Microsoft’s August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it’s back!) and Visual Studio — and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment.
The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it’s time to pay attention to Microsoft updates again. We have made “Patch Now” recommendations for Windows, Exchange and Adobe for this month.
Key testing scenarios
Given the large number of changes included in this August patch cycle, I have broken down the testing scenarios into high risk and standard risk groups:
High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans:
- Service Stack Update: There is a significant change to the Microsoft Servicing Stack (SSU). I have written a brief explainer that details some of the ways that Microsoft “updates the update process” and how its servicing stack has moved to a singular, combined update each Patch Tuesday. The changes included for August will require reboot testing to collect/collate and then parse event viewer logs. Microsoft provided a handy reference to Windows Boot Manager event viewer files found in KB5016061.
- Web Printing: Though there do not appear to be any functional changes, Microsoft has updated how web documents (HTML and JPEG) are printed. Basic print testing is required here. It doesn’t look like this update will take down any servers, printer server or otherwise.
The following updates are not documented as functional changes, but still require a full test cycle:
- Microsoft FAX: Like printing, we now have to test enterprise FAX services with each Patch Tuesday update. This month’s update is actually pretty cool; it addresses a vulnerability in junctions, which I have not used since the early 2000’s. Here’s a hint: avoid FAX drivers, and don’t use junctions. They were a cool way to address directory redirect requirements through the registry — and are definitely not needed in a modern desktop.
- DirectComposition: This Windows component allows for rapid bitmapping and animations. There was an API update this month that will require testing for internally developed applications. I can’t share the exact API changes, but I suggest you scan your applications (and subsequently test) for any references for IDCompositionDevice3.
- Microsoft Office Updates: We recommend a general “smoke” test for all updated Microsoft Office products this month. Specifically for Outlook, we recommend testing with a Gmail account and then switching to a Microsoft account; test sending invites between accounts. This applies to all supported versions of Microsoft Office.
Given the changes to the SSU, Windows Boot Manager and updates to the Windows kernel (WIN32KY.SYS) this month, it may be worth having a look at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF). You will have to know C++ or C# and you will need the Windows Driver kit (WDK). Noting that for each of these testing scenarios, a manual shut-down, reboot and restart is suggested, with a focus on Boot Manager entries in the event viewer logs.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. This month, there are some really complex changes:
- The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading on systems with the Unified Extensible Firmware Interface (UEFI). The KB5012170 update adds modules to the DBX in an attempt to address a vulnerability that exists in the secure boot loader process. Unfortunately, if BitLocker is enabled with the PCR7 binding, this update may fail. To resolve this issue, use the following command: “Manage-bde –Protectors –Disable C: -RebootCount 1.” Then deploy the update and reboot.
- After installing KB4493509, devices with some Asian language packs installed may receive the error “0x800f0982 -PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. PSFX is a differential compression mode used in reducing the size of Microsoft updates. Microsoft has probably published the most interesting update and deployment and packaging article ever to be included in the middle of a long technical article related to packaging and updates. Given that this issue relates to how Windows installs feature-level components, Microsoft recommends reinstalling any language packs. This usually solves the problem — though it is not an official fix.
- After installing this month’s update on Windows 10 builds, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. Microsoft is still working on an official fix.
And for the latest release of Windows 11, it looks as if this month’s update may lead to the utility XPS Viewer behaving badly (using increasing processor and memory resources) before closing unexpectedly (i.e. badly). A reboot will solve the issue until Microsoft posts a fix.
Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months:
- CVE-2022-26832: NET Framework Denial of Service Vulnerability. This is the fourth update to this .NET security fix. First released in April, all subsequent revisions have related to updating the products that are affected by this patch. It appears that all versions of Windows 10, Windows Server 2016 and with this latest revision, Windows 8 and Server 2012, are affected. If you’re using Windows update (or even Autopatch), no further action is required.
- CVE-2022-30130: .NET Framework Denial of Service Vulnerability. This revision to May’s update now includes coverage for Windows 8 and Server 2012. This is only an informational update — no further action required.
- ADV200011: Microsoft Guidance for Addressing Security Feature Bypass in GRUB. This revision relates to the Linux sub-system boot loader in Windows. For more information refer to KB5012170 and the very informative blog post, “There is a hole in the boot.”
Mitigations and workarounds
- CVE-2022-34715: Windows Network File System Remote Code Execution Vulnerability. Microsoft has offered a set of PowerShell mitigation commands to reduce the severity of an attack by disabling NFSV4.1 :”PS C:\Set-NfsServerConfiguration -EnableNFSV4 $false.” Running this command will require a reboot of the target system. Microsoft recommends patching these systems as soon as possible, even with NFSV4.1 disabled.
- CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability. Microsoft advises that this vulnerability is applicable if you are, in fact, actually running Active Directory Certificate Services. If you are, you must deploy the Microsoft May 10 update immediately and enable Audit events. Take your time planning and deploying this patch as it may put your server into a special compatibility mode. You can read more here KB5014754. You have until May 9, 2023 before Microsoft closes this loophole.
Probably the most important workaround this month relates to Microsoft Outlook crashing and locking up immediately after start-up. Microsoft explains, “When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding,” Microsoft is currently working on the issue and we expect an update soon. Microsoft offered the following workarounds:
- Sign in and out Office.
- Disable support diagnostics in Outlook with the following registry keys: software\policies\microsoft\office\16.0\outlook\options\general\disablesupportdiagnostics, Disabled value =0
- Manually set the email address to the identity of the user that is seeing the issue in the registry path.
You can find out more about Microsoft Diagnostic settings here. This is a little embarrassing for Microsoft as this is another significant Office issue following the recent Uber receipt crashing issue.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- And Adobe (retired???, maybe next year).
Microsoft released three updates to its Edge browser (CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796). Following a trend, none of these are rated as critical. There were also 17 updates to the Chromium project. Google has published all these changes in its update log. For further information, refer to the Chromium security update page. Along with these security fixes, there were a few new features in the latest stable release (103) which can be found here. Add these low-profile updates to your standard patch release schedule.
Microsoft addressed 13 critical issues and 43 issues rated important this month. This is fairly broad update that covers the following key Windows features:
- Windows Point-to-Point Tunneling Protocol including RAS;
- Kernel Updates (Win32K.SYS);
- Windows Secure Socket Tunneling Protocol (SSTP);
- Windows Print Spooler Components.
In addition to this large update, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability) has been reported as both publicly disclosed and exploited in the wild, making this a serious Windows zero-day. This serious Windows security flaw is a path traversal flaw that attackers can exploit to copy an executable to the Windows Startup folder when a user opens a specially-crafted file through an email client or downloaded from the web. In lighter news, you can find the latest Windows 11 update video here. Add these critical Windows updates to your “Patch Now” release schedule.
Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month’s release cycle delivers only four updates, all rated important. Microsoft Excel, Outlook and a few core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.
Microsoft Exchange Server
Unfortunately we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to include self-extracting EXE’s. You will not find these latest updates in the Microsoft catalog, so I have included a list of updates available for the following specific builds of Exchange Server:
Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134) which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security related fixes immediately (italics added by Microsoft). To get the latest updates, you may also have to run the Exchange SetupAssist PowerShell script.
Your organization may already be comfortable with the new update format, but if you are in doubt about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me a while just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month’s updates to your “Patch Now” schedule, noting that all updates this month will require a server reboot.
Microsoft development platforms
Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically challenging blind “external entity” injection (XXE) attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited through a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.
Adobe (really just Reader)
Who would have thought it? We are back this August with three updates rated critical and four as important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month’s patch cycle. All seven reported vulnerabilities relate to memory leak issues and could lead to a remote code execution scenario (RCE), requiring immediate attention. Add these Adobe updates to your “Patch Now” schedule.