With 55 updates, three publicly reported vulnerabilities and reported public exploits for Adobe Reader, this week’s Patch Tuesday update will require some time and testing before deployment. There are some tough testing scenarios (we’re looking at you, OLE) and kernel updates make for risky deployments. Focus on the IE and Adobe Reader patches — and take your time with the (technically challenging) Exchange and Windows updates.
Speaking of taking your time, if you’re still on Windows 10 1909, this is your last month of security updates.
The three publicly disclosed vulnerabilities this month include:
- CVE-2021-31204 – .NET and Visual Studio Elevation of Privilege Vulnerability (Important)
- CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass
- CVE-2021-31200 – Common Utilities Remote Code Execution Vulnerability (Important)
You can find this information summarized in this infographic.
Key Testing Scenarios
There are no reported high-risk changes to the Windows platform this month. For this patch cycle we have divided our testing guide into two sections:
- The main scenario to be tested is to convert legacy documents (*.doc) that contain shapes and pictures to the modern document format (*.docx). The change is in wordconv.exe.
- Test loading and adding charts, with the all-important File/Open/Print/Save (FOPS) testing regime.
- For SharePoint, test adding web parts to a TEST site, in particular the DataFromWebPart.
Windows desktop and server platforms
- Bluetooth: external dongles (IrDA connections and mice especially) will need a connection test.
- Fonts will need a test, particularly private fonts (a FOPS test will probably suffice).
- Test folder redirection, noting any I/O performance issues.
And here’s the testing scenario that should bring joy to the hearts of all desktop (and server) engineers: you need to test OLE automation this month. What does this mean? Roughly it translates to finding (and testing) the key business logic in core, internally developed business-critical apps that rely on complex, multiple, interdependent components that sometimes need a remote service from a little-known server that is still running a very, very specific version of Visual Basic 5.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds from Microsoft:
- System and user certificates might be lost when updating a device from Windows 10 1809 or later to a newer version of Windows 10. Devices will only be impacted if they have already installed any latest cumulative update (LCU) released Sept. 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source [that] does not have an LCU released Oct. 13, 2020 or later integrated.
- Devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
You can also find Microsoft’s summary of known issues for this release in a single page.
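One way to catch the certificate-loss issue listed above is to inventory the certificate stores before a feature update and compare afterwards. This is an added example, not Microsoft's or the author's tooling; the script parameters and the baseline file location are assumptions.

```powershell
# Added example. Run with -Mode Snapshot before the feature update
# and with -Mode Compare after it, as the same user.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Hypothetical baseline location; copy it off the device before upgrading.
    [string]$BaselinePath = "$env:ProgramData\cert-baseline.csv"
)

function Get-CertInventory {
    # Walk every machine store and the current user's stores; keep certificates only.
    Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = ($_.PSParentPath -split '::')[-1]   # e.g. LocalMachine\My
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter.ToString('s')
            }
        }
}

if ($Mode -eq 'Snapshot') {
    Get-CertInventory | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
    return
}

# Compare: index what is present now, then list baseline entries that are gone.
$before  = @(Import-Csv -Path $BaselinePath)
$present = @{}
foreach ($c in @(Get-CertInventory)) {
    $present["$($c.Store)|$($c.Thumbprint)"] = $true
}
$missing = @($before | Where-Object {
    -not $present.ContainsKey("$($_.Store)|$($_.Thumbprint)")
})

if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) certificate(s) from the baseline are missing:"
    $missing | Format-Table Store, Thumbprint, Subject, NotAfter -AutoSize
    exit 1
}
Write-Output 'All baseline certificates are still present.'
```

The CurrentUser stores cover only the account running the script, so user certificates need a snapshot per user profile.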
Microsoft has not (as of May 14) published any major revisions for this Update Tuesday release.
Mitigations and Workarounds
So far, it does not appear that Microsoft has published any mitigations or work-arounds for this April release.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office (Including Web Apps and Exchange);
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (Reader, yes Reader).
Browser updates are back with a vengeance. And, this time it’s personal. Holy cow: 35 critical updates for Edge (the Chromium version) and a critical update for Internet Explorer 11 (IE11). All of the reported vulnerabilities could lead to a remote code execution scenario. All of them.
The Chromium updates should be relatively easy to deploy due to the Chromium project’s separation from the desktop operating system. The IE11 update is a complete refresh of the binaries. Any legacy apps will need to be tested against this new build. Add this update to your Patch Now release effort.
Microsoft released three updates rated as critical and 22 rated as important for this cycle. The critical patches address issues in Hyper-V, how Windows handles HTTP requests, and OLE automation server issues. We don’t see an urgent need to rate these reported vulnerabilities as “Patch Now,” and we think that some testing will be required before production deployment. Further adding to these concerns, Microsoft has published a few minor UI issues with this update:
“The May Windows update might cause scroll bar controls to appear blank on the screen and not function. This issue affects 32-bit applications running on 64-bit Windows 10 (WOW64) that create scroll bars using a superclass of the USER32.DLL SCROLLBAR window class. In addition, a memory usage increase of up to 4 GB might occur in 64-bit applications when you create a scroll bar control.”
This month’s security updates cover the following core Windows functional areas:
- Windows App Platform and Frameworks;
- Windows Kernel;
- Microsoft Scripting Engine;
- Windows Silicon Platform.
The patch that wins the highest rating this month is CVE-2021-31194 — a serious vulnerability in the Microsoft OLE automation engine. This update will be a tough one to test as you will need to find an application with an OLE server and compare the results across the two builds. Microsoft has also provided some guidance on removing remote access to JET databases, which can be found here. Add these Windows updates to your standard release cycle with an emphasis on testing your core business apps for OLE, JET, and Hyper-V dependencies.
This month’s patches and updates to the Microsoft Office productivity platform affect the following baseline versions:
- Office 2013 (client): SP1 – 15.0.4569.1506;
- SharePoint 2013 (server): SP1 – 15.0.4569.1506 and 15.0.4571.1502;
- Office 2016 (client): RTM – 16.0.4266.1001;
- SharePoint 2016 (server): RTM – 16.0.4351.1000.
We get an easy ride this month with Office patches. No critical rated vulnerabilities and only 17 rated important. If you are still using JET databases, you will need to ensure that you have removed remote access with this support note from Microsoft. Add these relatively minor patches to your standard Office update schedule.
After you have updated Adobe Reader (see below), you will need to spend some time with Microsoft’s latest Exchange server update. With three updates rated as important, and a single patch published as moderate, this update cycle is paired with some serious spoofing and security bypass issues.
Microsoft has released the following note on the technical challenge of updating your Exchange server, including, “When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.”
Take your time; unlike last month's, these issues are not time-sensitive. We are still hearing about and experiencing Exchange server update issues, and though we don’t expect compatibility or functionality issues with this Exchange update, getting the logistics right with this May update may require some thinking. Add this Exchange Server update to your regular patch release regime.
Microsoft development platforms
Microsoft has published five development tool updates — all rated as important — affecting Visual Studio and Microsoft .NET (which has an inter-linking dependency back to Visual Studio). The following specific product groups are patched this month:
- Visual Studio Code Remote – Containers Extension;
- Microsoft Visual Studio 2019;
- .NET 5.0 and .NET Core 3.1.
The update to Visual Studio’s Container component (CVE-2021-31204) probably requires the most attention this month, due to the public reporting of this remote code execution vulnerability. The remaining four issues require user interaction and local access to the target system (hence, the important rating from Microsoft). Add these updates to your standard development update release cycle.
Adobe (this month it’s Reader, Adobe Reader)
While Microsoft has not included an Adobe patch in its release cycle, there has been a critical patch to Adobe Reader in Adobe’s latest patch update. Adobe has reported that the vulnerability CVE-2021-28550 has been exploited in the wild. Unfortunately, this makes the Adobe issue a zero-day that affects all Microsoft devices with a remote code execution vulnerability that could result in complete access to the compromised system.
Add the Adobe Reader update to your “Patch Now” release schedule. And, yes, I really did think that we could retire this section. Maybe next time.