With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reports of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month’s Patch Tuesday release gets a “Patch Now” priority. Key testing areas include printing, Microsoft Word and, more generally, application un-installations. (The Microsoft Office, .NET and browser updates can be added to your standard release schedules.)
High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require the creation of new testing plans:
- Test these newly-released functionality updates. Please attach a camera or phone to your PC and use the Photos import function to import images and videos.
- Basic printing tests are required this month due to functionality changes in the Windows spooler controller.
- Microsoft Office: Conduct basic testing on Word, PowerPoint, and Excel with a focus on SmartArt, diagrams, and legacy files.
- Test your Windows error logs, as the Windows Common Log File system has been updated.
- Validate domain controller authentication and domain-related services such as Group Managed Service accounts. Include on-premise and off-premise testing as well.
- High-duration VPN testing is required, with VPN testing cycles that need to exceed eight hours on both servers and desktops. Note: you will need to ensure that PKE fragmentation is enabled. We suggest the following PowerShell command:
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force
  Restart-Service remoteaccess
- Test any application using the OLE DB interface and sqloledb.dll to make database connections. This process will require an assessment of your application portfolio, looking for dependencies on the SQL OLE libraries and components and focused testing on application functionality that uses these updated features.
- Application un-installations will require testing due to changes in the Enterprise Application Management Windows component. The big challenge here is to test that an application package has been fully uninstalled from a machine, meaning all the files, registry entries, services and shortcuts have been removed. This includes all the first-run settings and configuration data related to the application. This is a tough, time-consuming task that will require some automation to ensure consistent results.
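One way to automate the uninstall check described in the last item, as an added example that is not part of the original article: a read-only PowerShell script that reports files, shortcuts, registry entries and services still referencing an application after it has been removed. The name `ContosoApp` is a constructed placeholder, and the locations searched are the common defaults, not an exhaustive list.

```powershell
# Added example: list what an uninstall left behind. 'ContosoApp' is a
# constructed placeholder name; pass the name of the package under test.
param([string]$AppName = 'ContosoApp')

$pattern  = "*$AppName*"
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Item) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item })
}

# Files: install folders plus machine-wide and per-user configuration data.
$bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           "$env:SystemDrive\Users\*\AppData\Local",
           "$env:SystemDrive\Users\*\AppData\Roaming") | Where-Object { $_ }
foreach ($base in $bases) {
    Get-Item -Path (Join-Path $base $pattern) -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'File' $_.FullName }
}

# Shortcuts: Start Menu trees and desktops for every profile.
$linkRoots = "$env:ProgramData\Microsoft\Windows\Start Menu",
             "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu",
             "$env:SystemDrive\Users\*\Desktop"
Get-ChildItem -Path $linkRoots -Recurse -Filter "$pattern.lnk" -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Shortcut' $_.FullName }

# Registry: Add/Remove Programs entries (64-bit, 32-bit, current user).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    ForEach-Object { Add-Finding 'Registry' $_.PSPath }

# Services whose name, display name or binary path still references the app.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern -or
                   $_.PathName -like $pattern } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) -> $($_.PathName)" }

# Non-zero exit lets a test harness fail the run when anything remains.
$findings | Sort-Object Kind, Item | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }
```

Run it once before installation to record pre-existing matches, then again after the uninstall, so that only new leftovers count as failures.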
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle.
- Microsoft SharePoint Server: Nintex Workflow customers must take additional action after this security update is installed to make sure workflows can be published and run. For more information, please refer to this Microsoft support document.
- After installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found. For more information about the specific errors, cause, and workaround, see KB5003571.
- Some enterprise users may still be experiencing issues with XPS Viewers. A manual re-install will likely resolve the issue.
Major revisions
As of Sept. 16, Microsoft has not published any major revisions to its security advisories.
Mitigations and workarounds
There are four mitigations and workarounds included in this Patch Tuesday release, including:
- CVE-2022-35838: A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled. Currently, enabling HTTP/3 is done via a registry key as discussed in this article: Enabling HTTP/3 support on Windows Server 2022
- CVE-2022-34718: Please note that systems are not affected by this security vulnerability if IPv6 is not enabled on the target machine.
- CVE-2022-34691: Microsoft has published supplementary documentation on certificate-based authentication changes for Windows domain controllers.
- CVE-2022-33679: For customers running Server 2012 and those who use the Kerberos Armour service, there is an option to use Flexible Authentication Secure Tunnelling (FAST) that fully mitigates this Kerberos vulnerability. Microsoft has also published useful support documentation detailing different approaches to access control using Kerberos.
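To see which of these preconditions hold on a given server, the following read-only PowerShell check is offered as an added example, not code from the article or from Microsoft. It covers the HTTP/3 prerequisite for CVE-2022-35838, the IPv6 condition for CVE-2022-34718 and the VPN fragmentation setting from the testing list. It assumes the `EnableHttp3` value name from Microsoft's HTTP/3 article and the `ms_tcpip6` adapter binding for IPv6; `Get-RegValue` is a helper defined here.

```powershell
# Added example: report exposure preconditions named in this month's guidance.
# Read-only; run in an elevated session on the server being assessed.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# CVE-2022-35838: a server is only vulnerable when HTTP/3 is enabled.
$http3 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' 'EnableHttp3'

# CVE-2022-34718: not applicable when IPv6 is not enabled on the machine.
$ipv6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
          Where-Object Enabled | Select-Object -ExpandProperty Name)

# VPN soak test precondition: server-side fragmentation for IKEv2.
$frag = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2' 'EnableServerFragmentation'

$report = @(
    [pscustomobject]@{
        Check    = 'CVE-2022-35838 HTTP/3 prerequisite'
        Observed = if ($null -eq $http3) { 'EnableHttp3 not set' } else { "EnableHttp3=$http3" }
        Result   = if ($http3 -eq 1) { 'Prerequisite met: patch first' } else { 'HTTP/3 not enabled' }
    }
    [pscustomobject]@{
        Check    = 'CVE-2022-34718 IPv6 condition'
        Observed = if ($ipv6.Count) { $ipv6 -join ', ' } else { 'no adapter with IPv6 bound' }
        Result   = if ($ipv6.Count) { 'IPv6 enabled: patch first' } else { 'IPv6 not enabled' }
    }
    [pscustomobject]@{
        Check    = 'IKEv2 server fragmentation (VPN test)'
        Observed = if ($null -eq $frag) { 'EnableServerFragmentation not set' } else { "EnableServerFragmentation=$frag" }
        Result   = if ($frag -eq 1) { 'Ready for VPN testing' } else { 'Enable before VPN testing' }
    }
)
$report | Format-Table -AutoSize -Wrap
```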
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
Microsoft has released a single update to the Edge browser (CVE-2022-38012) that has been rated as low: although it could lead to a remote code execution scenario, its exploitation chain is difficult. In addition, there are 15 updates to the Chromium project. Slightly out of sync with Patch Tuesday, Microsoft released the latest version of the Edge Stable channel on Sept. 15 that contains a fix for CVE-2022-3075. You can read more about this update’s release notes and can find out more about Chromium updates. Add these low-profile browser updates to your standard release schedule. Note: you will have to deploy a separate application update to Edge — this may require additional application packaging, testing, and deployment.
Windows
Microsoft addressed three critical issues (CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722) and 50 issues rated important this month. This is another broad update that covers the following key Windows features:
- Windows Networking (DNS, TLS and the TCP/IP stack);
- Cryptography (IKE extensions and Kerberos);
- Printing (again);
- Microsoft OLE;
- Remote Desktop (Connection Manager and APIs).