Microsoft delivers a solid, low-impact Patch Tuesday

• The comparison
• News & Updates
• Microsoft delivers a solid, low-impact Patch Tuesday

March brings us a robust set of updates from Microsoft for Windows, Microsoft Office, Exchange, and Edge (Chromium), but no critical issues that require a "Patch Now" release schedule (although Microsoft Exchange will require a technical effort this month, this). We have published testing guidelines, focusing on printing, remote desktop over VPN connections, and server-based network changes. We also recommend that you test your Windows installation packages with an emphasis on restore and uninstall functionality.

You can find more information about the risk of implementing these Patch Tuesday updates with this helpful infographic. And, if you're looking for more information on .NET updates, there's an excellent article from Microsoft that highlights this month's changes.

Main test scenarios

At least one high-risk change to the Windows platform was reported in March. We've included the following rough testing guidelines based on our analysis of changed files and content from this month's Windows and Office updates:

• (High risk): Test your network printers via RDP (Remote Desktop Protocol). Microsoft has not released any functional changes for this month's update as the changes are due to security concerns.
• Printer driver V4, remote printing and redirected network-based printer(s).
• Test your backup and restore processes when using Encrypting File Systems (EFS).
• Verify that your VPNs authenticate correctly via Point-to-Point Tunneling Protocol (PPTP).
• Test your Windows error reporting processes with Create/Read/Update/Delete (CRUD) for all log files.
• Locate application references to NtAlpcCreatePort on your Windows servers and validate the results of your application.

If you have time, it might be worth experimenting with UNC paths to DOS boxes (due to various changes to the network and authentication stack). There was also an update to the FastFAT system driver and End User Defined Character (EUDC) support. Microsoft has now included the deployment and restart requirements for this March 2022 Update on a single page.

Known issues

Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that cycle. There's more than usual this time around, so I've mentioned a few key issues with the latest Microsoft releases, including:

• After you install this update, when you connect to devices in an untrusted domain using Remote Desktop, connections may not be authenticated when you use smart card authentication. You may get a "Your credentials didn't work" message. Starting last month, Microsoft has released a series of GPO files that address this issue, including: Windows Server 2022 and Windows 10.
• After installing updates released on or after January 11, applications that use the Microsoft .NET Framework to acquire or establish trust information from the Active Directory forest by using the System.DirectoryServers API may fail or generate an error message.

There was an issue pending from the January update cycle where the DWM.EXE executable crashes after installing KB5010386. This problem is solved now. If you're looking for more data on these types of reported issues, an excellent resource from Microsoft is the Microsoft Health Center; in particular, you can read about Windows 10 and Windows 11 known issues and their current status.

Important revisions

Although there is a much smaller list of patches for this patch cycle, Microsoft has released several revisions of previous patches, including:

• CVE-2021-3711: This is a Visual Studio November 2021 update. A new build has been updated to include support for the latest versions of Visual Studio 2022. No further action is required.
• CVE-2021-36927 – This updated patch resolves a TV tuner codec issue in 2021. Microsoft has released an updated set of documentation for this, noting that the patch is now official and fully resolves the reported issue. No further actions are required.

Mitigation and Workarounds

This month, Microsoft did not release any mitigations or workarounds for Windows, Microsoft Office, browser, or developer platform updates and fixes. There is an ongoing list of mitigations and updates related to known issues in Microsoft Exchange (these are included in our Exchange section).

Each month, we break down the release cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (desktop and server);
• microsoft office;
• Microsoft Exchange;
• Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, maybe next year).

browsers

Following a trend set by Microsoft in recent months, only the Chromium Edge browser has been updated. With no critical updates and 21 reported vulnerabilities that Microsoft considers important, this is another easy update cycle. In addition to fixing potential issues with the Brotli compression engine, you should be able to deploy browser updates on your normal release schedule.

the Windows

Following the trend of fewer updates (in number and type) this month, Microsoft released only two critical updates (CVE-2022-22006 and CVE-2022-24501). Neither update is likely to affect the major platforms, as each fixes a unique video codec and Microsoft Store component. Microsoft considers the remaining 40 patches to be important, and they update the following core Windows components:

• Remote Desktop Client (RDP);
• Windows Error Log (updated monthly this year);
• Networks (SMB and PTPTP);
• Windows Update and Windows Installer.

You may want to add Windows Installer testing to your testing regimen this month. Please add these Windows updates to your standard release schedule.

microsoft office

If you've ever looked for a "low risk" patch profile for Microsoft Office, this month's updates are a great candidate. Microsoft has released six patches for Office, all of which are considered important. More importantly, they affect Skype (which isn't that big of a deal) or the Click-to-Run (CTR) installation of Office. The CTR version is the virtualized standalone version of the Office installation that is streamed to the target system. By design, these installations have little to no effect on the operating system, and given the nature of the changes made this month, there is very little risk of implementation. Add these Office updates to your standard deployment schedule.

Microsoft Exchange Server

Finally, a critical Microsoft vulnerability. No wait! Shit, that's for Exchange. Microsoft Exchange is in the bad books this month with one of the few critical vulnerabilities (CVE-2022-23277). Of the two Exchange-related fixes for March, the other (CVE-2022-24463) is considered important and could lead to a potential credential theft scenario. The critical issue is considered highly exploitable, but requires the attacker to be authenticated. This is not a "vertible" vulnerability, so we recommend adding Microsoft Exchange updates to your standard server implementation. This update will require a reboot of your servers. There have been several issues posted with recent updates to Microsoft Exchange, so we've included a list of known issues when upgrading your Exchange servers, including:

When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (that is, not as an administrator), some files are not updated correctly.

Exchange services may remain in a disabled state after you install this security update. To resolve this issue, start the update process as an administrator.

When you block third-party cookies in a web browser, you may be continually prompted to trust a particular plugin, even if you continue to select the option to trust it.

When you try to request free/busy information for a user in a different forest in a trusted inter-forest topology, the request fails with a "(400) Bad Request" error message.

Microsoft has released a fix for the "400 Bad Request" error.

Microsoft development platforms

Microsoft released just four updates to its developer platforms in March, all of which were deemed significant. Two patches are for the .NET platform (CVE-2022-24512 and CVE-2022-24464), both of which require user interaction to deliver their payload, leading to a worst-case escalation attack. Google raised the Microsoft patch that may give you a headache in 2020 (hence its CVE ID of CVE-2020-8927). This Brotli Patch Tuesday update may affect the way your web pages are compressed (note that I didn't say "compressed"). Before deploying this update, quickly scan your internal web pages and browser-based applications with Brotli for adverse effects on CSS and JavaScript decompression (hint, hint). If not, add these updates to your standard patch schedule.

Adobe (really only Reader)

Just like last month, Adobe has not released any updates or patches for the Adobe Reader product lines. This is good news and hopefully part of a larger trend. Hopefully, Adobe Reader updates will follow the same patch as Microsoft's browser patches (a diminishing number of critical updates) and then, as with the Microsoft Chromium browser, we'll only see a few security issues deemed important both by the community as well as by Microsoft. . Adobe has released some fixes for its Photoshop, After Effects, and Illustrator products. However, these updates are product focused and should not impact overall desktop/server patch deployment schedules.

Copyright © 2022 IDG Communications, Inc.