On Tuesday, Microsoft rolled out another broad series of updates across its Windows ecosystems, including four vulnerabilities affecting Windows that have been publicly disclosed and one security flaw — reportedly exploited already — that affects the Windows kernel. That means the Windows updates get our highest “Patch Now” rating, and if you have to manage Exchange servers, be aware that the update requires additional privileges and extra steps to complete.
It also looks as if Microsoft has announced a new way to deploy updates to any device, wherever it is located, with the Windows Update for Business Service. For more information on this cloud-based management service, you can check out this Microsoft video or this Computerworld FAQ.
Key testing scenarios
Due to the major update to the Disk Management utility this month (which we consider high-risk), we recommend testing partition formatting and partition extensions. This month’s update also includes changes to the following lower-risk Windows components:
- Check that TIFF, RAW, and EMF files render correctly, as the Windows codecs have changed.
- Test your VPN connections.
- Test creating Virtual Machines (VMs) and applying snapshots.
- Test creating and using VHD files.
- Ensure that all applications that rely on the Microsoft Speech API function as expected.
The Windows Servicing stack (including Windows Update and MSI Installer) was updated this month with CVE-2021-28437, so larger deployments may want to include a test of install, update, self-heal, and repair functionality in their application portfolio.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the latest builds from Microsoft, including:
- When using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. In addition, after installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” Microsoft is working on a resolution and will provide an update in an upcoming release.
- Devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. If you need to broadly deploy the new Edge for business, see Download and deploy Microsoft Edge for business.
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
You can find Microsoft’s summary of known issues for this release in a single page.
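The cluster known issue above has two preconditions that are easy to check ahead of deployment: the update (KB4467684) is present and the effective “Minimum Password Length” policy exceeds 14 characters. The script below is an added example written for this page, not a Microsoft tool; it runs on the node itself, reads the effective policy from `net accounts` (assumes English-language output), and flags the node only when it is a cluster node with both conditions met.

```powershell
# Added example (not from the article): pre-check for the KB4467684 cluster-service known issue.
# Flags a node where the update is installed AND the effective minimum password length is
# greater than 14, the combination the known-issue note describes.
# Assumptions: runs locally on the node; 'net accounts' output is in English.

function Test-ClusterPasswordLengthIssue {
    param(
        [string]$KbId = 'KB4467684',   # KB number taken from the known-issue note
        [int]$Threshold = 14           # policy length above which the issue is reported
    )

    # 'net accounts' reports the policy in effect on this machine without needing the AD module.
    $netAccounts = net accounts 2>$null
    $line = $netAccounts | Where-Object { $_ -match 'Minimum password length' }
    if (-not $line) { throw 'Could not read the effective minimum password length from net accounts.' }
    $minLength = [int](($line -split ':')[-1].Trim())

    # Get-HotFix writes an error when the KB is absent; silence it and treat "no object" as "not installed".
    $hotfixInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    # The Cluster Service (ClusSvc) only exists on failover-cluster nodes.
    $isClusterNode   = [bool](Get-Service -Name ClusSvc -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IsClusterNode     = $isClusterNode
        HotfixInstalled   = $hotfixInstalled
        MinPasswordLength = $minLength
        AtRisk            = $isClusterNode -and $hotfixInstalled -and ($minLength -gt $Threshold)
    }
}

Test-ClusterPasswordLengthIssue | Format-List
```

Treat the hotfix test as a first filter only: later cumulative updates supersede KB4467684 and show up under their own KB numbers, so a node can carry the change without listing that KB. The password-length value is the one that matters; if it is above 14 on a cluster node, review the policy before the node is patched and rebooted.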
For this April update cycle, Microsoft published a single major revision:
- CVE-2020-17049 – Kerberos KDC Security Feature Bypass Vulnerability: Microsoft is releasing security updates for the second deployment phase for this vulnerability. Microsoft has published an article (KB4598347) on how to manage these additional changes to your domain controllers.
Mitigations and workarounds
As of now, it does not appear Microsoft has published any mitigations or workarounds for this April release.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office (including Web Apps and Exchange);
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe Flash Player (retiring).
For the past 10 years, we have reviewed potential impacts from changes to Microsoft browsers (Internet Explorer and Edge) due to the nature of interdependent libraries on Windows systems (both desktop and server). Internet Explorer (IE) used to have direct (some would say too direct) integration with the OS, which meant that any browser change had to be managed as a change to the OS (most problematically on servers). As of this month, this is no longer the case; Chromium updates are now a separate code-base and application entity, and Microsoft Edge (Legacy) will now automatically be removed and replaced with the Chromium code-base. You can read more about this update (and removal) process online.
I think this is welcome news, as the constant recompiles of IE and the subsequent testing profile were a heavy burden for most IT admins. It’s also nice to see that the Chromium update cycle is moving from a six-week cycle to a four-week cycle in tune with the Microsoft update cadence. Given the nature of these changes to the Chromium browser, add this update to your standard patch release schedule.
This month, Microsoft worked to address 14 critical vulnerabilities in Windows and 68 remaining security issues rated as important. Two of the critical issues relate to Media Player; the remaining 12 relate to problems in the Windows Remote Procedure Call (RPC) function. We have broken down the remaining updates (including important and moderate ratings) into the following functional areas:
- Windows Secure Kernel Mode (Win32K);
- Windows Event Tracing;
- Windows Installer;
- Microsoft Graphics Component;
- Windows TCP/IP, DNS, SMB Server.
For testing these functional groups, refer to the recommendations detailed above. For the critical patches: testing Windows Media Player is easy, while testing RPC calls both within and between applications is another matter. To make matters worse, these RPC issues, though not wormable, are serious individually and dangerous as a group. As a result of these concerns, we recommend a “Patch Now” release schedule for this month’s updates.
Microsoft Office (and Exchange, of course)
As we assess the Office updates for each monthly security release, the first questions I usually ask are:
- Are the vulnerabilities low complexity, remote access issues?
- Does the vulnerability lead to a remote code execution scenario?
- Is the Preview Pane a vector this time?
Fortunately, all four issues addressed by Microsoft this month are rated as important and have not landed in any of the three “worry bins” above. In addition to these security basics, I have the following questions for this April Office update:
- Are you running ActiveX Controls?
- Are you running Office 2007?
- Are you experiencing language-related side effects after this month’s update?
If you are running ActiveX controls, please don’t. If you are running Office 2007, now is a really good time to move to something supported (like Office 365). And, if you are experiencing language issues, please refer to this support note (KB5003251) from Microsoft on how to reset your language settings post-update. The Office, Word, and Excel updates are major updates and will require a standard testing/release cycle. Given the lower urgency of these vulnerabilities, we suggest you add these Office updates to your standard release schedule.
Unfortunately, Microsoft Exchange has four critical updates that need attention. It’s not super urgent like last month, but we have given them a “Patch Now” rating. Some attention will be required when updating your servers this time. There have been a number of reported issues with these updates when applied to servers with UAC controls in place.
When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. Make sure to run this update as an administrator, or your server may be left in a state between updates or, worse, in a disabled state. When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web (OWA) and the Exchange Control Panel (ECP) might stop working.
This month, a reboot will definitely be required for your Exchange Servers.
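Because the failure mode above is silent, the safest habit is to never let the .MSP run from a non-elevated session at all. The following is an added example for this page, not Microsoft’s own installer guidance: it refuses to proceed unless the PowerShell session holds an elevated administrator token, applies the patch through `msiexec /update` with a verbose log, defers the reboot so it can be scheduled, and then prints the Exchange build so it can be compared with the build Microsoft lists for the update. The update file path and log path are placeholders.

```powershell
# Added example (not from the article or from Microsoft): installs an Exchange security update
# .msp from an elevated session and reports the resulting Exchange build.
# Assumptions: the update is a standard Windows Installer patch (.msp) that msiexec /update
# can apply; $MspPath is a placeholder for wherever you staged the file.

function Install-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)]
        [string]$MspPath,                                   # e.g. 'C:\Updates\Exchange-SU-PLACEHOLDER.msp'
        [string]$LogPath = "$env:TEMP\ExchangeSU-install.log"
    )

    # Double-clicking the .msp (non-elevated) is exactly what leaves OWA/ECP broken with no error,
    # so stop early unless this process is running with an elevated administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Not elevated. Open PowerShell with 'Run as administrator' and re-run."
    }
    if (-not (Test-Path -LiteralPath $MspPath)) {
        throw "Update file not found: $MspPath"
    }

    # /update applies a patch file; /qb shows basic progress; /l*v keeps a verbose log for
    # troubleshooting; /norestart lets you schedule the reboot the update requires.
    $msiArgs = @('/update', "`"$MspPath`"", '/qb', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

    # Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode); see $LogPath"
    }

    # ExSetup.exe carries the installed Exchange build; compare it with the build Microsoft
    # publishes for this update before declaring the server patched.
    $exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if ($exsetup) {
        $exsetup.FileVersionInfo | Select-Object FileVersion, ProductVersion
    } else {
        Write-Warning 'ExSetup.exe not found on PATH; check the Exchange bin folder manually.'
    }

    return $proc.ExitCode
}

# Usage (from an elevated PowerShell session on the Exchange server):
# Install-ExchangeSecurityUpdate -MspPath 'C:\Updates\Exchange-SU-PLACEHOLDER.msp'
```

An exit code of 3010 is the expected outcome here and means the server still needs the reboot noted above; browsing to OWA and ECP after that reboot, not before, is the final check that the update completed cleanly.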
Microsoft development platforms
Microsoft has released 12 updates, all rated as important for April. All of the addressed vulnerabilities have a high CVSS rating of 7 or above and cover the following Microsoft product areas:
- Visual Studio Code – Kubernetes Tools;
- Visual Studio Code – GitHub Pull Requests and Issues Extension;
- Visual Studio Code – Maven for Java Extension.
Looking at these updates and how they have been implemented this month, I find it hard to see how there could be an impact beyond the very minor changes to each application. Microsoft has not published critical testing or mitigation for any of these updates, so we recommend a standard “Developer” release schedule for them.
Adobe Flash Player
I can’t believe it. No further word on Adobe updates. No crazy Flash vulnerabilities to hijack your schedule this month. So, in the words of my favorite news reader, No Gnus is good Gnus.
We will retire this section next month and break out the Office and Exchange updates into separate sections for easier readability.