April’s Patch Tuesday: a lot of large, diverse and urgent updates

This week’s Patch Tuesday release was huge, diverse, risky, and urgent, with late update arrivals for Microsoft browsers (CVE-2022-1364) and two zero-day vulnerabilities affecting Windows (CVE-2022-26809 and CVE-2022-24500). Fortunately, Microsoft has not released any patches for Microsoft Exchange, but this month we do have to deal with more Adobe (PDF) printing related vulnerabilities and associated testing efforts. We have added the Windows and Adobe updates to our “Patch Now” schedule, and will be watching closely to see what happens with any further Microsoft Office updates. 

As a reminder, Windows 10 1909/20H2 (Home and Pro) will reach their end of servicing dates on May 10. And if you are looking for an easy way to update your server-based .NET components, Microsoft now has .NET auto-update updates for servers. You can find more information on the risk of deploying these Patch Tuesday updates in this useful infographic.

Key testing scenarios

Given what we know so far, there are three reported high-risk changes included in this month’s patch release, including:

• Printer update(s) to the SPOOL component, which may affect page printing from browsers and graphically dense images.
• A network update to named pipes that may cause issues with Microsoft’s remote desktop services.

More generally, given the large number and diverse nature of the changes for this month’s cycle, we recommend testing the following areas:

• Test your DNS Zone and Server Scope operations if used on your local servers (DNS Manager);
• Test printing PDFs from your browsers (both desktop and server);
• Test your FAX (Castelle anyone?) and telephone (telephony) based applications;
• And install, repair, and uninstall your core application packages (this probably should be automated, with a baseline data for detailed analysis).

Microsoft has updated a number of APIs, including key file and kernel components (FindNextFile, FindFirstStream and FindNextStream). Given the ubiquity of these common API calls, we suggest creating a server stress test that employs very heavy local file loads and pay particular attention to the Windows Installer update that requires both install and uninstall testing. Validating application uninstallation routines has fallen out of vogue lately due to improvements with application deployment, but the following should be kept in mind when applications are removed from a system:

• Does the application uninstall? (Files, registry, shortcuts, services, and environment settings);
• Does the uninstall process remove components from applications or shared resources?
• Are any key resources (system drivers) removed, and do other applications have shared dependencies?

I have found that keeping application uninstallation Installer logs and comparing (hopefully the same) information across updates is probably the only accurate method — “eyeballing” a cleaned system is not sufficient. And finally, given the changes to the kernel in this update, test (smoke test) your legacy applications. Microsoft has now included deployment and reboot requirements in a single page.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle. There are more than usual this month, so I have referenced a few key issues that relate to the latest builds from Microsoft, including:

• After installing the Windows updates released Jan. 11, 2022 or later on an affected version of Windows, recovery discs (CD or DVD) created using the Backup and Restore (Windows 7) app in the Control Panel might be unable to start.
• After installing this Windows update, connecting to devices in an untrusted domain using Remote Desktop might fail to authenticate when using smart card authentication. You might receive the prompt, “Your credentials did not work. The credentials that were used to connect to [device name] did not work. Please enter new credentials,” and “The login attempt failed” in red. This issue is resolved using Known Issue Rollback (KIR) using group policy installation files: Windows Server 2022, Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1, and Windows 10, version 21H2. 
• After installing updates released Jan. 11, 2022 or later, apps that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might have issues. To resolve this issue manually, apply these Microsoft .NET out-of-band updates.
• Some organizations have reported Bluetooth pairing and connectivity issues. If you are using Windows 10 21H2 or later, Microsoft is aware of the situation and is working on a resolution.
• The Microsoft Exchange Service fails after installing the March 2022 security update. For more information please refer to:
• KB5012698 – Microsoft Exchange Server 2019 and 2016 (March 8, 2022)
• KB5010324 – Microsoft Exchange Server 2013 (March 8, 2022)

For more information about known issues, please visit the Windows Health Release site.

Major revisions

This month, we see two major revisions to updates that have been previously released:

• CVE-2022-8927: Brotli Library Buffer Overflow Vulnerability: This patch, released last month, was raised as a concern on how Internet Explorer would handle changes to compressed files such as CSS and custom scripts. This latest update merely expands the number of products affected, and now includes Visual Studio 2022. No other changes have been made, and therefore no further action is required.
• CVE-2021-43877 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability: This is another “affected product” update that also includes coverage for Visual Studio 2022. No further action is required.

Mitigations and workarounds

This is a large update for a Patch Tuesday, so we have seen a larger-than-expected number of documented mitigations for Microsoft products and components, including:

• CVE-2022-26919: Windows LDAP Remote Code Execution Vulnerability — Microsoft has offered the following mitigation: “For this vulnerability to be exploitable, an administrator must increase the default MaxReceiveBuffer LDAP setting.”
• CVE-2022-26815: Windows DNS Server Remote Code Execution Vulnerability. This issue is only applicable when dynamic DNS updates are enabled.

And for the following reported vulnerabilities, Microsoft recommends “blocking port 445 at the perimeter firewall.”

• CVE-2022-26809: Remote Procedure Call Runtime Remote Code Execution Vulnerability.
• CVE-2022-26830: DiskUsage.exe Remote Code Execution Vulnerability
• CVE-2022-24541: Windows Server Service Remote Code Execution Vulnerability
• CVE-2022-24534: Win32 Stream Enumeration Remote Code Execution Vulnerability

You can read more here about securing these vulnerabilities and your SMB networks. 

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge)
• Microsoft Windows (both desktop and server)
• Microsoft Office
• Microsoft Exchange
• Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
• Adobe (retired???, maybe next year)

Browsers

There were no critical updates to any of Microsoft’s browsers. There were 17 updates to the Chromium project’s Edge browser, which, given how they were implemented, should have marginal to no effect on enterprise deployments. All these updates were released last week as part of the Chromium update cycle. However, it looks like we will see another set of critical/emergency Chrome updates with reports of CVE-2022-1364 exploited in the wild. This will be the third set of emergency updates this year.

If your IT team is seeing large numbers of unexpected browser crashes, you may be vulnerable to this very serious type confusion issue in the V8 JavaScript engine. Microsoft has not released any updates this month for its other browsers. So, now is a good time to ensure your emergency change management practices are in place to support large, very rapid changes to key desktop components (such as browser updates).

Windows

This Patch Tuesday delivered a large number of updates to the Windows platform. With over 117 reported fixes (now 119) covering key components of both desktop and server platforms including:

• Hyper-V
• Windows Networking (SMB).
• Windows Installer.
• Windows Common Log (again).
• Remote Desktop (again, and again).
• Windows Printing (oh no, not again).

With all of these varied patches, this update carries a diverse testing profile and, unfortunately with the recent reports of CVE-2022-26809 and CVE-2022-24500 exploited in the wild, a sense of urgency. In addition to these two worm-able, zero-day exploits, Microsoft has recommended immediate mitigations (blocking network ports) against five reported vulnerabilities. We have also been advised that for most large organizations, testing Windows installer (install, repair and uninstall) is recommended for core applications, further increasing some of the technical effort required before general deployment of these patches. And, yes, printing is going to be an issue. We suggest a focus on printing large PDF files over remote (VPN) connections as a good start to your testing regime.

Add this large Windows update to your “Patch Now” release schedule. 

Microsoft Office

Though Microsoft has released five updates for the Office platform (all rated as important), this is really a “let’s update Excel release” with CVE-2022-24473 and CVE-2022-26901 addressing potential arbitrary code execution (ACE) issues. These are two serious security issues that when paired with an elevation-of-privilege vulnerability leads to a “click-to-own” scenario. We fully expect that this vulnerability will be reported as exploited in the wild in the next few days. Add these Microsoft Office updates to your standard patch release schedule.

Microsoft Exchange Server

Fortunately for us, Microsoft has not released any update for Exchange Server this month. That said, the return of Adobe PDF issues should keep us busy.

Microsoft development platforms

For this cycle, Microsoft released six updates (all rated as important) to its development platform affecting Visual Studio, GitHub, and the .NET Framework. Both the Visual Studio (CVE-2022-24513 and CVE-2022-26921) and the GitHub (CVE-2022-24765, CVE-2022-24767) vulnerabilities are application-specific and should be deployed as application-specific updates. However, the .NET patch (CVE-2022-26832) affects all currently supported .NET versions and will likely be bundled with the latest Microsoft .NET quality updates (read more about these updates here). We recommend deploying the .NET April 22 quality updates with this month’s patches to reduce your testing time and deployment effort.

Adobe (really just Reader)

Well, well, well…, what do we have here? Adobe Reader is back this month with PDF printing causing more headaches for Windows users. For this month, Adobe has released APSB22-16, which addresses over 62 critical vulnerabilities in how both Adobe Reader and Acrobat handle memory issues (see Use after Free) when generating PDF files. Almost all of these reported security issues could lead to remote code execution on the target system. Additionally, these PDF related issues are linked to several Windows (both desktop and server) printing issues addressed this month by Microsoft.

Add this update to your “Patch Now” release schedule.