With 63 updates affecting Windows, Microsoft Office, and the Visual Studio and .NET platforms, and reports of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444), this month's Patch Tuesday release gets a "Patch Now" priority. Primary areas of testing include printing, Microsoft Word, and general application uninstalls. (Microsoft Office, .NET, and browser updates can be added to your standard release schedules.)
You can find more information about the risk of implementing these Patch Tuesday updates with this helpful infographic.
Main test scenarios
Given the large number of changes included in the September patch cycle, I divided the test cases into high-risk and standard-risk groups:
High risk: These changes are likely to include feature changes, may make existing features obsolete, and will likely require the creation of new test plans:
- Test these recently released feature updates: connect a camera or phone to your PC and use the photo import feature to import images and videos.
- Basic print tests are required this month due to functionality changes in the Windows print spooler driver.
The following updates are not documented as functional changes, but still require a full test cycle:
- Microsoft Office – Run basic tests in Word, PowerPoint, and Excel with a focus on SmartArt, diagrams, and legacy files.
- Test your Windows error logs, as the Windows Common Log File System has been updated.
- Validate domain controller authentication and domain-related services, such as group-managed service accounts. Also include onsite and offsite testing.
- Long-duration VPN testing is required, and VPN test cycles are expected to exceed eight hours on servers and desktops. Note: You will need to make sure that IKE fragmentation is enabled. We suggest the following PowerShell command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force; Restart-Service remoteaccess
In addition to these changes and test requirements, I've included some of the more difficult test scenarios for this update:
- Test any application that uses the OLE DB interface and sqloledb.dll to establish database connections. This process will require an evaluation of your application portfolio, finding dependencies on SQL OLE components and libraries, and specific testing of application functionality using these updated features.
- Application uninstalls will require testing due to changes in the Enterprise Application Management component of Windows. The big challenge here is proving that an application package has been completely uninstalled from a machine, meaning that all files, registry entries, services, and shortcuts have been removed. This includes all first-run settings and configuration data related to the app. This is a difficult and time-consuming task that will require some automation to ensure consistent results.
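One way to automate the uninstall check described in the last bullet is to snapshot the machine before installation and compare after uninstalling. The following is an added PowerShell example, not code from the article or from Microsoft; the function names Get-Footprint and Get-UninstallResidue, the scanned locations, and the baseline path are assumptions.

```powershell
# Added example, not from the article. Function names, scanned locations and
# the baseline path are assumptions; extend them to match your packages.
function Get-Footprint {
    param(
        [string[]]$FileRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
                                 $env:APPDATA, $env:LOCALAPPDATA, "$env:PUBLIC\Desktop",
                                 [Environment]::GetFolderPath('Desktop')),
        [string[]]$RegistryRoots = @(
            'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\SOFTWARE',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
    )
    # Files and shortcuts (.lnk) under the install, data and profile locations
    foreach ($root in $FileRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $kind = if ($_.Extension -eq '.lnk') { 'shortcut' } else { 'file' }
                "$kind|$($_.FullName)"
            }
    }
    # Registry: vendor keys and Add/Remove Programs entries (one level deep)
    foreach ($root in $RegistryRoots | Where-Object { Test-Path -LiteralPath $_ }) {
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
            ForEach-Object { "registry|$($_.Name)" }
    }
    # Services, with the binary each one points at
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { "service|$($_.Name)|$($_.PathName)" }
}

function Get-UninstallResidue {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [string[]](Get-Content -LiteralPath $BaselinePath -Encoding UTF8),
        [StringComparer]::OrdinalIgnoreCase)
    # Anything present now that the pre-install baseline never saw is residue
    Get-Footprint | Where-Object { -not $known.Contains($_) }
}

# On a clean test VM (C:\Temp\baseline.txt is a placeholder path):
#   Get-Footprint | Set-Content -LiteralPath C:\Temp\baseline.txt -Encoding UTF8   # before install
#   ...install, launch once to create first-run data, uninstall, reboot...
#   Get-UninstallResidue -BaselinePath C:\Temp\baseline.txt                       # after uninstall
```

Expect some noise from Windows and other background activity under ProgramData and the user profile; run the comparison on an otherwise idle test machine and review the list rather than treating every entry as a packaging defect.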
Testing these important and frequently updated features is now a fact of life for most IT departments, requiring dedicated time, personnel, and specialized processes to ensure consistent and repeatable results.
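For the OLE DB scenario above, the portfolio evaluation can start with a search for references to the provider. The following is an added PowerShell example, not code from the article; Find-SqlOleDbUsage, its parameters, the file extensions searched, and the C:\Apps path are assumptions.

```powershell
# Added example, not from the article. Find-SqlOleDbUsage, its parameters and
# the file extensions searched are assumptions; adjust them to your portfolio.
function Find-SqlOleDbUsage {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Include = @('*.config', '*.udl', '*.ini', '*.xml', '*.json', '*.vbs', '*.asp')
    )
    # OLE DB connection strings select this provider with "Provider=SQLOLEDB",
    # optionally followed by a version suffix such as ".1".
    $pattern = 'Provider\s*=\s*SQLOLEDB(\.\d+)?\b'

    # 1. Static references in configuration and script files. Only the file and
    #    line number are reported: the matching line may contain credentials.
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'ConfigReference'; Item = $_.Path; Detail = "line $($_.LineNumber)" }
        }

    # 2. Running processes that currently have sqloledb.dll loaded. Run elevated,
    #    and repeat from 32-bit PowerShell: a 64-bit session may not list the
    #    DLLs loaded by 32-bit processes.
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # access denied or process exited
        if ($modules.ModuleName -contains 'sqloledb.dll') {
            [pscustomobject]@{ Kind = 'LoadedModule'; Item = $proc.ProcessName; Detail = "PID $($proc.Id)" }
        }
    }
}

# Constructed usage: C:\Apps is a placeholder for wherever your applications live.
# Find-SqlOleDbUsage -Path 'C:\Apps' | Sort-Object Kind, Item | Format-Table -AutoSize
```

Applications that build their connection strings in compiled code will not show up in the file search, so the loaded-module pass should be run while those applications are connected to their databases.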
Known issues
Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that update cycle.
- Microsoft SharePoint Server: Nintex Workflow customers should take additional steps after installing this security update to ensure that workflows can be published and run. For more information, see this Microsoft support document.
- After installing KB5001342 or later, the cluster service may not start because a cluster network driver could not be found. For more information on specific errors, causes, and solutions, see KB5003571.
- Some business users may still experience problems with XPS viewers. A manual reinstall is likely to fix the problem.
As of 12:00 noon on Saturday, September 10, the official time in Chile was advanced 60 minutes in accordance with the Chilean government's announcement on August 9 regarding the time zone change to Daylight Savings Time (DST). This moved the daylight saving time change from September 4 to September 10; the time change will affect Windows applications, timestamps, automation, workflows, and scheduled tasks. (Authentication processes that depend on Kerberos may also be affected.)
Important revisions
Since September 16, Microsoft has not released any major revisions to its security advisories.
Mitigation and Workarounds
There are four mitigations and workarounds included in this Patch Tuesday release, including:
Each month, we break down the release cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
Microsoft released a single update for the Edge browser (CVE-2022-38012), which was rated low even though it could lead to a remote code execution scenario, because its exploitation chain is difficult. In addition, there are 15 updates to the Chromium project. Slightly out of sync with Patch Tuesday, Microsoft released the latest version of the Edge Stable channel on September 15, which contains a fix for CVE-2022-3075. You can read more in the release notes for this update and about the Chromium updates. Add these discrete browser updates to your standard release schedule.
Note: You will need to deploy a separate app update to Edge; this may require additional application packaging, testing, and deployment.
Windows
Microsoft fixed three critical issues (CVE-2022-34718, CVE-2022-34721, and CVE-2022-34722) and 50 issues rated important this month. This is another extended update that covers the following major Windows features:
- Windows Networking (DNS, TLS, and the TCP/IP stack);
- Cryptography (IKE and Kerberos extensions);
- Printing (again);
- Microsoft OLE;
- Remote Desktop (Connection Manager and API).
For Windows 11 users, here is this month's Windows 11 video update. The three critical updates have NIST ratings of 9.8 (out of 10). Together with the three exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444), they make this month's Windows Update a "Patch Now" release.
Microsoft Office
Microsoft has released seven security patches for the Office platform that affect Visio, PowerPoint, SharePoint, and SharePoint Server. Microsoft Visio and PowerPoint updates are discrete implementations that should be added to your standard Office update schedules. SharePoint Server updates (CVE-2022-38008 and CVE-2022-37961) are not considered critical, but could lead to a remote code execution scenario (although difficult to exploit). We recommend that you add both updates to your server's update schedule, keeping in mind that all patched SharePoint servers will require a reboot.
Microsoft Exchange Server
Fortunately for us (and all IT administrators), Microsoft did not issue any security advisories for Microsoft Exchange products this month.
Microsoft development platforms
Microsoft has released three updates rated important for its developer tools platform (CVE-2022-26929, CVE-2022-38013, and CVE-2022-38020) that affect Microsoft .NET and the Visual Studio platform. These three updates have relatively low deployment risk and should be added to your standard developer release schedule.
Adobe (really only Reader)
Adobe has released six security bulletins related to: Animate, Bridge, Illustrator, InCopy, InDesign, and RoboHelp. However, there have been no updates to Adobe Reader or other related PDF products. This may be because Adobe has agreed to buy Figma for €20 billion.
Copyright © 2022 IDG Communications, Inc.