June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (there are no Microsoft Exchange Server or Adobe updates this month). A zero-day vulnerability in a key Windows component, CVE-2022-30190, leads to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.
Key testing scenarios
Given the large number of changes included in this June patch cycle, I have broken out the testing scenarios into high-risk and standard-risk groups.
The high-risk changes are likely to include functionality changes, may deprecate existing functions, and will likely require new testing plans. Test your signed drivers on physical and virtual machines (BIOS and UEFI) and across all platforms (x86 and 64-bit):
- Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
- Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
- Use SHA-1 signed versus SHA-2 signed drivers.
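The following script is an added example, not code from the article or from Microsoft. It checks the expectation in the driver tests above after each reboot of the test cycle: a driver whose Authenticode signature is Valid should be running, and an unsigned (or badly signed) driver should not. The driver paths are placeholders for your own test packages, and the script assumes an elevated PowerShell 5.1 or later session on the test machine.

```powershell
# Added example (not from the article): verify "signed loads / unsigned does not load"
# for a set of test drivers after a reboot.
# Assumptions: elevated session; $DriverPath entries are your own test .sys files
# (the paths in the usage line below are placeholders).

function Get-DriverSigningState {
    param([Parameter(Mandatory)][string[]] $DriverPath)

    # Build a table of kernel drivers known to the Service Control Manager, keyed by
    # normalised image path. Win32_SystemDriver.PathName is usually a full path but can
    # also start with \SystemRoot or \??\, so normalise both forms.
    $known = @{}
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $known[$p.ToLowerInvariant()] = $_
        }

    foreach ($d in $DriverPath) {
        $full = (Resolve-Path -LiteralPath $d).Path
        $sig  = Get-AuthenticodeSignature -FilePath $full
        $svc  = $known[$full.ToLowerInvariant()]
        $loaded = ($null -ne $svc) -and ($svc.State -eq 'Running')

        # Expected outcome from the test matrix: Valid -> loaded, anything else -> not loaded.
        $expectLoad = ($sig.Status -eq 'Valid')

        [pscustomobject]@{
            Driver     = $full
            SigStatus  = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject # $null when unsigned
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Loaded     = $loaded
            Result     = if ($loaded -eq $expectLoad) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Usage (placeholder paths): run once after each shut-down/reboot/restart in the cycle.
Get-DriverSigningState -DriverPath 'C:\DriverTests\signed\sample.sys',
                                   'C:\DriverTests\unsigned\sample.sys' |
    Format-Table -AutoSize
```

Get-AuthenticodeSignature reports the signature status and signer, but not the digest algorithm of the file signature itself; for the SHA-1 versus SHA-2 case in the matrix, record which package you installed, or inspect the signature with signtool, and keep that alongside the PASS/FAIL column.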
Each of these high-risk test cycles must include a manual shut-down, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
- Test remote Credential Guard scenarios. (These tests will require Kerberos authentication, and may only be used with the RDP protocol.)
- Test your Hyper-V servers and start/stop/resume your Virtual Machines (VM).
- Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
- Test deploying sample applications using Azure AD Join (AADJ) and Intune. Ensure that you deploy and revoke access as part of your test cycle.
In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update, because of the changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. It’s good to challenge each application package as part of a Quality Assurance (QA) process that covers the key application lifecycle stages: installation, activation, update, repair, and then uninstall.
Not testing these stages could leave IT systems in an undesirable state — at the very least, it will be an unknown state.
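As an added example (not from the article), here is a small PowerShell harness that drives one MSI package through the install, repair and uninstall stages described above, writing a verbose Windows Installer log per stage and stopping at the first stage whose msiexec exit code is not a success code. The package path is a placeholder for your own application, and the script assumes an elevated session.

```powershell
# Added example (not from the article): exercise an MSI package's lifecycle stages and
# check msiexec exit codes. Assumptions: elevated session; 'C:\Packages\MyApp.msi' is a
# placeholder for one of your own packages.

function Invoke-MsiStage {
    param(
        [Parameter(Mandatory)][ValidateSet('Install', 'Repair', 'Uninstall')] [string] $Stage,
        [Parameter(Mandatory)][string] $Msi,
        [string] $LogDir = "$env:TEMP\msi-qa"
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f $Stage, (Get-Date))

    # Windows Installer switches: /i install, /fa repair (reinstall all files), /x uninstall.
    $op = switch ($Stage) {
        'Install'   { "/i `"$Msi`"" }
        'Repair'    { "/fa `"$Msi`"" }
        'Uninstall' { "/x `"$Msi`"" }
    }
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "$op /qn /norestart /l*v `"$log`"" -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required; anything else is a failure
    # whose cause is in the verbose log.
    $ok = $proc.ExitCode -in @(0, 3010)
    [pscustomobject]@{ Stage = $Stage; ExitCode = $proc.ExitCode; Ok = $ok; Log = $log }
}

function Test-MsiLifecycle {
    param([Parameter(Mandatory)][string] $Msi)
    $results = foreach ($stage in 'Install', 'Repair', 'Uninstall') {
        $r = Invoke-MsiStage -Stage $stage -Msi $Msi
        $r
        if (-not $r.Ok) { break }   # later stages are meaningless once one has failed
    }
    $results
}

Test-MsiLifecycle -Msi 'C:\Packages\MyApp.msi' | Format-Table -AutoSize
```

The update stage is package-specific (a minor upgrade is typically `msiexec /update patch.msp` or a reinstall of the newer .msi), so add it between Install and Repair with the switches your vendor documents; the exit-code check and the per-stage log are the parts that should not vary.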
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
- After installing this June update, Windows devices that use certain GPUs might cause applications to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). No resolutions for these reported issues yet.
- After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.
As you may be aware, Microsoft published an out-of-band (OOB) update last month (on May 19). This update affected the following core Windows Server-based networking features:
- Network Policy Server (NPS)
- Routing and Remote Access Service (RRAS)
- RADIUS and Extensible Authentication Protocol (EAP)
- Protected Extensible Authentication Protocol (PEAP)
The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controllers; desktop platforms are not affected. Because of that earlier patch, Microsoft recommends that this June’s update be installed first on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC), and only then on all DC role computers. Alternatively, pre-populate CertificateMappingMethods to 0x1F on all DCs, as documented in the registry key information section of KB5014754. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.
Did you get that? I must note, with a certain sense of irony, that the most detailed, order-specific set of instructions Microsoft has ever published (ever) is buried mid-way through a very long technical article. I hope everyone is paying attention.
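To make that ordering harder to get wrong, here is an added example (not from the article or from KB5014754) of the second option: set CertificateMappingMethods to 0x1F on a DC, and refuse to remove it until every server in scope reports the June update. The registry location is the Schannel key that KB5014754 documents; the KB number of the June cumulative update differs per OS build, so it is taken as a parameter rather than hard-coded, and the server names are placeholders.

```powershell
# Added example (not from the article): KB5014754 interim setting on domain controllers.
# Assumptions: elevated session on each DC; -JuneKb is the June cumulative update KB
# number for your OS build (supplied by you); -Computer lists every DC and every
# intermediate/application server that forwards client certificates.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'CertificateMappingMethods'

function Enable-LegacyCertMapping {
    # 0x1F re-enables all certificate mapping methods until the June update is everywhere.
    New-ItemProperty -Path $SchannelKey -Name $ValueName -PropertyType DWord -Value 0x1F -Force | Out-Null
    '{0} = 0x{1:X}' -f $ValueName, (Get-ItemProperty -Path $SchannelKey -Name $ValueName).$ValueName
}

function Remove-LegacyCertMapping {
    param(
        [Parameter(Mandatory)][string]   $JuneKb,
        [Parameter(Mandatory)][string[]] $Computer
    )
    # Refuse to drop the override unless every server in scope has the June update installed.
    $missing = foreach ($c in $Computer) {
        if (-not (Get-HotFix -Id $JuneKb -ComputerName $c -ErrorAction SilentlyContinue)) { $c }
    }
    if ($missing) {
        Write-Warning "Keeping $ValueName; $JuneKb is missing on: $($missing -join ', ')"
        return $false
    }
    Remove-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    return $true
}

# Usage (placeholders): run Enable-LegacyCertMapping on each DC before patching; later,
# once all servers are patched, Remove-LegacyCertMapping -JuneKb 'KB<number>' `
#   -Computer 'dc01', 'dc02', 'nps01', 'rras01'
```

Get-HotFix reads Win32_QuickFixEngineering over WMI, so the remote query needs the usual admin rights and firewall rules; if you track compliance through WSUS or Configuration Manager instead, swap that query in and keep the all-or-nothing check.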
Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:
- CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.
- CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to the list of affected applications (now including the Mac platform). No further action required.
- CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now including the Mac platform). No further action required.
- CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major update to the patch is a bit of a mess: the patch was mistakenly allocated to the Windows security update group. Microsoft has removed the Endpoint Configuration Manager entry from the Windows group and has provided the following options to access and install this hot-fix:
  - Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See “Checklist for installing update 2203 for Configuration Manager” for more information.
  - Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager versions 1910 through 2111 who are not able to install Configuration Manager Update 2203 (Build 5.00.9078) can download and install hot-fix KB12819689.
- CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal — we were affected by this issue with massive server performance spikes. If you are having problems with MSDT, you need to read the MSRC blog post, which includes detailed instructions on updates and mitigations. To solve our issues, we had to disable the MSDT URL protocol, which has its own problems.
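The MSRC guidance for CVE-2022-30190 is to back up and then delete the ms-msdt: URL protocol handler, and to restore it from the backup once the fix is installed. The functions below are an added example (not from the article or from MSRC) that wrap those reg.exe steps so the backup is always taken before the delete and the roll-back is a single call; the backup path is a placeholder, and an elevated session is assumed.

```powershell
# Added example (not from the article): apply and roll back the ms-msdt protocol
# workaround for CVE-2022-30190. Assumptions: elevated session; $Backup is a placeholder.

$Backup = 'C:\Backups\ms-msdt.reg'
$MsdtKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocol {
    # True when the handler is registered, i.e. the workaround is NOT in place.
    Test-Path -Path $MsdtKey
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocol)) { return 'already removed' }
    New-Item -ItemType Directory -Path (Split-Path -Path $Backup) -Force | Out-Null

    # Export first so there is always something to import later; /y overwrites a stale backup.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

    if (Test-MsdtProtocol) { throw 'handler still present after delete' }
    'removed'
}

function Restore-MsdtProtocol {
    if (-not (Test-Path -Path $Backup)) { throw "no backup found at $Backup" }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Test-MsdtProtocol   # should now be $true
}

# Usage: Disable-MsdtProtocol before the June update is deployed; Restore-MsdtProtocol after.
```

Removing the handler breaks anything that legitimately launches troubleshooters through ms-msdt: links, which is the “has its own problems” part of the paragraph above; keep the .reg file with the change record so the restore can be done by whoever closes the ticket.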
I think we can safely work through the Visual Studio updates; the Endpoint Configuration Manager changes will take some time to implement, but neither has a significant testing profile. DCOM changes are different: they are tough to test and generally require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired outcomes. Ensure that you have a full list of all applications with DCOM dependencies and run through a business logic test, or you may have some unpleasant surprises, with very difficult-to-debug troubleshooting scenarios.
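One way to build that list of DCOM dependencies is to look for the events that KB5004442 says Windows logs when an activation would be refused at the new default level: ID 10036 on the server side, and IDs 10037 and 10038 on the client side. The script below is an added example (not from the article or from KB5004442) that collects those events from a set of machines and exposes the RequireIntegrityActivationAuthenticationLevel override under HKLM\SOFTWARE\Microsoft\Ole\AppCompat that the CVE-2021-26414 item above mentions; the computer names and look-back window are parameters you supply.

```powershell
# Added example (not from the article): find DCOM activations that the PKT_INTEGRITY
# default will break (KB5004442 event IDs 10036/10037/10038) and manage the override.
# Assumptions: elevated session with remote event-log access; -Computer names are yours.

function Get-DcomHardeningEvents {
    param([int] $Days = 30, [string[]] $Computer = @($env:COMPUTERNAME))
    foreach ($c in $Computer) {
        Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-DistributedCOM'
            Id           = 10036, 10037, 10038
            StartTime    = (Get-Date).AddDays(-$Days)
        } | ForEach-Object {
            [pscustomobject]@{
                Computer = $c
                Time     = $_.TimeCreated
                Id       = $_.Id
                Side     = if ($_.Id -eq 10036) { 'server' } else { 'client' }
                Message  = ($_.Message -replace '\s+', ' ')   # one line per event for grep/CSV
            }
        }
    }
}

$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$OverrideName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomIntegrityOverride {
    # $null means the value is absent and the June default (enforced) applies.
    (Get-ItemProperty -Path $OleKey -Name $OverrideName -ErrorAction SilentlyContinue).$OverrideName
}

function Set-DcomIntegrityOverride {
    # 0 = temporarily allow the old authentication levels; 1 = require PKT_INTEGRITY.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int] $Value)
    New-Item -Path $OleKey -Force | Out-Null
    New-ItemProperty -Path $OleKey -Name $OverrideName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-DcomIntegrityOverride
}

# Usage (placeholder names): Get-DcomHardeningEvents -Days 30 -Computer 'app01', 'app02' |
#   Sort-Object Computer, Time | Export-Csv -NoTypeInformation "$env:TEMP\dcom-events.csv"
```

The 10036 events name the client account and address that was refused, which is the quickest route to the business owner; the 10037/10038 events name the client process and CLSID, which is what the vendor will ask for when you report that their client needs to raise its authentication level.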
Mitigations and Workarounds
For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
- CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I have seen this, but for this mitigation Microsoft strongly recommends that you install the May 2022 update first. Once that is done, you can reduce your attack surface by disabling NFSv4.1 with the following PowerShell command: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”
Making this change will require a restart of the target server.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
We are seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:
- CVE-2022-2007: Use after free in WebGPU
- CVE-2022-2008: Out of bounds memory access in WebGL
- CVE-2022-2010: Out of bounds read in compositing
- CVE-2022-2011: Use after free in ANGLE
A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.
With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus, especially given the low-risk, low-profile updates to Microsoft browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including NTFS, Windows networking, the codec (media) libraries, and the Hyper-V and Docker components. The most difficult to test and troubleshoot will be the kernel updates and the Local Security Authority Subsystem (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily because the large number of core infrastructure changes should be picked up in early testing. (Microsoft has published another video about the changes this month to the Windows 11 platform, found here.)
Microsoft has fixed the widely exploited Windows “Follina” MSDT zero-day vulnerability, reported as CVE-2022-30190, which, together with the other three critical updates (CVE-2022-30136, CVE-2022-30163 and CVE-2022-30139), leads to a “Patch Now” recommendation for Windows.
Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office core foundation library), all of them rated important. The SharePoint Server updates are relatively low risk but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker’s location. This Excel vulnerability is more of an arbitrary code execution vulnerability; because it requires user interaction and access to a local target system, it is a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.
Microsoft Exchange Server
We have a SQL Server update this month, but no Microsoft Exchange Server updates for June. This is good news.
Microsoft Development Platforms
Microsoft has released a single, relatively low-risk update (CVE-2022-30184) to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Visual Studio 2022 for Mac (still in preview) as soon as possible. As of July (yes, next month), the Mac version of Visual Studio 2019 will no longer be supported. And yes, losing patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.
Adobe (really, just Reader)
There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for its other (non-Acrobat, non-PDF) applications, all of which Adobe rates at its lowest priority level, 3. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.