Legacy apps are in danger with the September Patch Tuesday replace



This week’s Patch Tuesday was an uncommon replace from Microsoft and we now have added Home windows, the Microsoft improvement platform, and Adobe Reader to our “Patch Now” schedule. These updates are pushed by the zero-day patch (CVE-2021-40444) to the core Microsoft browser library MSHTML. Along with resulting in important distant code execution worries, this replace can also result in sudden behaviours in legacy functions that depend upon or embrace this browser part. Be sure you assess your portfolio for key apps which have these dependencies and carry out a full performance take a look at earlier than deployment. (We have now recognized some key mitigation methods for dealing with ActiveX controls and for shielding your system throughout your testing and deployment phases.)You can too discover extra details about the dangers of deploying these Patch Tuesday patchesin this infographic.Key testing scenariosThere are not any reported high-risk modifications to the Home windows platform this month. Nevertheless, there’s one reported purposeful change and an extra function:
As at all times, verify that printing performs as anticipated with each bodily and digital printers. Confirm there are not any points with printer drivers and examine for printer driver software program nonetheless utilizing 32-bit code for utility administration. 
Confirm Occasion Tracing for Home windows is working as anticipated; logs are displaying up in Occasion Viewer.
Affirm that connections leveraging Distant Desktop Gateway and Digital Personal Networks (VPNs) work as anticipated.
Take a look at SCCRUN objects like Scripting.FileSystemObject, textStream, Scripting.Dictionary. See this Microsoft doc and Dictionary object | Microsoft Docs for extra info.
Affirm that customers with permissions can entry recordsdata on SMB shares. Confirm that accessing recordsdata utilizing the Create / Copy / Delete / Learn / Write / Rename / Shut features as anticipated.
Testing your legacy apps and printing shall be a key activity when managing this September’s replace (and for the foreseeable future). In search of printer driver software program nonetheless utilizing 32-bit code for app administration is essential to keep away from “thunking.” This space of concern pertains to how reminiscence is dealt with between 32-bit and 64-bit functions. If you’re on the lookout for a state of affairs the place every little thing breaks, at unpredictable instances, and impacts core techniques, attempt discovering an growing older printer driver with previous printer administration software program. Really, it is extra seemingly the outcomes will discover you. Although we regularly concentrate on printing and legacy apps, distant working has seen an enormous enhance through the pandemic. We provide the next VPN-specific testing suggestions this month:
Confirm that Home windows Updates reliably set up over VPN and non-VPN connections and that the updates set up efficiently.
Test that your anti-virus works as anticipated over your VPN connection.
Guarantee the flexibility to accumulate a DHCP deal with and community connectivity over wired and wi-fi community connections with and with out 802.1x.
Identified issuesEach month, Microsoft features a checklist of recognized points that relate to the working system and platforms within the newest replace cycle. I’ve referenced a couple of key points that relate to the most recent builds from Microsoft, together with:
This month, all Home windows 10 updates embrace a repair that addresses a problem that causes PowerShell to create an infinite variety of baby directories. This difficulty happens once you use the PowerShell Transfer-Merchandise command to maneuver a listing to one in every of its youngsters. Because of this, the quantity fills up and the system stops responding.
Main revisionsAt the time of writing (for the July replace cycle), there have been 4 main updates to beforehand launched updates:
CVE-2021-1678: Home windows Print Spooler Spoofing Vulnerability.
CVE-2021-36958: Home windows Print Spooler Distant Code Execution Vulnerability.
CVE-2021-40444: Microsoft MSHTML Distant Code Execution Vulnerability.
Mitigations and workaroundsThis month, Microsoft printed a work-around for the MSHTML replace. The corporate (not for the primary time) recommends disabling Lively X. We suggest disabling ActiveX as a common rule and utilizing Group Coverage in your managed platforms. Listed below are some easy steps to make sure that ActiveX is disabled:
Choose the Zone (Web Zone, Intranet Zone, Native Machine Zone, or Trusted Websites Zone).
Double-click Obtain signed ActiveX controls and Allow the coverage. Then set the choice within the coverage to Disable.
Double-click Obtain unsigned ActiveX controls and Allow the coverage. Then set the choice within the coverage to Disable.
You can too specify particular registry keys and part IDs for particular person apps (e.g. Microsoft Phrase) —discover out extra right here. Microsoft additionally recommends that you simply place paperwork opened in “Protected View” and use the Workplace model of Software Guard. And when you have gone for a full Microsoft stack and have deployed Defender, you need to use assault floor discount guidelines to scale back the specter of publicity to this critical safety difficulty.Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:
Browsers (Microsoft IE and Edge);
Microsoft Home windows (each desktop and server);
Microsoft Workplace;
Microsoft Change;
Microsoft Improvement platforms ( ASP.NET Core, .NET Core and Chakra Core);
Adobe (retired? Not but).
BrowsersMicrosoft launched 26 updates for the Chromium-based Edge browser this month. Along with these patches, the Chromium undertaking additionally launched 11 safety associated updates this September (Chrome Launch Notes). Although the browser wars have ended, and now Microsoft is utilizing Open Supply, the one fixed sort of safety difficulty is the “Use After Free” reminiscence (aka Dangling Pointer) allocation errors. These reminiscence allocation lessons of errors are nonetheless the commonest and this month’s replace (have a learn of CVE-2021-30610) is an effective instance of the continuing battle to remain forward of the dangerous guys. The proposed modifications to Edge can have minimal or no affect on enterprise techniques this month. Add these updates to your normal desktop replace schedule.WindowsMicrosoft has launched 35 updates to the Home windows platform with two rated as vital (CVE-2021-36965 and CVE-2021-26435) for this cycle. Although this isn’t the biggest replace we have seen for some time, this launch impacts quite a lot of key platform areas: networking, kernel drivers, Home windows Installer, key graphic elements (GDI), and a few key diagnostic instruments (Home windows Error Reporting). Nevertheless, the actual concern this month for testing and deployment groups is what’s been re-released: CVE-2021-40444. It was launched earlier this month and has seen two updates since its preliminary publishing. The MSHTML difficulty is an actual concern because it pertains to a core browser part generally utilized in quite a lot of functions. It is like having Web Explorer embedded in your core line of enterprise utility (yeah, I do know). You actually are not looking for this part in your improvement portfolio and you’ll need to seek out out which functions depend upon it rapidly. We ran a fast scan of our widespread functions that make use of the MSHTML library and located that between 5-10% of “legacy functions” (functions older than 5 years) had a direct dependency on MSHTML. These functions would require in-depth testing and are seemingly areas of concern for any enterprise. Sadly, we now have so as to add these Home windows updates to our “Patch Now” schedule for this month. Microsoft OfficeMicrosoft has launched 12 updates to its Workplace platform this month, all of them rated essential. (Right,  no vital updates for Workplace, Change or SharePoint this patch cycle.) Phrase, Excel, Visio, and the shared Microsoft Workplace libraries (e.g. MSO and shared code widespread to all Microsoft Workplace elements) are affected this month. Not one of the reported safety points embrace “preview pane” or different extremely weak assault vectors. Add these September Microsoft updates to your normal launch schedule.Microsoft Change ServerWe are within the lucky place this September of not having to deploy pressing updates to Microsoft Change Server. That stated, there are two updates to SharePoint Server (CVE-2021-38651, CVE-2021-38652) that can require consideration. Each require a reboot to the server. So even with a diminished stage of urgency, we’re all nonetheless rebooting our Workplace servers this month. No additional motion required for Change Server associated updates.Microsoft improvement platformsMicrosoft has launched three updates to the Visible Studio platform (CVE-2021-36952, CVE-2021-26437, CVE-2021-26434) all rated as essential. Often, we have a look at these updates and advise including them to a regular launch schedule. However we expect CVE-2021-36952 and CVE-2021-26434 require a fast response on account of their potential distant code execution (RCE) and elevation-of-privilege eventualities. I wish to say that RCE points are right this moment’s points. Elevations of privilege (EOP) issues are this afternoon’s issues. Add this Microsoft developer replace to your “Patch Now” schedule. And, sure we now have not made this advice for at the very least two years.Adobe (actually simply Reader)This part was beforehand set as much as deal with the quite a few (and generally painful) updates to Adobe Flash over time. With the current (and hopefully remaining) replace that features the kill-bits for Flash and Shockwave, our pondering is that we must always retire this part. Nevertheless, Adobe Reader is a core part of most enterprise desktops and is prone to proceed because the default PDF reader for a couple of extra years. So reasonably than concentrate on all Adobe merchandise we’ll cope with safety associated points with PDFs (particularly printing) and Adobe Reader. And as luck would have it, we now have an abundance of Adobe updates for September (I’m saving “cornucopia” for October), with a specific concentrate on Acrobat. Adobe has launched 26 updates with seven rated vital as they relate to reminiscence points that might result in distant code execution (RCE) eventualities. There are some critical points with these reported vulnerabilities, although all require person interplay and no reviews of public disclosure or exploitation. Add these Adobe Reader updates to your “Patch Now” replace launch cycle. And, sure that is the primary time that we now have made this advice.

Copyright © 2021 IDG Communications, Inc.