Microsoft released 50 updates this week to address vulnerabilities in the Windows and Office ecosystems. The good news is that there are no Adobe or Exchange Server updates this month. The bad news is that there are fixes for six zero-day exploits, including a critical update to the core web rendering component (MSHTML) for Windows. We have added this month's Windows updates to our "Patch Now" schedule, while the Microsoft Office and development platform updates can be deployed under their standard release regimes. The updates also include changes to Microsoft Hyper-V, cryptographic libraries and Windows DCOM, all of which require testing before deployment.
You can find this summarized information in our infographic.
Key test cases
No high-risk changes to the Windows platform were reported this month. For this patch cycle, we have divided our testing guide into two sections: Changes to Microsoft OLE and DCOM components are the most technically challenging and require the most business expertise to debug and deploy. DCOM services are not easy to create and can be difficult to maintain. As a result, they are not the first choice for most companies to develop in-house. If there is a DCOM server (or service) within your IT group, it is there because it has to be, and some part of the core business will depend on it. To manage the risks of this June update, I recommend that you have your list of applications with DCOM components ready, have two builds (pre- and post-update) ready for side-by-side comparison, and allow plenty of time to test and update your codebase as needed.
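One way to build that DCOM list and compare the pre- and post-update builds is sketched below. This is an added example, not part of the original article or Microsoft's guidance; the function names and CSV file names are hypothetical, and it assumes an elevated PowerShell session on each build.

```powershell
# Added example: snapshot DCOM application settings on each build, then diff them.
# Function names and file names are hypothetical; run elevated.

function Export-DcomInventory {
    param([Parameter(Mandatory)][string]$Path)

    # Win32_DCOMApplicationSetting returns one record per registered AppID.
    Get-CimInstance -ClassName Win32_DCOMApplicationSetting |
        Select-Object AppID, Caption, LocalService, RunAsUser,
                      RemoteServerName, AuthenticationLevel |
        Sort-Object AppID |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-DcomInventory {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $props = 'Caption', 'LocalService', 'RunAsUser', 'RemoteServerName', 'AuthenticationLevel'

    # Index both snapshots by AppID so records can be matched across builds.
    $old = @{}; Import-Csv $Before | ForEach-Object { $old[$_.AppID] = $_ }
    $new = @{}; Import-Csv $After  | ForEach-Object { $new[$_.AppID] = $_ }

    foreach ($id in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if (-not $new.ContainsKey($id)) {
            [pscustomobject]@{ AppID = $id; Change = 'Removed'; Detail = $old[$id].Caption }
        } elseif (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ AppID = $id; Change = 'Added'; Detail = $new[$id].Caption }
        } else {
            foreach ($p in $props) {
                if ($old[$id].$p -ne $new[$id].$p) {
                    [pscustomobject]@{
                        AppID  = $id
                        Change = "Changed:$p"
                        Detail = "'$($old[$id].$p)' -> '$($new[$id].$p)'"
                    }
                }
            }
        }
    }
}

# Usage (hypothetical file names):
#   Export-DcomInventory -Path .\dcom-pre-update.csv     # on the pre-update build
#   Export-DcomInventory -Path .\dcom-post-update.csv    # on the post-update build
#   Compare-DcomInventory -Before .\dcom-pre-update.csv -After .\dcom-post-update.csv
```

An empty result means the registered DCOM applications and their service, identity and authentication settings match across the two builds; functional testing of each listed application is still required.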
Known issues
Every month, Microsoft includes a list of known operating system and platform issues for the update cycle. Here are some key issues with the latest versions from Microsoft:
- As with last month, system and user certificates can be lost when upgrading a device from Windows 10 version 1809 or later to a newer version of Windows 10. Microsoft has not released any further guidance on upgrading to a later version of Windows 10.
- There is an issue with the Japanese Input Method Editor (IME) that generates incorrect Furigana text. These problems are quite common with Microsoft updates. IMEs are quite complex and have been a problem for Microsoft for years. Expect an update for this Japanese character issue later this year.
- In a related issue, after installing KB4493509, devices with some Asian language packs installed may see the error "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND". To resolve this issue, you will need to uninstall and then reinstall your language packs.
There have been several reports of ESU systems failing to complete Windows updates in the past month. If you are using an older system, you will need to purchase an ESU key. Above all, it must be activated (for some, this is the key step that is missing). You can learn more about how to activate your ESU upgrade key online. You can also find Microsoft's summary of known issues for this release on one page.
Important revisions
As of now, for this June cycle, there have been two major revisions to previously released updates:
- CVE-2020-0835: This is an update for the Windows Defender anti-malware functionality in Windows 10. Windows Defender is updated monthly and generally generates a new CVE entry each time. Revising an existing Defender CVE entry, rather than just creating a new CVE entry for the month, is therefore unusual. This revision (fortunately) applies only to the associated documentation. No additional action is required.
- CVE-2021-28455: This is another documentation update, this time for the Microsoft Jet Red database. This update (unfortunately) adds Microsoft Access 2013 and 2016 to the affected list. If you are using the Jet "Red" database (check your middleware), you will need to test and update your systems.
As an additional note regarding the Windows Defender update, given everything that is happening this month (six public exploits!), I highly recommend that you make sure Defender is up to date. Microsoft has released additional documentation on how to verify and enforce Windows Defender compliance. Why not do it now? It's free and Defender is pretty good.
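A quick local check of Defender's status and signature currency, as an added example that is not from the original article or from Microsoft's compliance documentation. The function name is hypothetical and the two-day maximum signature age is an illustrative policy value, not a Microsoft requirement.

```powershell
# Added example: report whether Microsoft Defender is enabled and its signatures are current.
# Assumption: the 2-day maximum signature age is an illustrative policy value.
function Test-DefenderCurrency {
    param([int]$MaxSignatureAgeDays = 2)

    # Get-MpComputerStatus ships with the Defender module on Windows 10 and Server 2016+.
    $s = Get-MpComputerStatus

    $checks = [ordered]@{
        'Antivirus enabled'            = $s.AntivirusEnabled
        'Real-time protection enabled' = $s.RealTimeProtectionEnabled
        'Antimalware service enabled'  = $s.AMServiceEnabled
        'Signature age within limit'   = ($s.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }
    $results = foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }

    # One summary object per machine: versions for the audit trail, plus per-check results.
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ProductVersion   = $s.AMProductVersion
        EngineVersion    = $s.AMEngineVersion
        SignatureVersion = $s.AntivirusSignatureVersion
        SignatureUpdated = $s.AntivirusSignatureLastUpdated
        Compliant        = -not ($results | Where-Object { -not $_.Pass })
        Checks           = $results
    }
}

# Usage:
#   $r = Test-DefenderCurrency
#   $r | Format-List Computer, ProductVersion, EngineVersion, SignatureVersion, SignatureUpdated, Compliant
#   $r.Checks | Format-Table -AutoSize
```

If the signature-age check fails, `Update-MpSignature` triggers a definition update from the configured source.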
Mitigations and solutions
So far, it doesn't appear that Microsoft has released any mitigations or workarounds for this June release. Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Internet Explorer and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired ???)
Browsers
It appears that we are back to our usual pace of minimal browser updates from Microsoft, as we have only one update from the Microsoft Chromium project (CVE-2021-33741). Microsoft rated this browser update as important because it can only lead to an elevation-of-privilege security issue and requires user interaction. Rather than using the Microsoft Security Portal to get better information on these browser updates, I have found the Microsoft Chromium Release Notes pages to be a better source of patch documentation. Given the nature of Chrome installation on Windows desktops, we would expect very little impact from the update. Add this browser update to your standard release schedule.
Microsoft Windows 10
This month, Microsoft released 27 updates to the Windows ecosystem, three of which were rated critical and the rest rated important. This is a relatively small number compared to previous months. However (and this is huge), I'm pretty sure we've never seen so many vulnerabilities being exploited or publicly disclosed. This month, six are confirmed as exploited: CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199, and CVE-2021-31201. To add to this month's numbers, two issues have also been publicly disclosed: CVE-2021-33739 and CVE-2021-31968. That's a lot, especially for a single month. The fix I'm most concerned about is CVE-2021-33742. It is rated critical because it can lead to arbitrary code execution on the target system and affects a core element of Windows (MSHTML). This web rendering component was a frequent (and preferred) target of attackers after the release of Internet Explorer (IE). Almost all (many, many) security issues and corresponding fixes affecting IE were related to the way the MSHTML component interacted with Windows subsystems (Win32) or, worse still, the Microsoft Script Object. Attacks against this component can lead to deep access to compromised systems and are difficult to debug. Even without all of the exploits publicly disclosed or confirmed this month, I'd still add this Windows update to the "Patch Now" release schedule.
Microsoft Office
Similar to last month, Microsoft released 11 updates rated important and one rated critical for this release cycle. Again, we see Microsoft SharePoint updates as the main focus, with the critical patch CVE-2021-31963. Compared to some of the very concerning news this month for Windows updates, these Office fixes are relatively complex to exploit and don't expose highly vulnerable vectors, such as Outlook preview panes, to attack. There have been a number of informational updates to these fixes over the past few days, and it appears that there may be a problem with the SharePoint Server package updates; Microsoft posted the following error: "DataFormWebPart may crash when accessing an external URL and generates '8scdc' event tags in SharePoint Unified Logging System (ULS) logs." You can read more about this issue in KB 5004210. Plan to restart your SharePoint servers and add these Office updates to your standard release schedule.
Microsoft Exchange
There is no Microsoft Exchange update for this cycle. This is a welcome relief from the past few months when critical updates required urgent fixes that have business-wide implications.
Microsoft development platforms
It's an easy month for Microsoft development platform updates (.NET and Visual Studio) with only two updates deemed important:
- CVE-2021-31938: A complex attack that is difficult to carry out and requires local access and user interaction when using the Kubernetes tool extensions.
- CVE-2021-31957: This ASP.NET vulnerability is slightly more serious (it affects servers, rather than a tool extension). That said, it is still a complex attack that has been fully resolved by Microsoft.
Add the Visual Studio update to your standard developer release schedule. I would add the ASP.NET update to your priority release schedule due to the increased exposure to the internet.
Copyright © 2021 IDG Communications, Inc.