Were it not for the serious security concerns with on-premises Microsoft Exchange servers (CVE-2021-26855, CVE-2021-27065, CVE-2021-26857 and CVE-2021-26858), I would say things look pretty good for this month's Patch Tuesday. There are still things to test on the desktop, including printing, remote desktop connections over VPN and graphics-intensive operations. And although the other, lower-rated development platform and Microsoft Office updates need some attention, they do not require a rapid response and can be folded into your regular testing regime and deployment rhythm.
I've included a helpful infographic, which this month looks a bit lopsided (again), as all the focus should be on the Windows and Office components.
Key test cases
There are two updates for Microsoft Windows platforms this month that appear to be high risk:
- A change to the local print spooler and print filter pipeline (affected files include localspl.dll and PrintFilterPipelineSvc.exe).
- A major update to the win32k kernel-mode graphics subsystem (win32kbase.sys).
These two major changes affect all supported Microsoft Windows desktop and server platforms. Together with Microsoft, we have built a system that walks through each month's updates and compares every file change (delta) released against our test library. The result is a "hot spot" testing matrix that drives our portfolio testing process. This month, our analysis of this Patch Tuesday release returned the following test cases:
- Test your local printers (and your remote printers). Check printers already installed on an updated machine, but most importantly try installing a new printer driver (sorry, Kyocera). The concern here is that 32-bit code does not pass information correctly to 64-bit printer drivers, causing a BSOD. Testing can be done with simple applications such as Notepad, which is rather disturbing when you think about it.
- Test your Encrypting File System (EFS) and RDS connections. Changes to the FIPS cryptographic components may need special attention; Microsoft documents its FIPS-compliant cryptography separately.
Further down the priority list, we suggest that you test VPN connections, JPEG image rendering and audio streaming (to make sure they still work as expected).
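As an added illustration of the file-delta approach described above and of the Notepad print test, here is a PowerShell script that is not part of the column or of the tooling it mentions. It snapshots the three binaries named above (file version plus SHA-256), diffs a post-update snapshot against the baseline, maps each changed file to a test area, and, when the print spooler binaries changed, prints a small text file from Notepad (`notepad.exe /p`) to every installed printer. The file-to-area map, the file list and the state file name are assumptions made for the example; it needs the PrintManagement module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not the column's or Microsoft's own tooling.
# Map of watched binaries to the test area a change in them should trigger (assumed).
$script:Watch = @{
    "$env:SystemRoot\System32\localspl.dll"               = 'Printing'
    "$env:SystemRoot\System32\PrintFilterPipelineSvc.exe" = 'Printing'
    "$env:SystemRoot\System32\win32kbase.sys"             = 'Graphics'
}

function Get-PatchSnapshot {
    # The hash is the reliable delta; FileVersion strings are sometimes left stale by servicing.
    foreach ($p in $script:Watch.Keys) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $fi = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path    = $p
            Version = $fi.VersionInfo.FileVersion
            Sha256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

function Compare-PatchSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    $old = @{}
    foreach ($e in $Before) { $old[$e.Path] = $e }
    foreach ($e in $After) {
        $prev = $old[$e.Path]
        if ($null -ne $prev -and $prev.Sha256 -eq $e.Sha256) { continue }   # unchanged
        $oldVer = if ($prev) { $prev.Version } else { '(not present)' }
        [pscustomobject]@{
            Path       = $e.Path
            OldVersion = $oldVer
            NewVersion = $e.Version
            TestArea   = $script:Watch[$e.Path]
        }
    }
}

function Invoke-PrintTest {
    # notepad.exe /p only prints to the default printer, so switch the default for each printer
    # and restore the original afterwards. A BSOD mid-loop is itself the test result.
    $doc = Join-Path $env:TEMP 'patch-print-test.txt'
    "Patch Tuesday print test $(Get-Date -Format o)" | Set-Content -LiteralPath $doc
    $net      = New-Object -ComObject WScript.Network
    $original = (Get-CimInstance Win32_Printer -Filter 'Default = TRUE').Name
    try {
        foreach ($prn in Get-Printer) {
            $r = [pscustomobject]@{ Printer = $prn.Name; Driver = $prn.DriverName; Result = 'sent' }
            try {
                $net.SetDefaultPrinter($prn.Name)
                $proc = Start-Process notepad.exe -ArgumentList "/p `"$doc`"" -PassThru -Wait
                if ($proc.ExitCode -ne 0) { $r.Result = "notepad exit code $($proc.ExitCode)" }
            } catch { $r.Result = $_.Exception.Message }
            $r
        }
    } finally {
        if ($original) { $net.SetDefaultPrinter($original) }
    }
}

# Usage:
#   before patching:  Get-PatchSnapshot | ConvertTo-Json | Set-Content .\before.json
#   after patching:   $before = Get-Content .\before.json | ConvertFrom-Json
#                     $delta  = Compare-PatchSnapshot -Before $before -After (Get-PatchSnapshot)
#                     $delta | Format-Table
#                     if ($delta.TestArea -contains 'Printing') { Invoke-PrintTest | Format-Table }
```

Run the "before" snapshot on a reference machine, then the comparison on the same machine after the cumulative update installs; only the binaries whose hash changed show up, so the test list shrinks to what the month's delta actually touched. The print test deliberately goes through Notepad rather than `Out-Printer`, because the crash the column warns about was reported from ordinary desktop applications, not from PowerShell.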
Known issues
Every month Microsoft publishes a list of known operating system and platform issues included in the update cycle. I have highlighted some key issues for the latest Microsoft releases, including:
- Windows 10 2004: System and user certificates can be lost when upgrading a device from Windows 10, version 1809 or later, to a later version of Windows 10. Devices are only affected if they have already installed a latest cumulative update (LCU) released on September 16, 2020 or later, and then upgrade to a later version of Windows 10 from installation media or a source that did not have an LCU released on October 13, 2020 or later integrated.
- Windows Server 2016: After installing KB4467684, the Cluster service might fail to start with error "2245 (NERR_PasswordTooShort)" if the "Minimum password length" group policy is set to more than 14 characters. Microsoft's workaround: "Set the default domain policy 'Minimum Password Length' to a value less than or equal to 14 characters."
You can also find Microsoft's summary of known issues for this release on a single page.
Important revisions
There have been a number of mid-month updates and revisions to the documentation released for various CVEs, including CVE-2021-24094 and CVE-2021-24086 (a remote code execution and a denial-of-service vulnerability respectively, both in the Windows TCP/IP stack). These revisions included only minor updates to the CVE entry documentation; no additional action is required.
Mitigations and workarounds
As with the mid-month fixes released in February by Microsoft, there is a short list of updates with mitigations or workarounds:
- CVE-2021-24094, CVE-2021-24074 and CVE-2021-24086: these three updates published a workaround, which consists of running the command "netsh int ipv6 set global reassemblylimit=0" on a target system. The changes this month are for documentation purposes only and should not affect the technical components involved.
If you addressed these suggested actions in February, no further action is required for this month's release.
Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:
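The netsh workaround above is easy to apply and easy to forget about. As an added example (not Microsoft's or the column's own code), the following PowerShell reads the current IPv6 reassembly limit, applies the workaround while recording the previous value, verifies the kernel actually took the new setting, and restores the old value once the February TCP/IP update is installed. It must run in an elevated shell, and it parses the English "Reassembly Limit" label from `netsh int ipv6 show global`, so on a localized build the regular expression needs adjusting; the state file path is an assumption for the example.

```powershell
# Added example: apply, verify and roll back "netsh int ipv6 set global reassemblylimit=0".
function Get-Ipv6ReassemblyLimit {
    $line = netsh int ipv6 show global | Where-Object { $_ -match '^\s*Reassembly Limit\s*:' }
    if (-not $line) { throw 'Reassembly Limit not found in "netsh int ipv6 show global" output' }
    [uint64](($line -split ':', 2)[1].Trim())
}

function Set-Ipv6ReassemblyLimit {
    param([Parameter(Mandatory)][uint64]$Limit)
    $out = netsh int ipv6 set global reassemblylimit=$Limit 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $out" }
    # Read the value back rather than trusting netsh's "Ok." message.
    $now = Get-Ipv6ReassemblyLimit
    if ($now -ne $Limit) { throw "Requested $Limit but the stack reports $now" }
    $now
}

# State file (assumed location) that remembers what to roll back to.
$stateFile = Join-Path $env:ProgramData 'ipv6-reassembly-limit.json'

# Apply: a limit of 0 makes Windows drop every fragmented IPv6 packet, which is what
# blocks the CVE-2021-24074/24086/24094 attack traffic but also breaks anything that
# legitimately relies on IPv6 fragmentation, so keep the previous value for rollback.
$previous = Get-Ipv6ReassemblyLimit
if ($previous -ne 0) {
    @{ Previous = $previous; Applied = (Get-Date -Format o) } | ConvertTo-Json | Set-Content -LiteralPath $stateFile
    Set-Ipv6ReassemblyLimit -Limit 0 | Out-Null
    "Reassembly limit set to 0 (was $previous); state saved to $stateFile"
} else {
    "Reassembly limit already 0; nothing to do"
}

# Roll back after the February update is confirmed installed:
#   $saved = Get-Content -LiteralPath $stateFile | ConvertFrom-Json
#   Set-Ipv6ReassemblyLimit -Limit ([uint64]$saved.Previous)
```

The verification step matters because netsh reports success even when a later group policy or configuration management run silently rewrites the value; reading the setting back from the stack is the only check that reflects what the kernel is actually enforcing.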
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (desktop and server).
- Microsoft Office (including web and Exchange applications).
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe Flash Player (retired).
Browsers
This month marks the first time Microsoft has differentiated open source Chromium updates from standard browser fixes in its update release documentation. With only one (major) Microsoft Internet Explorer update (CVE-2021-27085), the vast majority of browser updates this month (33) belong to the Chromium project. Since Microsoft Edge is not as tightly integrated with the desktop (and even less so with server platforms), we do not see as many peer-level compatibility or update issues when its binaries are updated; Edge is pretty much designed to update without causing integration issues. Given the low impact of the other Internet Explorer updates, we suggest that you add these updates to your standard update schedule.
Microsoft Windows
Unusually, we found that this month's Windows updates are not the focus. This is still a significant update for the Windows ecosystem, with one publicly disclosed vulnerability (CVE-2021-27077) in the win32k/GDI graphics subsystem, six updates rated critical and 45 remaining fixes rated important. We also see many "areas" covered, including the kernel and GDI components that have historically caused compatibility issues. Below is a short list of critical updates and affected features: I recommend that you review the following CVEs (all rated important by Microsoft) for potential application compatibility and/or integration issues. Some (potential) disruptors include CVE-2021-1640 and CVE-2021-26878, both of which update the printing subsystem. Add this month's Windows Patch Tuesday updates to your "test before deployment" update release schedule.
Microsoft Office (and Exchange, of course)
Microsoft has released 11 updates, all rated important, for the Microsoft Office and SharePoint platforms, covering the following applications or features: SharePoint, Excel, Visio and PowerPoint. All 11 reported Microsoft Office vulnerabilities require local access and user interaction (no worms this month). Usually Excel security issues are a concern, but not this month. And if it weren't for the Exchange issues, I'd say these updates could be added to your standard Office update schedule without much fuss. However, we (now) have four very serious Microsoft Exchange issues that require immediate attention for all on-premises Exchange servers (CVE-2021-26855, CVE-2021-27065, CVE-2021-26857 and CVE-2021-26858). Microsoft updated these four critically urgent entries throughout the week, with each change widening the potential scope of concern. I think CISA's advice to "patch or disconnect your servers from the Internet" says enough about these serious vulnerabilities in on-premises Microsoft Exchange servers. Office 365, anyone? Get your Exchange servers patched before your morning cup of tea, then add any remaining Office updates to your regular update schedule.
Microsoft development platforms
Microsoft has released six updates for Microsoft development platforms, one rated critical and the other five rated important. The single critical update is for the Git components bundled with Visual Studio, and all of the remaining important updates are for Visual Studio as well. We have reviewed each of these updates; the integration impact is marginal, and without a compelling event to warrant a quick response, we suggest that you add them to your regular update schedule.
Adobe Flash Player
Is this the last we hear from Flash? I have said this before and (unfortunately) been corrected. Nothing to report from Microsoft for March. Let's see if we can drop this section in April.
Copyright © 2021 IDG Communications, Inc.