Microsoft on Tuesday released a tightly focused but still significant update that addresses 68 reported (some publicly) vulnerabilities. Unfortunately, this month brings a new record: six zero-day flaws affecting Windows. As a result, we have added both the Windows and Exchange Server updates to our “Patch Now” schedule. Microsoft also published a “defense in depth” advisory (ADV220003) to help secure Office deployments. And there are a small number of Visual Studio, Word, and Excel updates to add to your standard patch release schedule.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. There are two major reported issues with Windows 11 — both related to deploying and updating Windows 22H2 machines:
- Users updating to Windows 22H2 and the update or the Out of Box Experience may not complete successfully. Provisioning packages applied during initial setup are most likely to be affected. For more information, see Provisioning packages for Windows.
- Network transfers of large (multi-gigabyte) files might take longer than expected to finish on the latest version of Windows 11. You are more likely to experience this issue copying files to Windows 11 22H2 from a network share via Server Message Block (SMB), but local file copy might also be affected.
In addition to these issues, Microsoft SharePoint Server has experienced two issues with the November and September updates:
- Web Part Pages Web Service methods may be affected by the September 2022 security update. For more information, see KB5017733.
- Some SharePoint 2010 workflow scenarios may be blocked. For more information, see KB5017760.
Technically speaking, Microsoft published eight revisions this month, all for the Chromium Edge browser. In practice, these “revisions” were standard updates to the Microsoft Edge browser and have been included in our Browser section. No other revisions to previous patches or updates were released this month.
Mitigations and workarounds
A single work-around has been published for the November Patch Tuesday:
- CVE-2022-37976: Active Directory Certificate Services Elevation of Privilege Vulnerability. A system is vulnerable only if both the Active Directory Certificate Services role and the Active Directory Domain Services role are installed on a server in the network. Setting LegacyAuthenticationLevel – Win32 apps | Microsoft Docs to 5= RPC_C_AUTHN_LEVEL_PKT_INTEGRITY might protect most processes on the machine against this attack. For more information see the following section on Setting System-Wide Security Using DCOMCNFG.
No other mitigations or workarounds for Microsoft platforms were released.
Each month, the Readiness team analyzes the patches applied to Windows, Microsoft Office, and related technology/development platforms. We look at each update, the individual changes and the potential impact on enterprise environments. These testing scenarios offer some structured guidance on how to best deploy Windows updates to your environment.
High Risk: This month, Microsoft did not report any high-risk functionality changes, meaning it has not updated nor made major changes to core APIs, functionality or any of the core components or applications included in the Windows desktop and server ecosystems.
More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:
- Hyper-V Update: a simple test of starting and stopping VMs and isolated containers will suffice for this minor update.
- Microsoft PPTP VPN: exercise your typical VPN scenarios (connect/disconnect/restart) and try to simulate a disruption. Contrary to previous recommendations, no extended trials are required.
- Microsoft Photo App: ensure that your RAW image extensions work as expected.
- Microsoft ReFS and ExFat: a typical CRUD test (Create/Rename/Update/Delete) will suffice this month.
There were several updates to how group policies are implemented on Windows platforms this month. We suggest spending some time ensuring that the following features are working:
- GPO policy creation/deployment and deletion.
- Editing GPO policies, with a validation check to see whether these updated policies have been applied to the entire OU.
- Ensure that all symbolic links are working as expected (redirects to user data).
And, with all testing regimes required when making changes to Microsoft GPOs, remember to use the “gpupdate /force” command to ensure that all changes have been committed to the target system.
Who uses the Windows Overlay Filter Feature?
System engineers, that’s who. If you have had to build client machines for large automated enterprise deployments you may have to work with the Windows Overlay Filter (WoF) driver for WIM boot files. WoF allows for significantly better compression ratios of installation files and was introduced in Windows 8. If you are in the middle of a large client-side deployment effort this month, ensure that your WIM files are still accessible after the November update. If you’re looking for more information on this key Windows deployment feature, check out this blog post on WoF data compression.
Unless otherwise specified, we should assume that each Patch Tuesday update will require testing of core printing functions including:
- printing from directly connected printers;
- large print jobs from servers (especially if they are also domain controllers);
- remote printing (using RDP and VPN).
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Including last week’s mid-cycle update to Microsoft Edge (Chromium) there are 10 updates to the Chromium core and eight patches to Edge, for a total of 18 changes. For the 10 Chrome updates, you can refer to the Chrome Security page for more details. You can find links to all of the Microsoft updates here: CVE-2022-3652, CVE-2022-3653, CVE-2022-3654, CVE-2022-3655, CVE-2022-3656, CVE-2022-3657, CVE-2022-3660, CVE-2022-3661. All 18 updates are low-profile, low-impact updates to the browser stack and can be added to your standard desktop update schedule.
There’s good and bad news this month for Windows. The bad news is we have six Windows zero-days with both publicly reported vulnerabilities and reported exploits in the wild. The good news is that only one of the vulnerabilities (which is incredible) is rated critical by Microsoft. This month’s update covers the following Windows features:
- Windows Scripting (the Windows scripting host or object);
- Networking (particularly how HTTPS is handled);
- Windows Printing (the print spooler, again);
- ODBC (the least of our worries this month).
We are seeing some reports of problems this month with Kerberos. In response, Microsoft has provided two Knowledge Base articles on how to handle the November changes:
- How to manage Kerberos protocol changes related to CVE-2022-37967.
- How to manage the Netlogon protocol changes related to CVE-2022-38023.
Given the nature of these reported zero-days, and accounting for the relatively narrow change profile this month, we recommend immediate patching for all Windows systems. Add these Windows updates to your “Patch Now” schedule — and this time we really mean it.
Microsoft released eight updates to the Office platform, affecting Word, Excel and SharePoint server. There were no critical updates this month (no preview pane vulnerabilities), with each patch rated important by Microsoft. In addition, Microsoft released a “Defense in Depth” advisory (ADV220003) for Office. These Microsoft advisories cover the following enhanced protection features:
- Anti-phishing policies.
- Enhanced filtering for connectors in Exchange Online.
- Priority account protection.
- Trusted ARC.
These features are worth further examination; you can read more about these and other preventative security measures here. Add these low-impact Microsoft Office updates to your standard release schedule.
Microsoft Exchange Server
Unfortunately, we have Microsoft Exchange Server updates back on the roster this month. Microsoft released four updates; one (CVE-2022-41080) was rated as critical and the other three as important. The critical elevation of privilege vulnerability in Exchange has a rating of CVSS 8.8 and though we don’t see reported exploits, this is a serious low-complexity network accessible issue. Exchange administrators need to patch their servers this weekend. Add this to your “Patch Now” release schedule.
Microsoft development platforms
Microsoft released four updates, all rated important, to its Visual Studio platform. Both the Visual Studio and Sysmon tools are low profile, non-urgent updates to discrete Microsoft developer tools. Add these to your regular developer patch schedule.
Adobe (really, just Reader)
No updates from Adobe for November. Given the number of patches released last month, this is no surprise. We may see another big update from Adobe in December, given its normal update/release cadence.