This is a relatively light update from Microsoft's Patch Tuesday, although two major vulnerabilities have been revealed on the Windows platform (CVE-2021-38631 and CVE-2021-41371), both related to protocol handling. Remote Desktop, which make it urgent to apply Windows updates. And we also have another technically difficult to manage update for Microsoft Exchange Server.
Pay close attention to Servicing Stack (SSU) updates this month as they can affect the way your apps are installed (with a particular focus on the uninstall process). Microsoft has already announced that there will be no Patch Cycle C release next month, which means that the December Patch Tuesday release is expected to be light. You can find more information about the risk of implementing these Patch Tuesday updates with this infographic.
Key test cases
No high-risk changes were reported on the Windows platform this month. However, there is a reported functional change and additional functionality:
- You will need to test your printers again. Try using Notepad first, then Adobe Reader (PDF) and include images (PNG, JPG, BMP). Testing is especially important if you have V3 printer drivers.
- If your business applications use COM (or God forbid DCOM), you will need a full penetration test. Changes to the COM STA thread model can lead to difficult troubleshooting situations.
- With Microsoft Movies and TV app, play MP4 videos and check for audio problems.
- You may not be using Internet Explorer (IE), but your applications may have dependencies on IE components (IEFRAME.DLL). Assess your application portfolio for this key dependency, then test the Office component integration issues and tabbed browsing.
- See also Microsoft Timeline, as there have been minor changes to the way your data is handled.
The biggest problem (or engineering task) this month is the need to validate that your applications install, repair, update and uninstall correctly. Check your Windows Installer logs (0 for success). I think it's a great job because we usually focus on installing applications; this time we have to look at how the applications are uninstalled. Once an application has been uninstalled, the target machine should be clean, error logs empty, and no corrupted applications. Doing this correctly will allow the next MSI installer update to work properly.
Known issues
Every month Microsoft includes a list of known operating system and platform issues included in this update cycle. Here are some key issues with the latest versions from Microsoft, including:
- After you install the June 21, 2021 update (KB5003690), some devices may not install new updates, such as the July 6, 2021 update (KB5004945) or later updates. You will receive the error message "PSFX_E_MATCHING_BINARY_MISSING". For more information and a workaround, see KB5005322.
- Some Windows 10 LTSC systems have issues after installing KB4493509. Devices with some Asian language packs installed may receive the error "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND". Microsoft is currently working on a fix.
- Windows print clients may experience the following errors when connecting to a shared remote printer on a Windows print server: 0x000006e4 (RPC_S_CANNOT_SUPPORT), 0x0000007c (ERROR_INVALID_LEVEL), 0x00000709 (ERROR_INVALID_PRINTER_NAME). Microsoft is working on this problem. We hope that there will be an OOB update to fix this issue before the December B release (Patch Tuesday). The good news is that most of these reported printer problems are related to corporate environments (for example, print servers combined with a domain controller); most home users will not be affected by security or printing problems.
After installing this month's update from Microsoft, connecting to devices in an untrusted domain using Remote Desktop may not authenticate when using chip-card authentication. You may get a "Your credentials didn't work" message. This issue is resolved by Known Issue Rollback (KIR), which is pretty exciting. Microsoft now allows policy-based managed code execution paths. If you run into any problems, you can override the execution path of the affected files, returning this snippet to a "pre-patch" state. To do this successfully, you must ensure that you have the correct policy files for your platform. You can find the relevant policy files for each version of Windows here:
One of the best ways to see if there are any known issues affecting your target platform is to review the many configuration options for downloading patch data from the Microsoft Security Update Tips site or the update summary page. security this month.
Important revisions
There are no major hotfixes (or even documentation updates) this month.
Mitigations and alternative solutions
As of November 12, Microsoft had not released any mitigation or fix for this month's update cycle.
Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired ???, not yet).
Browsers
Microsoft has released only one major update for Microsoft Edge. This patch is basically an update to the Chromium code, but it affects how Edge IE mode works. The potential business impact of this update is marginal, so please add this relatively simple update to your regular release schedule.
the Windows
The Microsoft Windows platform received 28 updates, three of which were considered critical and the remaining fixes were considered important. The biggest concern is the two publicly reported Remote Desktop Protocol (RDP) issues (CVE-2021-38631 and CVE-2021-41371). Microsoft has done a lot of work on RDP over the past year with major updates released with every Patch Tuesday. I've always had concerns about RDP, although Microsoft offers tips and tools to protect your remote offices. Given recent supply chain issues and the lack of fully integrated RDP alternatives, I think patching early and often is our best bet. Add these updates to your Windows "Patch Now" program.
Microsoft Office
Microsoft has released four updates, all of which are considered important. Affecting Access, Word, and Excel, these vulnerabilities require both local access to the target system and user interaction. Unfortunately, an Excel-related issue (CVE-2021-42292) has been reported as exploited (although logged by Microsoft as proof of concept). While these Office-related security issues cannot be "killed," exploiting a publicly reported remote code execution vulnerability significantly increases the risk for corporate customers. Add these updates to your "Patch Now" release schedule.
Microsoft Exchange Server
Microsoft released three major updates (CVE-2021-1349, CVE-2021-42305, CVE-2021-42321) for Exchange Server this month. All three updates refer to a single Knowledge Base (KB) article, KB5007049. These updates will require a server reboot and there is a high probability that this could cause the installation to fail or interrupt the Exchange server ("hang" as if there is no remote connection). There are a number of known issues with this update related to manual installations and UAC issues. Test this update thoroughly before any production deployment.
Microsoft development platforms
This month's update is a bit more interesting than usual. We have two updates (both considered important) for Visual Studio that could lead to elevation of privilege scenarios. And exceptionally, Microsoft added an August open source project vulnerability to the November update this month. The issue classified as critical in the OpenSSL cryptography framework (CVE-2021-3711) is consumed by Microsoft Visual Studio and was therefore considered a significant risk for Visual Studio users. That's a great call from Microsoft and it really shows their commitment to these kinds of open source projects. Add these updates to your regular developer deployment schedule.
Adobe (really only Reader)
This month, Adobe posted three lower-rated issues affecting its RoboHelp (APSB21-87), InCopy (APSB21-110), and Creative Cloud (APSB21-111) applications. Although there are no updates for Adobe Reader, we recommend that you test printing your PDF files due to changes in the Windows printing system. Also, you may need to verify that the automatic update feature still works in Adobe Reader after this month's update is installed.
Copyright © 2021 IDG Communications, Inc.