’re tough to test and generally require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired results. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you will have some unpleasant surprises — with very difficult-to-debug troubleshooting scenarios.
Mitigations and workarounds
For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
- CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I’ve seen this, but for this mitigation, Microsoft strongly recommends you install the May 2022 update first. Once done, you can reduce your attack surface area by disabling NFSV4.1 with the following PowerShell command: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”
Making this change will require a restart of the target server.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
We’re seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:
A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.
With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus — especially given the low-risk, low-profile updates to Microsoft Browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including: NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and docker components. As mentioned earlier, the most difficult-to-test and troubleshoot will be the kernel updates and the local security sub-system (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily due to the number of core infrastructural changes that should be picked up in early testing. (Microsoft has published another video about the changes this month to the Windows 11 platform, found here.)
Microsoft has fixed the widely-exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which given the other three critical updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139) leads to a “Patch Now” recommendation.
Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core foundation library), all of them rated important. The SharePoint server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker location. This Excel vulnerability is more of an Arbitrary Code Execution vulnerability; given that it requires user interaction and access to a local target system, it is a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.
Microsoft Exchange Server
We have a SQL server update this month, but no Microsoft Exchange Server updates for June. This is good news.
Microsoft development platforms
Microsoft has released a single, relatively low-risk (CVE-2022-30184) update to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Mac Visual Studio 2022 (still in preview) as soon as possible. As of July (yes, next month) the Mac version of Visual Studio 2019 will no longer be supported. And yes, losing patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.
Adobe (really, just Reader)
There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for their other (non-Acrobat or PDF related) applications — all of which are rated at the lowest level 3 by Adobe. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.
Copyright © 2022 IDG Communications, Inc.