Critical zero-days make September’s Patch Tuesday a ‘Patch Now’ release

With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reports of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month’s Patch Tuesday release gets a “Patch Now” priority. Key testing areas include printing, Microsoft Word, and in general application un-installations. (The Microsoft Office, .NET and browser updates can be added to your standard release schedules.)

High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require the creation of new testing plans:

• Test these newly-released functionality updates. Please attach a camera or phone to your PC and use the Photos import function to import images and videos.
• Basic printing tests are required this month due to functionality changes in the Windows spooler controller.

The following updates are not documented as functional changes, but still require a full test cycle:

• Microsoft Office: Conduct basic testing on Word, PowerPoint, and Excel with a focus on SmartArt, diagrams, and legacy files.
• Test your Windows error logs, as the Windows Common Log File system has been updated.
• Validate domain controller authentication and domain related services such Group Managed Service accounts. Include on-premise and off-premise testing as well.
• High-duration VPN testing is required, with VPN testing cycles that need to exceed eight hours on both servers and desktops. Note: you will need to ensure that PKE fragmentation is enabled. We suggest the following PowerShell command:
  HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\” -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force Restart-Service remoteaccess

In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios for this update:

• Test any application using the OLE DB interface and sqloledb.dll to make database connections. This process will require an assessment of your application portfolio, looking for dependencies on the SQL OLE libraries and components and focused testing on application functionality that uses these updated features.
• Application un-installations will require testing due to changes in the Enterprise Application Management windows component. The big challenge here is to test that an application package has been fully uninstalled from a machine, meaning all the files, registry, services and shortcuts have been removed. This includes all the first-run settings and configuration data related to application. This is a tough, time-consuming task that will require some automation to ensure consistent results.

Testing these important and often updated features is now a fact of life for most IT departments, requiring dedicated time, personal and specialised processes to ensure repeatable consistent results.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle.

• Microsoft SharePoint Server: Nintex Workflow customers must take additional action after this security update is installed to make sure workflows can be published and run. For more information, please refer to this Microsoft support document. 
• After installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found. For more information about the specific errors, cause, and workaround, see KB5003571.
• Some enterprise users may still be experiencing issues with XPS Viewers. A manual re-install will likely resolve the issue.

Starting at 12 a.m. Saturday, Sept.10, the official time in Chile advanced 60 minutes in accordance with the Aug. 9 announcement by the Chilean government of a daylight-saving time (DST) time zone change. This moved the DST shift from Sept. 4 to Sept. 10; the time change will affect Windows apps, timestamps, automation, workflows, and scheduled tasks. (Authentication processes that rely on Kerberos may also be affected.)

Major revisions

As of Sept. 16, Microsoft has not published any major revisions to its security advisories.

Mitigations and workarounds

There are four mitigations and workarounds included in this Patch Tuesday release, including:

• CVE-2022-35838: A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled. Currently, enabling HTTP/3 is done via a registry key as discussed in this article: Enabling HTTP/3 support on Windows Server 2022
• CVE-2022-34718: Please note that this security vulnerability is not affected if IPv6 is not enabled on the target machine.
• CVE-2022-34691: Microsoft has published supplementary documentation on certificate-based authentication changes for Windows domain controllers.
• CVE-2022-33679: For customers running Server 2012 and those who use the Kerberos Armour service, there is an option to use Flexible Authentication Secure Tunnelling (FAST) that fully mitigates this Kerberos vulnerability. Microsoft has also published useful support documentation detailing different approaches to access control using Kerberos.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, maybe next year).

Browsers

Microsoft has released a single update to the Edge browser (CVE-2022-38012) that has been rated as low ,even though it could lead to remote code execution scenario due to its difficult exploitation chain. In addition, there are 15 updates to the Chromium project. Slightly out of sync with Patch Tuesday, Microsoft released the latest version of the Edge Stable channel on Sept. 15 that contains a fix for CVE-2022-3075. You can read more about this update’s release notes and can find out more about Chromium updates. Add these low-profile browser updates to your standard release schedule.

Note: you will have to deploy a separate application update to Edge — this may require additional application packaging, testing, and deployment.

Windows

Microsoft addressed three critical issues (CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722) and 50 issues rated important this month. This is another broad update that covers the following key Windows features:

• Windows Networking (DNS, TLS and the TCP/IP stack);
• Cryptography (IKE extensions and Kerberos);
• Printing (again);
• Microsoft OLE;
• Remote Desktop (Connection Manager and API’s).

For Windows 11 users, here is this month’s Windows 11 video update. The three critical updates all have NIST ratings of 9.8 (out of 10). Coupled with the three exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) these make this month’s Windows update a “Patch Now” release.

Microsoft Office

Microsoft released seven security patches to the Office platform affecting Visio, PowerPoint, SharePoint and SharePoint Server. The Microsoft Visio and PowerPoint updates are low-profile deployments that should be added to your standard Office update schedules. The SharePoint Server updates (CVE-2022-38008 and CVE-2022-37961) are not rated critical, but they could lead to a remote code execution scenario (though difficult to exploit). We recommend adding these two updates to your server update schedule, noting that all patched SharePoint Servers will require a restart.

Microsoft Exchange Server

Fortunately for us (and all IT admins) Microsoft has not published any security advisories for Microsoft Exchange products this month.

Microsoft Development Platforms

Microsoft published three updates rated important for their developer tools platform (CVE-2022-26929, CVE-2022-38013 and CVE-2022-38020) affecting Microsoft .NET and the Visual Studio platform. These three updates are relatively low risk to deploy and should be added to your standard developer release schedule.

Adobe (really just Reader)

Adobe published six security bulletins affecting: Animate, Bridge, Illustrator, InCopy, InDesign and RoboHelp. However, there were no updates to Adobe Reader or other related PDF products. This may be the result of Adobe being otherwise engaged with the $20 billion purchase of Figma.