Zero-day flaws mean it’s time to patch Exchange and Windows

This month’s Patch Tuesday update from Microsoft deals with 84 flaws and a zero-day affecting Microsoft Exchange that at the moment remains unresolved. The Windows updates focus on Microsoft security and networking components with a difficult-to-test update to COM and OLE db. And Microsoft browsers get 18 updates—nothing critical or urgent.

That leaves the focus this month on Microsoft Exchange and deploying mitigation efforts, rather than server updates, for the next week. More information about the risks of deploying these Patch Tuesday updates are available in this infographic.

Microsoft continues to improve both its vulnerability reporting and notifications with a new RSS feed, and Adobe has followed suit with improved reporting and release documentation. As a gentle reminder, support for Windows 10 21H1 ends in December.

Key testing scenarios

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups:

High Risk: For October, Microsoft has not recorded any high-risk functionality changes. This means it has not made major changes to core APIs or to the functionality to any of the core components or applications included in the Windows desktop and server ecosystems.

More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:

• A GDI update (GDIPLUS.DLL) requires testing of EMF, both 16- and 32-bit palette files (opening, printing, and creating).
• Microsoft’s Desktop Application Manager has been updated and will require both provisioning and un-provisioning applications (both install and uninstall testing is required).
• The Windows CLFS system has been updated to require a short test of creating, reading, updating, and deleting log files.

In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios:

• OLE DB: The venerable Microsoft OLE DB has been updated and requires all applications with a dependency on SQL Server 2012 or ADO.NET need to be fully tested before deployment. This Microsoft COM component (OLE DB) separates data from application logic through a set of connections that access data source, session(s), SQL commands, and row-set data.
• Roaming credentials, cryptography keys, and certificates: To find out more about Credential Roaming, check out Microsoft’s Jim Tierney’s posting and this great introduction to Credential Roaming.
• Encrypted VPN Connections: Microsoft updated the IKEv2 and L2TP/IPsec components this month. Testing with remote connections should last longer than eight hours. If you are having trouble with this update, Microsoft has published a L2TP/IPSec VPN Troubleshooting guide.

Unless otherwise specified, we should now assume each Patch Tuesday update will require testing core printing functions, including:

• printing from directly connected printers;
• large print jobs from servers (especially if they are also domain controllers);
• remote printing (using RDP and VPN).

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle.

• Devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. Resolving this issue will require a full/new installation of Microsoft Edge.
• Microsoft SharePoint: This update might affect some SharePoint 2010 workflow scenarios. It also generates “6ksbk” event tags in SharePoint Unified Logging System (ULS) logs.

One reported issue with the latest Microsoft Servicing Stack Update (SSU) KB5018410 is that Group Policy preferences may fail. Microsoft is working on a solution; in the meantime, the company posted the following mitigations:

1. Uncheck the “Run in logged-on user’s security context (user policy option).” Note: this might not mitigate the issue for items using a wildcard (*).
2. Within the affected Group Policy, change “Action” from “Replace” to “Update.”
3. If a wildcard (*) is used in the location or destination, deleting the trailing “” (backslash, without quotes) from the destination might allow the copy to be successful.

Major revisions

So far, Microsoft has not published any major revisions to its security advisories. 

Mitigations and workarounds

There are two mitigations and four work-arounds for this October Patch Tuesday, including:

• CVE-2022-41803: Visual Studio Code Elevation. Microsoft published a quick work-around for this security vulnerability that says: “Create a folder C:ProgramDatajupyterkernels and configure it to be writable only by the current user.”
• CVE-2022-22041: Windows Print Spooler Elevation. Microsoft’s published work-around advice for managing this vulnerability is to stop the printer spooler service on the target machine using the following PowerShell commands, “Stop-Service -Name Spooler -Force, and Set-Service -Name Spooler -StartupType Disabled.” This will stop the local print spooler on the machine and any printing services used by that system.

Microsoft has also noted that for the following reported network vulnerabilities, those systems are not affected if IPv6 is disabled and can be mitigated with the following PowerShell command: “Get-Service Ikeext:”

• CVE-2022-37976: Windows TCP/IP Driver Denial of Service Vulnerability;
• CVE-2022-34721: Windows Internet Key Exchange (IKE) Protocol Extensions;
• CVE-2022-3471, CVE-2022-33645 and CVE-2022-34718: Windows TCP/IP Remote Code Execution Vulnerability.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, maybe next year).

Browsers

Microsoft released 18 updates to Edge (Chromium). Only CVE-2022-41035 specifically applies to the browser, while the rest are Chromium related. You can find this month’s release note here. These are low profile, non-critical patches to Microsoft’s latest browser; they can be added to your standard release schedule.

Windows

Microsoft delivers patches for 10 critical and 57 important vulnerabilities that cover the following feature groups in the Windows platform:

• Windows Networking (DNS, TLS, remote access and the TCP/IP stack);
• Cryptography (IKE extensions and Kerberos);
• Printing (again);
• Microsoft COM and OLE DB;
• Remote Desktop (Connection Manager and APIs).

One COM+ object-related vulnerability (CVE-2022-41033) has been reported as exploited in the wild. This makes things tough for patch and update deployment teams. Testing COM objects is generally difficult due to the business logic required and contained within the application. Also, determining which applications depend on this feature is not straightforward. This is especially the case for in-house developed or line-of-business applications due to business criticality. We recommend assessing, isolating, and testing core business apps that have COM and OLE dB dependencies before a general deployment of the October update. Add this Windows update to your “Patch Now” schedule.

On the lighter side of things, Microsoft has released another Windows 11 update video.

Microsoft Office

This month we get two critical updates (CVE-2022-41038 and CVE-2022-38048) and four updates rated as important to the Microsoft Office platform. Unless you are managing multiple SharePoint servers, this is a relatively low-profile update, with no Preview Pane-based attack vectors and no reports of exploits in the wild. If you or your team experienced issues with Microsoft Outlook crashing (sorry, “closing”) last month, Microsoft has offers the following advice:

1. Sign out of Office;
2. Turn off Support Diagnostics;
3. Set the following registry key: [HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0OutlookOptionsGeneral] “DisableSupportDiagnostics”=dword:00000001;
4. Restart your system.

Given these changes and low-profile updates, we suggest that you add these Office patches to your standard release schedule.

Microsoft Exchange Server

We should have started with the Microsoft Exchange updates this month. The critical remote-pcode execution vulnerabilities (CVE-2022-41082 and CVE-2022-41040) in Exchange have been reported as exploited in the wild and have not been resolved with this security update. There are patches available, and they are official from Microsoft. However, these two updates to Microsoft Exchange Server do not fully fix the vulnerabilities.

The Microsoft Exchange Team blog makes this point explicitly in the middle of a release note:

“The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.”

Microsoft has published mitigation advice for these serious Exchange security issues, covering:

• CVE-2022-41040: Exchange Emergency Mitigation Service
• CVE-2022-41082: Disable Remote PowerShell for Exchange

We recommend implementing both the URL and PowerShell mitigations for all your Exchange servers. Watch this space, as we will see an update from Microsoft in the upcoming week. 

Microsoft development platforms

Microsoft has released four updates (all rated important) for Visual Studio and .NET. Though all four vulnerabilities (CVE-2022-41032, CVE-2022-41032, CVE-2022-41034 and CVE-2022-41083) have standard entries in the Microsoft Security Update Guide (MSUG), the Visual Studio team has also published these 17.3 Release notes. (And, just like Windows 11, we even get a video.) All four of these updates are low-risk, low-profile updates to the development platform. Add these to your standard developer release schedule.

Adobe (really just Reader)

Adobe Reader has been updated (APSB22-46) to resolve six memory related vulnerabilities. With this release, Adobe has also updated release documentation to include Known Issues and planned Release Notes. These notes cover both Windows and MacOS and both versions of Reader (DC and Continuous). All six reported vulnerabilities have the lowest Adobe rating, 3, which Adobe helpfully offers the following patch advice for: “Adobe recommends administrators install the update at their discretion.”

We agree — add these Adobe Reader updates to your standard patch deployment schedule.