If it weren’t for the serious security issues surrounding on-premises Microsoft Exchange servers (CVE-2021-2685, CVE-2021-27065, CVE-2021-26857 and CVE-2021-26858), I would say things look pretty good for this month’s Patch Tuesday. There are still things to test on the desktop, including printing, remote desktop connections via VPNs, and graphically intensive operations. And while the other lower-rated Microsoft Office and Development platform updates require attention, they don’t require a rapid response and can be added to the regular testing regime and deployment cadence.
I’ve included a helpful infographic that this month looks a little lopsided (again) as all of the attention should be on the Windows and Office components.
Key testing scenarios
There are two updates to the Microsoft Windows platforms this month that look high-risk, including:
- A change to local printer driver handling (affected files include: localspl.dll and PrintFilterPipelineSvc.exe).
- A core update to the Windows system kernel (win32kbase.sys).
Both of these significant changes affect all supported Microsoft Windows desktop and server platforms. Working with Microsoft, we’ve developed a system that combs through Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process.
This month, our analysis of this Patch Tuesday release generated the following testing scenarios:
- Test your local (usually it's remote) printers. Test your existing installed printer drivers on an updated machine, but most importantly try to install a new printer driver (sorry, Kyocera). The concern here is that 32-bit systems are not correctly passing information to 64-bit drivers, causing a BSOD. Testing can be done with simple apps like Notepad, which is, of course, quite concerning when you think about it.
- Test your encrypted file system and RDS connections. There was a change to the FIPS cryptographic components that may require attention. You can read more about the FIPS-compliant encryption technology here.
Lower on the priority list, we suggest testing VPN connections, JPEG image file rendering, and streaming audio (to make sure it still functions as expected).
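As a concrete way to scope the printing tests above, here is an added PowerShell snapshot script (my example, not something from the column or from Microsoft). It records the file versions of the two binaries the column names (localspl.dll and PrintFilterPipelineSvc.exe) and the installed printer drivers grouped by environment, so a tester can run it before and after the update, diff the two files, and see which 32-bit or 64-bit driver combinations actually changed. It assumes the binaries live under System32 and that the PrintManagement module (Get-PrinterDriver) is present.

```powershell
# Added example (not from the original column). Snapshot the print-subsystem
# binaries the column names and the installed printer-driver environments so a
# tester can compare a machine before and after the March update.
# Assumes: binaries are under %SystemRoot%\System32 and Get-PrinterDriver
# (PrintManagement module) is available.

$files = @(
    "$env:SystemRoot\System32\localspl.dll",
    "$env:SystemRoot\System32\PrintFilterPipelineSvc.exe"
)

# Hypothetical helper: file version and last-write time of each binary.
function Get-PrintBinaryInfo {
    foreach ($path in $files) {
        if (Test-Path $path) {
            $item = Get-Item $path
            [pscustomobject]@{
                File    = $item.Name
                Version = $item.VersionInfo.FileVersion
                Written = $item.LastWriteTimeUtc
            }
        } else {
            [pscustomobject]@{ File = (Split-Path $path -Leaf); Version = 'missing'; Written = $null }
        }
    }
}

# Hypothetical helper: driver inventory grouped by environment. A 32-bit
# client paired with 64-bit drivers is the combination the column flags for
# BSOD testing, so the environment column tells you where to focus.
function Get-PrinterDriverSummary {
    Get-PrinterDriver |
        Group-Object PrinterEnvironment |
        ForEach-Object {
            [pscustomobject]@{
                Environment = $_.Name
                Drivers     = $_.Count
                Examples    = (($_.Group | Select-Object -First 3 -ExpandProperty Name) -join '; ')
            }
        }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$out   = Join-Path $env:TEMP "print-snapshot-$stamp.json"

[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Is64Bit  = [Environment]::Is64BitOperatingSystem
    Binaries = @(Get-PrintBinaryInfo)
    Drivers  = @(Get-PrinterDriverSummary)
} | ConvertTo-Json -Depth 4 | Set-Content -Path $out

Write-Host "Snapshot written to $out. Run again after patching and diff the two files."
```

Run it once on a representative 32-bit client and once on a 64-bit print server before deployment; after the update, a changed version on localspl.dll or PrintFilterPipelineSvc.exe tells you the delta landed, and the driver summary tells you which environments still need the "install a new driver, then print from Notepad" check.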
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the latest builds from Microsoft including:
- Windows 10 2004: System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. Devices will only be affected if they have already installed any Latest Cumulative Update (LCU) released on Sept. 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source that does not have an LCU released Oct. 13, 2020 or later integrated.
- Windows Server 2016: After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters. Microsoft has published a workaround: “Set the domain default ‘Minimum Password Length’ policy to less than or equal to 14 characters.”
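For the Server 2016 cluster issue, the two facts you need before touching anything are whether KB4467684 is on the node and what the domain's default minimum password length actually is. The following is an added check script (mine, not Microsoft's); it assumes the ActiveDirectory RSAT module is installed so that Get-ADDefaultDomainPasswordPolicy is available, and that the cluster service is registered as ClusSvc.

```powershell
# Added example (not from the original column). On a Windows Server 2016
# cluster node, report whether KB4467684 is installed and whether the domain
# default "Minimum Password Length" exceeds 14, the combination behind the
# 2245 (NERR_PasswordTooShort) cluster-service failure.
# Assumes: ActiveDirectory module (Get-ADDefaultDomainPasswordPolicy) and a
# cluster service named ClusSvc.

$kb        = 'KB4467684'   # value taken from the known-issue text
$threshold = 14            # characters; above this the cluster service may not start

$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

try {
    $policy = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    $minLen = [int]$policy.MinPasswordLength
} catch {
    Write-Warning "Could not read the domain default password policy: $($_.Exception.Message)"
    return
}

$cluster = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
$atRisk  = $installed -and ($minLen -gt $threshold)

[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    KBInstalled         = $installed
    MinPasswordLength   = $minLen
    ClusterServiceState = if ($cluster) { [string]$cluster.Status } else { 'not present' }
    AtRisk              = $atRisk
} | Format-List

if ($atRisk) {
    Write-Warning ("Minimum Password Length is $minLen (> $threshold) with $kb installed. " +
                   "Microsoft's workaround is to set the domain default policy to $threshold " +
                   "or fewer characters. That lowers the whole domain's password baseline, " +
                   "so a fine-grained password policy for the cluster accounts, or holding " +
                   "the update on cluster nodes, may be the better trade-off.")
}
```

The script only reads state and prints a warning; the actual policy change is a deliberate decision for the directory team, because the workaround weakens every account that inherits the default domain policy, not just the cluster's.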
You can also find Microsoft’s summary of Known Issues for this release in a single page.
There were a number of mid-month updates and revisions to documentation and published information for several CVE releases, including: CVE-2021-24094 and CVE-2021-24086 (both addressing a common Windows TCP/IP Remote Code Execution Vulnerability). These revisions only included minor documentation updates to the CVE entries — no further action is required.
Mitigations and workarounds
Very much like the mid-month revisions posted during February from Microsoft, there is a short list of updates with mitigation or published work-arounds:
- CVE-2021-24094, CVE-2021-24074, and CVE-2021-24086: These updates have a published workaround, which is to run the following command on a target system: “Netsh int ipv6 set global reassemblylimit=0”. The March revisions are for documentation reasons only and should not affect the technical components involved.
If you dealt with these suggested actions in February, no further action is required for this month’s release.
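If you applied the reassemblylimit=0 workaround in February, it is worth confirming which hosts still carry it, because setting the limit to 0 turns off IPv6 fragment reassembly entirely, and any fragmented IPv6 traffic those hosts receive is dropped. The following added PowerShell check (my example, not Microsoft's guidance) reads the current limit back from the same netsh command family the workaround uses. It assumes the English-language output of "netsh interface ipv6 show global" contains a "Reassembly Limit" line; adjust the regex for other locales.

```powershell
# Added example (not from the original column). Report whether the February
# workaround for the TCP/IP fragmentation CVEs (reassemblylimit=0) is still in
# force on this host, and which adapters have IPv6 bound.
# Assumes: English netsh output with a "Reassembly Limit : <n>" line, and the
# NetAdapter module (Get-NetAdapterBinding).

# Hypothetical helper: parse the current IPv6 reassembly limit from netsh.
function Get-Ipv6ReassemblyLimit {
    $text  = (netsh interface ipv6 show global 2>&1) | Out-String
    $match = [regex]::Match($text, 'Reassembly Limit\s*:\s*(\d+)')
    if (-not $match.Success) {
        throw 'Could not find a "Reassembly Limit" line in netsh output (locale or OS version?)'
    }
    [int64]$match.Groups[1].Value
}

$limit = Get-Ipv6ReassemblyLimit

# Adapters with the IPv6 stack bound; the workaround only matters where IPv6 is live.
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
         Where-Object { $_.Enabled } |
         Select-Object -ExpandProperty Name

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    ReassemblyLimit   = $limit
    WorkaroundInPlace = ($limit -eq 0)
    Ipv6BoundAdapters = (@($bound) -join ', ')
} | Format-List

if ($limit -eq 0) {
    Write-Host ('Reassembly is disabled: fragmented IPv6 packets are dropped on this host. ' +
                'Once the February/March cumulative update is confirmed installed, review ' +
                'whether the workaround should stay, since it is a functional restriction ' +
                'rather than a fix.')
} else {
    Write-Host "Reassembly limit is $limit (workaround not applied)."
}
```

Run it through your normal fleet tooling and collect the WorkaroundInPlace column; a host reporting 0 with the cumulative update already installed is a candidate to revisit, while a host reporting a non-zero limit without the update is the one that still needs the patch.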
This month is the first where Microsoft has started differentiating the open-source Chromium updates from standard browser patches in update release documentation. With only a single (important) update to Microsoft Internet Explorer (CVE-2021-27085), the vast majority of updates this month (33) are attached to the Chromium project. Because Microsoft Edge is not as tightly integrated into the desktop (and, to a much lesser degree, server platforms), we don't see as many upgrade or peer-level compatibility issues when updating its binaries.
Microsoft Edge is pretty much designed to be upgraded or updated without causing integration issues. Given the other low impact updates to Internet Explorer, we suggest that you add these updates to your standard update schedule.
Unusually, we find that the Windows updates for this month are not the center of attention. This is still a big update to the Windows ecosystem, with a publicly reported exploit (CVE-2021-27077) in the GDI graphics subsystem, six updates rated as critical and the remaining 45 patches rated as important. We also see a lot of “areas” covered, including core kernel and GDI components that have historically caused compatibility issues.
Here’s a short list of the critical updates and the features affected:
- CVE-2021-26867 Hyper-V
- CVE-2021-26876 Microsoft Graphics Component
- CVE-2021-26897 DNS Server
- CVE-2021-26902, CVE-2021-27061, CVE-2021-24089 Microsoft Windows Codecs Library
I recommend that you look at the following CVEs (all rated as important by Microsoft) for potential app compatibility and/or integration issues:
- CVE-2021-1729, CVE-2021-26866, CVE-2021-26889 – Windows Update Stack
- CVE-2021-27077, CVE-2021-26861, CVE-2021-26863, CVE-2021-26868, CVE-2021-26875 – Microsoft GDI
Some (potential) troublemakers include CVE-2021-1640 and CVE-2021-26878, both of which update the printing subsystem. Add this month’s Windows Patch Tuesday updates to your “Test before Deploy” update release schedule.
Microsoft has released 11 updates, all rated important, to the Microsoft Office and SharePoint platforms, covering the following application or feature groupings: SharePoint, Excel, Visio, and PowerPoint.
All 11 of these reported Microsoft Office vulnerabilities require local access and user interaction (no worms this month). Usually, the Excel security issues are a concern, but not this month. And if it weren’t for the Exchange issues this month, I would say these updates could be added to your standard Office update schedule without much concern. However, we have (now) four very serious Microsoft Exchange issues that require immediate attention for all locally installed Exchange Servers (CVE-2021-2685, CVE-2021-27065, CVE-2021-26857, and CVE-2021-26858).
Microsoft has been updating these four super-urgent-critical issues throughout the week, each change adding to the potential scope of concern. I think the advice from CISA to “patch or unplug your servers from the internet” probably says enough about these serious reported vulnerabilities in locally installed, on-premises Microsoft Exchange Servers. Office 365, anyone?
Patch your Exchange Servers before your morning cup of tea, and then add the remaining Office updates to your regular update schedule.
Microsoft Development Platforms
Microsoft has released six updates to the Microsoft development platforms, one rated critical and the remaining five rated important. The single critical update relates to the local Git components for Visual Studio, and all the remaining important updates pertain to Visual Studio as well. We walked through each of these updates; the integration impact is marginal and, without a compelling event to drive a rapid response, we suggest you add these to your regular update schedule.
Adobe Flash Player
Will this be the last we hear from Flash? I have said so before, and have been (sadly) corrected. Nothing to report from Microsoft for March. Let’s see if we can retire this section in April.