Microsoft delivers solid Windows-focused updates for June’s Patch Tuesday



June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are no Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows component, CVE-2022-30190, led to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule. You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

Key testing scenarios

Given the large number of changes included in this June patch cycle, I’ve broken out the testing scenarios into high-risk and standard-risk groups.

These high-risk changes are likely to include functionality changes, may deprecate existing functions, and will likely require new testing plans. Test your signed drivers using physical and virtual machines (BIOS and UEFI) and across all platforms (x86, 64-bit):
Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
Use SHA-1 signed versus SHA-2 signed drivers.
Each of these high-risk test cycles must include a manual shut-down, reboot, and restart.

The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
Test remote Credential Guard scenarios. (These tests will require Kerberos authentication, and can only be used with the RDP protocol.)
Test your Hyper-V servers and start/stop/resume your Virtual Machines (VM).
Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
Test deploying sample applications using AADJ and Intune. Ensure that you deploy and revoke access as part of your test cycle.
In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update. This is due to the changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. It's good to challenge each application package as part of the Quality Assurance (QA) process that includes the key application lifecycle stages of installation, activation, update, repair, and then uninstall. Not testing these stages could leave IT systems in an undesirable state — at the very least, it will be an unknown state.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
After installing this June update, Windows devices that use certain GPUs might cause applications to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). No resolutions for these reported issues yet.
After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.
As you may be aware, Microsoft published an out-of-band update (OOB) last month (on May 19). This update affected the following core Windows Server-based networking features:

The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controller servers. Desktop platforms are not affected. Due to this earlier patch, Microsoft has recommended that this June’s update be installed on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC) first. Then install this update on all DC role computers. Or pre-populate CertificateMappingMethods to 0x1F as documented in the registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.

Did you get that? I must note, with a certain sense of irony, that the most detailed, order-specific set of instructions that Microsoft has ever published (ever) is buried deep, mid-way through a very long technical article. I hope everyone is paying attention.

Major revisions

Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:
CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.

CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to affected applications (now affecting the MAC platform). No further action required.

CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now affecting the MAC platform). No further action required.

CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major update to this patch is a bit of a mess. This patch was mistakenly allocated to the Windows security update group. Microsoft has removed this Endpoint manager from the Windows group and has provided the following options to access and install this hot-fix:

Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See Checklist for installing update 2203 for Configuration Manager for more information.
Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager, versions 1910 through versions 2111 who are not able to install Configuration Manager Update 2203 (Build 5.00.9078) can download and install hot-fix KB12819689.

CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal — we were affected by this issue with massive server performance spikes. If you are having problems with MSDT, you need to read the MSRC blog post, which includes detailed instructions on updates and mitigations. To resolve our issues, we had to disable the MSDT URL protocol, which has its own problems.
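The deployment order described under Known issues (intermediate servers first, then DCs, with CertificateMappingMethods held at 0x1F until everything is patched) can be enforced with a gate script. This is an added example, not code from the article or from Microsoft; the host names are constructed, the KB id is a placeholder, and the Schannel registry path is the one documented in KB5014754.

```powershell
# Added example. Report-only unless -Apply is given.
param([switch]$Apply)

$IntermediateServers = 'app01.example.test', 'nps01.example.test'  # constructed names
$DomainControllers   = 'dc01.example.test', 'dc02.example.test'    # constructed names
$JuneUpdateKb        = 'KB0000000'  # placeholder: June 14 update KB for your OS build
# Registry location as documented in KB5014754; verify against the KB before use.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$Name = 'CertificateMappingMethods'

function Test-Patched([string]$Computer) {
    # Get-HotFix returns nothing when the KB is absent; unreachable hosts count as unpatched
    [bool](Get-HotFix -Id $JuneUpdateKb -ComputerName $Computer -ErrorAction SilentlyContinue)
}

# Any server in either tier without the June update keeps the rollout "incomplete"
$unpatched = @($IntermediateServers + $DomainControllers |
    Where-Object { -not (Test-Patched $_) })

foreach ($dc in $DomainControllers) {
    $current = Invoke-Command -ComputerName $dc -ArgumentList $Key, $Name -ScriptBlock {
        param($k, $n) (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).$n
    }
    $action = if ($unpatched.Count -gt 0) {
        # Rollout incomplete: the value must stay pre-populated at 0x1F on every DC
        if ($current -eq 0x1F) { 'none' } else { 'set 0x1F' }
    } else {
        # All intermediate servers and all DCs patched: only now may it be deleted
        if ($null -eq $current) { 'none' } else { 'delete' }
    }
    [pscustomobject]@{ DC = $dc; Current = $current
                       Unpatched = $unpatched -join ','; Action = $action }

    if (-not $Apply) { continue }
    Invoke-Command -ComputerName $dc -ArgumentList $Key, $Name, $action -ScriptBlock {
        param($k, $n, $a)
        switch ($a) {
            'set 0x1F' { Set-ItemProperty -Path $k -Name $n -Value 0x1F -Type DWord }
            'delete'   { Remove-ItemProperty -Path $k -Name $n }
        }
    }
}
```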
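For the CVE-2021-26414 DCOM change listed above, the following added example (not from the article or from Microsoft) inventories where hardening has been overridden and which DCOM calls it is rejecting or flagging. Host names are constructed; the registry key and the System-log event IDs 10036, 10037 and 10038 are those documented in KB5004442.

```powershell
# Added example: DCOM hardening state plus the events that point at affected applications.
$Computers = 'app01.example.test', 'file01.example.test'   # constructed host names
$Since     = (Get-Date).AddDays(-14)
$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'      # per KB5004442
$Value     = 'RequireIntegrityActivationAuthenticationLevel'

$report = foreach ($c in $Computers) {
    $raw = Invoke-Command -ComputerName $c -ArgumentList $OleKey, $Value -ScriptBlock {
        param($k, $n) (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).$n
    }
    # Per KB5004442: 0 disables hardening, 1 enables it, absent means the OS default
    $state = if ($null -eq $raw) { 'not set (OS default)' }
             elseif ($raw -eq 0) { 'explicitly DISABLED' }
             else                { 'explicitly enabled' }

    # 10036 is logged on the DCOM server, 10037/10038 on the DCOM client
    $events = @(Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = $Since
    })

    if ($events.Count -eq 0) {
        [pscustomobject]@{ Computer = $c; Hardening = $state; EventId = $null
                           Count = 0; Sample = 'no DCOM hardening events' }
        continue
    }
    # One row per distinct message: each names a user/address or an application/CLSID
    $events | Group-Object Id, Message | ForEach-Object {
        [pscustomobject]@{ Computer = $c; Hardening = $state; EventId = $_.Group[0].Id
                           Count = $_.Count; Sample = $_.Group[0].Message }
    }
}
$report | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

Each distinct message identifies a caller or application to put on the DCOM dependency list for business-logic testing.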
I think that we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but both changes do not have significant testing profiles. DCOM changes are different — they’re tough to test and generally require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired outcomes. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you may have some unpleasant surprises — with very difficult-to-debug troubleshooting scenarios.

Mitigations and workarounds

For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I’ve seen this, but for this mitigation, Microsoft strongly recommends you install the May 2022 update first. Once done, you can reduce your attack surface area by disabling NFSV4.1 with the following PowerShell command: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”
Making this change will require a restart of the target server.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (both desktop and server);
Microsoft Office;
Microsoft Exchange;
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
Adobe (retired???, maybe next year).

Browsers

We are seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:

A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.

Windows

With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus — especially given the low-risk, low-profile updates to Microsoft Browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including: NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and docker components. As mentioned earlier, the most difficult to test and troubleshoot will be the kernel updates and the local security sub-system (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily due to the number of core infrastructural changes that should be picked up in early testing. (Microsoft has published another video about the changes this month to the Windows 11 platform, found here.)

Microsoft has fixed the widely-exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which given the other three critical updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139) leads to a “Patch Now” recommendation.

Microsoft Office

Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core foundation library), all of them rated important. The SharePoint server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker location. This Excel vulnerability is more of an Arbitrary Code Execution vulnerability; given that it requires user interaction and access to a local target system, it is a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.

Microsoft Exchange Server

We have a SQL Server update this month, but no Microsoft Exchange Server updates for June. This is good news.

Microsoft development platforms

Microsoft has released a single, relatively low-risk (CVE-2022-30184) update to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Mac Visual Studio 2022 (still in preview) as soon as possible. As of July (yes, next month) the Mac version of Visual Studio 2019 will no longer be supported. And yes, losing patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.

Adobe (really, just Reader)

There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for their other (non-Acrobat or PDF related) applications — all of which are rated at the lowest level 3 by Adobe. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.

Copyright © 2022 IDG Communications, Inc.