Patch Tuesday gets off to a busy start for January

For this week’s Patch Tuesday, the first of the year, Microsoft addressed 97 security issues, six of them rated critical. Though six vulnerabilities have been publicly reported, I do not classify them as zero-days. Microsoft has fixed a large number of security-related issues and is aware of several known issues that may have inadvertently caused significant server problems, including:

  • Hyper-V, which no longer starts; virtual machines fail with the message, “Virtual machine xxx could not be started because the hypervisor is not running.”
  • ReFS (Resilient File System) volumes that are no longer accessible (which is kind of ironic).
  • Windows domain controllers stuck in boot loops.

There are a variety of known issues this month, and I’m not sure whether we’ll see more issues reported with the January server patches. You can find more information on the risk of deploying these latest updates with our helpful infographic.

Key testing scenarios

There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature added.

  • Test local and remote printing and test printing over RDP.
  • Test site-to-site VPN, including new and existing connections.
  • Test reading or processing ETL files.
  • Check starting and stopping Hyper-V on your servers.
  • Run Transactional NTFS (TxF) and CLFS test scenarios while including tests for ReFS file I/O transfers.
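A post-patch health check for the three server-side issues named above (Hyper-V not starting, ReFS volumes inaccessible, and the domain-controller lsass.exe crash quoted in the Windows section below), as an added PowerShell example that is not Microsoft's or this column's own code. It assumes it is run elevated on the freshly patched host; the `$LookbackDays` window and the log names searched are my choices, and only ReFS volumes with a drive letter are probed.

```powershell
<#
  Post-patch smoke test for the January known issues (added example, not
  from Microsoft or the column). Assumption: run elevated on the patched host.
#>
param([int]$LookbackDays = 2)
$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = @()

# 1. Hyper-V: management service state plus the "hypervisor is not running" symptom
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) {
    if ($vmms.Status -ne 'Running') { $findings += "Hyper-V: vmms service is $($vmms.Status)" }
    $hv = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $since
          } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like '*could not be started because the hypervisor is not running*' }
    if ($hv) { $findings += "Hyper-V: $($hv.Count) VM start failure(s) since $since" }
}

# 2. ReFS: every lettered ReFS volume must still be enumerable after the update
Get-Volume | Where-Object { $_.FileSystemType -eq 'ReFS' -and $_.DriveLetter } | ForEach-Object {
    $path = "$($_.DriveLetter):\"
    try   { $null = Get-ChildItem -LiteralPath $path -Force -ErrorAction Stop }
    catch { $findings += "ReFS: volume $path is not accessible ($($_.Exception.Message))" }
}

# 3. Domain controllers: look for the lsass.exe crash that precedes the boot loop
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole   # 4 = backup DC, 5 = primary DC
if ($role -in 4, 5) {
    $lsass = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -like '*lsass.exe*terminated unexpectedly*' }
    if ($lsass) { $findings += "DC: $($lsass.Count) lsass.exe crash event(s) since $since" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "No January known-issue symptoms found since $since"
```

A non-zero exit code makes the script usable as a gate in a staged rollout, so a pilot host showing any of the three symptoms blocks the broader deployment.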

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the company’s latest builds, including:

  • SharePoint Server: Most users cannot access Web.config files in SharePoint Server. The affected group of users does not include farm administrators, local administrators, or members who are managed by the system. For more information, see Users cannot access Web.config files in SharePoint Server (KB5010126).
  • After installing the June 21, 2021 (KB5003690) update, some devices cannot install newer updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, “PSFX_E_MATCHING_BINARY_MISSING.” For more information and a workaround, see KB5005322.
  • After installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server being used as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume Licence Key (CSVLK). Microsoft is working on a resolution and will provide an update in an upcoming release.
  • After installing this Windows update, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication. You might receive the prompt, “Your credentials did not work. The credentials that were used to connect to [device name] did not work. Please enter new credentials” and “The login attempt failed” in red. This issue is resolved using Known Issue Rollback (KIR). For general information on using Group Policies, see Group Policy Overview; we have listed the following group policy installation files in the event that a KIR procedure is required: Windows Server 2022; Windows 10, version 2004; Windows 10, version 20H2; and Windows 10, version 21H1.
  • After installing KB4493509, devices with some Asian language packs installed may see the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
  • After installing Windows 11, some image editing programs might not render colors correctly on certain high dynamic range (HDR) displays.

Microsoft is working on the Windows 11 issues, but has yet to respond to the Hyper-V, ReFS, or Domain Controller problems. One of the best ways to see whether known issues might affect your target platform is to check out the many configuration options for downloading patch data at the Microsoft Security Update guidance site or the summary page for this month’s security update.

Major revisions

Microsoft has not released any major revisions (or minor documentation changes) for the January Patch release.

Mitigations and workarounds

Although there are no published mitigations or workarounds relating to the January patches, we expect a response from Microsoft to the Server 2022 patch-related issues within the next few days.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired???, maybe next year).

Browsers

This month sees a mixed bag of updates for Microsoft browsers. Though we don’t get any patches for the legacy browsers, Microsoft has released five updates that are specific to the Chromium version of Edge. In addition to these changes, the Chromium project has released a further 24 updates to the Chromium browser core. You can find more information about the Microsoft updates here, with the release notes for the Chromium project updates found here. Microsoft has published detailed information on the Microsoft Edge-specific issues (found in the Security Update Guide) while Google refrains from publishing detailed security and vulnerability information until all patches are released.

Add these Chrome (Edge and Chromium) updates to your regularly scheduled update release schedule.

Windows

This is a significant update to the Windows platform with seven updates rated critical, and a hefty 80 patches rated as important. There are now several reported issues with this month’s server patches affecting (probably all) Windows domain controllers. If you are seeing the following error message post update — “The system process ‘C:\Windows\system32\lsass.exe’ terminated unexpectedly with status code -1073741819. The system will now shut down and restart.” — you are not alone. There are also significant numbers of reports that virtual machines on recently updated Hyper-V do not start.

Normally, we would recommend a significant testing cycle before a production release of Windows updates. However, this month’s update addresses CVE-2022-21907, “which is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds”, said Danny Kim, principal architect at Virsec. The CVE is the latest example of how software capabilities can be warped and weaponized: it targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, and a specially crafted message can lead to remote code execution.

Microsoft says this vulnerability is “wormable,” so we recommend that you add this month’s Windows update to your “Patch Now” schedule.

Windows Testing Guidelines

  • Test your IME with both English and Asian language packs.
  • Remote Desktop: A client should be able to connect to the RDP host and be able to redirect drives, audio, clipboard and to printers.
  • Test CLFS logs (“CRUD”): create a log, read from a log, and update a log.
  • Networking: Send and receive large size files to other nodes using IPv4 and IPv6.
  • Test NTFS using short name related scenarios.

This month’s Windows patches included a major update to NTFS (with no functional changes); for more information and suggested testing scenarios, refer to the Microsoft document Transactional NTFS (TxF).

Microsoft Office

Microsoft has released four updates for the venerable Office productivity suite (one rated critical, the remaining three, important). The critical patch (CVE-2022-21840) addresses a remote code execution vulnerability in the Microsoft Core libraries that (thankfully) requires user interaction such as the following scenario by Microsoft: “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.” So, it’s 2022 and by clicking on an email, we can just give it all away.

Microsoft has confirmed that these four patches fully address the issue, so please add this update to your standard Office patch release schedule.

Microsoft Exchange Server

There are three updates to the Microsoft Exchange Server platform this month. With two rated as important (CVE-2022-21969 and CVE-2022-21855), the focus should be on the critical patch CVE-2022-21846. This vulnerability has a very high CVSS rating of 9.0. However, the risk of exploitation is much reduced due to the nature of this vulnerability’s attack vector. To be successful, an attacker must be present on the network or able to access an adjacent component on the target system (such as Bluetooth).

Microsoft offered the following testing guidelines for these three patches:

  • Test OWA scenarios with http and (secure) https URLs.
  • Test new Exchange “site mailbox” creation(s).

Fortunately, we are not expecting the challenging configuration issues this month that we’ve seen in past updates. So, “test before deploy” and add these Exchange updates to your standard server update schedule.

Microsoft development platforms

For this cycle, Microsoft released a single update (CVE-2022-21911) rated as important for its development platforms. This denial-of-service vulnerability can be exploited without user interaction or admin privileges. Microsoft has published an official fix for the issue, which may affect .NET COM servers and regular expression (Regex) processing. These components will need some testing before deployment of the singular .NET update. You may also have to download these and future updates in a separate file for .NET 4.8 patches.

Microsoft has published a blog on .NET 4.8 release cadences and methodologies. Add this update to your regular patch release schedule.

Adobe (really just Reader)

It’s back with a vengeance! Adobe has published so many vulnerabilities for its Adobe Reader (and Acrobat) products, I initially thought that the long list of memory related issues addressed the entire Adobe suite.

Nope.

Adobe Reader has seen no fewer than 26 updates, with 15 rated critical, three as important, and another seven as moderate. All versions are affected, and all currently supported platforms will require an update. You can read more about this (very) long list of updates here. Add these Adobe updates to your “Patch Now” schedule.