Another very broad series of updates across the Windows ecosystem for this April patch cycle. Four vulnerabilities affecting Windows were publicly disclosed before the release, and one, affecting the Windows kernel, has been reported as exploited in the wild. That puts this month's focus on the Windows updates, which get our highest "Patch Now" rating. If you manage Exchange servers, take care this month: the update must be installed from an elevated (administrator) session and needs extra steps to complete successfully.
Microsoft has also announced a new way to deploy updates to any device, wherever it is located, with the Windows Update for Business service. For more information on this cloud-based management service, you may want to check out this Microsoft video. As last month, we have included a helpful infographic, which again looks a little lopsided this month because all of the attention should be on the Windows and Exchange components.
Key testing scenarios
Due to the major update to the Disk Management utility this month (that we consider high-risk), we recommend testing partition formatting and partition extensions. This month’s update also includes changes to the following lower-risk Windows components:
- Check that TIFF, RAW and EMF files render correctly due to changes in the Windows codecs
- Test your VPN connections
- Test creating virtual machines (VMs) and applying snapshots
- Test creating and using VHD files
- Ensure that all applications that rely on the Microsoft Speech API function as expected
The Windows Servicing stack (including Windows Update and MSI Installer) was updated this month with CVE-2021-28437, and so larger deployments may want to include a test of install, update, self-heal and repair functionality within their application portfolio.
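As an added example (the editor's script, not code from the original post or from Microsoft), here is a PowerShell smoke test that exercises the scenarios listed above on a test machine after the update: partition format and extend on a scratch VHD, VHD create and mount, a Hyper-V VM with a checkpoint taken and applied, TIFF and EMF decoding through the Windows imaging stack, a dial of the first VPN profile, the Speech API, and a Windows Installer service start. It assumes an elevated session on a machine with the Hyper-V PowerShell module; the sample image paths are placeholders you point at files from your own corpus.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's script, not Microsoft's): post-update smoke test for the
# April "key testing scenarios". Assumes the Hyper-V PowerShell module is present
# and that $samples points at TIFF/EMF files of your own (placeholder paths below).
$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

function Test-Step {
    param([string]$Name, [scriptblock]$Action)
    try {
        $out = & $Action
        $results[$Name] = if ("$out" -like 'SKIP*') { "$out" } else { 'PASS' }
    } catch { $results[$Name] = "FAIL: $($_.Exception.Message)" }
}

# 1. Disk Management / VHD: create and mount a scratch VHDX, initialise it, create a
#    1 GB partition, format it, then extend it into the remaining unallocated space.
$vhdPath = Join-Path $env:TEMP 'smoketest.vhdx'
Test-Step 'VHD create, format and extend partition' {
    if (Test-Path $vhdPath) { Remove-Item $vhdPath -Force }
    New-VHD -Path $vhdPath -SizeBytes 2GB -Dynamic | Out-Null
    try {
        $disk = Mount-VHD -Path $vhdPath -PassThru | Get-Disk
        Initialize-Disk -Number $disk.Number -PartitionStyle GPT
        $part = New-Partition -DiskNumber $disk.Number -Size 1GB -AssignDriveLetter
        Format-Volume -Partition $part -FileSystem NTFS -Confirm:$false | Out-Null
        $max = (Get-PartitionSupportedSize -DiskNumber $disk.Number `
                   -PartitionNumber $part.PartitionNumber).SizeMax
        Resize-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -Size $max
        $grown = Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber
        if ($grown.Size -le 1GB) { throw "partition did not extend (size $($grown.Size) bytes)" }
    } finally { Dismount-VHD -Path $vhdPath -ErrorAction SilentlyContinue }
}

# 2. Hyper-V: create a throwaway VM, take a checkpoint, apply it, then clean up.
Test-Step 'Create VM, take and apply checkpoint' {
    $vmName = 'SmokeTest-VM'
    if (Get-VM -Name $vmName -ErrorAction SilentlyContinue) { Remove-VM -Name $vmName -Force }
    New-VM -Name $vmName -MemoryStartupBytes 512MB -Generation 2 -NoVHD | Out-Null
    try {
        Checkpoint-VM -Name $vmName -SnapshotName 'smoke'
        if (-not (Get-VMSnapshot -VMName $vmName -Name 'smoke')) { throw 'checkpoint missing' }
        Restore-VMSnapshot -VMName $vmName -Name 'smoke' -Confirm:$false
    } finally { Remove-VM -Name $vmName -Force }
}

# 3. Windows codecs: decode TIFF and EMF samples with GDI+ (System.Drawing, which sits
#    on the Windows imaging stack) and force a full render by drawing to a bitmap.
Add-Type -AssemblyName System.Drawing
$samples = "$env:USERPROFILE\Samples\test.tif", "$env:USERPROFILE\Samples\test.emf"  # placeholders
foreach ($sample in $samples) {
    Test-Step "Render $(Split-Path $sample -Leaf)" {
        $img = [System.Drawing.Image]::FromFile($sample)
        try {
            $bmp = New-Object System.Drawing.Bitmap $img.Width, $img.Height
            $gfx = [System.Drawing.Graphics]::FromImage($bmp)
            $gfx.DrawImage($img, 0, 0, $img.Width, $img.Height)
        } finally { $img.Dispose() }
    }
}

# 4. VPN: dial the first configured profile with rasdial (credentials must be saved
#    on the profile) and hang up again. Skipped when no profile exists.
Test-Step 'VPN connect/disconnect' {
    $vpn = Get-VpnConnection -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $vpn) { return 'SKIP: no VPN profile on this machine' }
    rasdial "$($vpn.Name)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "rasdial exited with $LASTEXITCODE" }
    rasdial "$($vpn.Name)" /disconnect | Out-Null
}

# 5. Microsoft Speech API: instantiate the SAPI voice COM object and synthesise a
#    short phrase; a broken SAPI registration throws here.
Test-Step 'Speech API (SAPI.SpVoice)' {
    $voice = New-Object -ComObject SAPI.SpVoice
    $voice.Speak('Patch validation complete') | Out-Null
}

# 6. Windows Installer: the service must start cleanly after a servicing stack update.
Test-Step 'Windows Installer service starts' {
    Start-Service -Name msiserver
    if ((Get-Service -Name msiserver).Status -ne 'Running') { throw 'msiserver not running' }
}

$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

Run it before and after the update on the same test image and diff the two result tables; a step that flips from PASS to FAIL is what you escalate, not a step that was already failing on the old build.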
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft including:
- When using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. In addition, after installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” Microsoft is working on a resolution and will provide an update in an upcoming release.
- Devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. If you need to broadly deploy the new Microsoft Edge for business, see Download and deploy Microsoft Edge for business.
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
You can also find Microsoft’s summary of Known Issues for this release in a single page here.
For this April update release cycle, Microsoft has published a single major revision:
- CVE-2020-17049 – Kerberos KDC Security Feature Bypass Vulnerability: Microsoft is releasing security updates for the second deployment phase for this vulnerability. Microsoft has published an article (KB4598347) on how to manage these additional changes to your domain controllers.
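Because the Kerberos change is rolled out in phases, the thing to check before deploying this revision is that every domain controller is at the same phase. As an added example (the editor's script, not Microsoft's or the author's), the PowerShell below reads the PerformTicketSignature registry value that KB4598347 documents from each DC and flags disagreement. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the mode labels are how that article describes values 0, 1 and 2 at the time of writing.

```powershell
# Added example (editor's script, not Microsoft's): report the CVE-2020-17049
# Kerberos ticket-signature setting on every domain controller so the deployment
# phase is consistent across the domain. Assumes the ActiveDirectory module (RSAT)
# and WinRM access to the DCs. The registry value is the one KB4598347 documents.
Import-Module ActiveDirectory

# Meaning of the PerformTicketSignature values as KB4598347 describes them.
$modes = @{ 0 = 'Disabled (no ticket signatures)'; 1 = 'Deployment mode'; 2 = 'Enforcement mode' }

$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $kdc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $pts = (Get-ItemProperty -Path $kdc -Name PerformTicketSignature -ErrorAction SilentlyContinue).PerformTicketSignature
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        Build = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR
        PerformTicketSignature = $pts      # $null when the value has never been set
    }
} | Sort-Object DC

foreach ($r in $report) {
    $mode = if ($null -eq $r.PerformTicketSignature) { 'not set (the installed update''s default applies)' }
            elseif ($modes.ContainsKey([int]$r.PerformTicketSignature)) { $modes[[int]$r.PerformTicketSignature] }
            else { 'unexpected value' }
    '{0,-25} build {1,-12} PerformTicketSignature={2,-8} {3}' -f $r.DC, $r.Build, $r.PerformTicketSignature, $mode
}

# Mixed settings are the thing to catch: a DC in enforcement mode rejects tickets
# issued by a DC that is not adding signatures. Also flag any DC still disabled.
$distinct = @($report | ForEach-Object { "$($_.PerformTicketSignature)" } | Sort-Object -Unique)
if ($distinct.Count -gt 1) { Write-Warning "DCs disagree on PerformTicketSignature: $($distinct -join ', ')" }
$report | Where-Object PerformTicketSignature -eq 0 |
    ForEach-Object { Write-Warning "$($_.DC) has ticket signatures disabled (PerformTicketSignature=0)" }
```

A blank value in the PerformTicketSignature column is not an error; it means the DC is running whatever default the installed update applies, so compare it against the build column before assuming it matches the others.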
Mitigations and workarounds
At the time of writing it does not appear that Microsoft has published any mitigations or workarounds for this April release.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player (retiring)
For the past while (actually, it's been 10 years) we have reviewed the potential impact of changes to Microsoft browsers (Internet Explorer and Edge) because of the interdependent libraries on Windows systems, both desktop and server. Internet Explorer (IE) used to have direct (some would say too direct) integration with the OS, so any change to IE was a change to the OS that had to be managed (most painfully on servers). As of this month that is no longer the case: the Chromium-based browser is a separate code base and application, and Microsoft Edge (Legacy) will now be removed automatically and replaced with the Chromium-based Edge. You can read more about this update (and removal) process here. This is welcome news, as the constant recompiles of IE and the testing they demanded were a heavy burden for most IT administrators. It is also good to see the Chromium update cycle moving from six weeks to four, in step with Microsoft's monthly cadence. Given the nature of this month's changes to the Chromium browser, add this update to your standard patch release schedule.
This month Microsoft has worked to address 14 critical vulnerabilities in Windows and 68 remaining security issues rated as important by Microsoft. Two of the critical issues relate to Media Player while the remaining 12 relate to problems in the Windows Remote Procedure Call (RPC) function. We have broken down the remaining updates (including important and moderate ratings) into the following functional areas:
- Windows Secure Kernel Mode and Win32k
- Windows Event Tracing
- Windows Installer
- Microsoft Graphics Component
- Windows TCP/IP, DNS, SMB Server
For testing these functional groups, please refer to the testing recommendations detailed earlier. For the critical-rated patches: testing Windows Media Player is easy; testing RPC calls both within and between applications is quite another matter. To make matters worse, these RPC issues, though not wormable, are serious individually and dangerous as a group. As a result of these concerns, we recommend a "Patch Now" release schedule for this month's Windows updates.
As we assess the Office Updates for each monthly security release, the first questions I usually ask of Microsoft’s Office updates are:
- Are the vulnerabilities low complexity, remote access issues?
- Does the vulnerability lead to a remote code execution scenario?
- Is the Preview Pane a vector this time?
Fortunately, all four issues addressed by Microsoft this month are rated important and none of them lands in any of the three "worry bins" above. In addition to these security basics, I have the following questions for this April Office update:
- Are you running ActiveX Controls?
- Are you running Office 2007?
- Are you experiencing language related side effects after this month’s update?
If you are running ActiveX controls – please don’t. If you are running Office 2007, now is a really good time to move to something supported (like Office 365). And, if you are experiencing language issues, please refer to this support note (KB5003251) from Microsoft on how to reset your language settings post-update. The Office, Word and Excel updates are major updates to the code-base and will require a standard testing/release cycle. Given the lower urgency of these security vulnerabilities, we suggest that you add these Office updates to your standard release schedule.
Unfortunately, Microsoft Exchange has four critical-rated updates that need attention. It is not as urgent as last month, but we have given them a "Patch Now" rating. Some care is required when updating your servers this time: there have been a number of reported issues with these updates on servers with UAC enabled. If you manually install the security update by double-clicking the update file (.msp), it runs in normal mode (that is, not as an administrator) and some files are not updated correctly. Run the update from an elevated prompt, or your server may be left in a state between updates or, worse, in a disabled state. When this happens you get no error message or any other indication that the update did not install correctly; the first symptom may be that Outlook on the web (OWA) and the Exchange Control Panel (ECP) stop working. This month, a reboot will definitely be required for your Exchange servers.
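Here is the elevated install, with the post-install check that catches the silent failure described above, as an added example (the editor's script, not Microsoft's or the author's). Save it as a .ps1 and run it on the Exchange server from a PowerShell window started with "Run as administrator". The -Msp path is a placeholder for the .msp you downloaded for your Exchange version; the service names and the /owa and /ecp healthcheck.htm endpoints are the ones Exchange ships with.

```powershell
<#
Added example (editor's script, not Microsoft's): install an Exchange security
update from an elevated session and verify OWA/ECP afterwards. Run from a
PowerShell window started with "Run as administrator". -Msp is the path to the
.msp downloaded for your Exchange version (placeholder supplied by you).
#>
param(
    [Parameter(Mandatory)] [string]$Msp,
    [switch]$NoReboot
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to run without elevation: under UAC a plain double-click on the .msp
#    leaves some files un-updated and reports no error at all.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated. Start PowerShell with "Run as administrator" and run this script again.'
}
if (-not (Test-Path -LiteralPath $Msp)) { throw "Update file not found: $Msp" }

# 2. Apply the patch through msiexec rather than the shell. /update applies an .msp,
#    /passive shows progress without prompts, /norestart lets us reboot on our terms,
#    /l*v writes a verbose log for when something goes wrong.
$log = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$msiArgs = @('/update', "`"$Msp`"", '/passive', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'Update installed.' }
    3010    { 'Update installed; reboot required.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $log" }
}

# 3. Verify: core services back up (skipping any the server role does not have),
#    and the OWA/ECP health pages answering HTTP 200.
$services = 'MSExchangeServiceHost', 'MSExchangeTransport', 'MSExchangeIS', 'W3SVC'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    '{0,-25} {1}' -f $name, (Get-Service -Name $name).Status
}

# "localhost" will not match the server certificate; skip validation for this probe only.
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$healthy = $true
foreach ($url in 'https://localhost/owa/healthcheck.htm', 'https://localhost/ecp/healthcheck.htm') {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
        '{0,-45} HTTP {1}' -f $url, $resp.StatusCode
        if ($resp.StatusCode -ne 200) { $healthy = $false }
    } catch {
        '{0,-45} FAILED: {1}' -f $url, $_.Exception.Message
        $healthy = $false
    }
}
[Net.ServicePointManager]::ServerCertificateValidationCallback = $null

if (-not $healthy) {
    Write-Warning "OWA/ECP not answering. Check $log; the update may have been only partly applied."
}
if ($proc.ExitCode -eq 3010 -and -not $NoReboot) {
    'Rebooting in 60 seconds (use -NoReboot to skip).'
    shutdown.exe /r /t 60 /c "Exchange security update"
}
```

The elevation check at the top is the whole point: msiexec itself will not warn you, so the script refuses to proceed rather than leaving you to discover the problem when OWA goes dark.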
Microsoft Development Platforms
Microsoft has released 12 updates, all rated as important for this April update cycle. All of the addressed vulnerabilities this month have a high CVSS rating of 7 or above and cover the following Microsoft product areas:
- Visual Studio Code – Kubernetes Tools
- Visual Studio Code – GitHub Pull Requests and Issues Extension
- Visual Studio Code – Maven for Java Extension
Looking at these updates and how they have been implemented this month, I find it hard to see how there could be an impact beyond very minor changes to each application. Microsoft has not published critical testing or mitigation guidance for any of these updates, so we recommend a standard "Developer" release schedule for them.
Adobe Flash Player
I can’t believe it. No further word on Adobe updates. No crazy Flash vulnerabilities to hijack your schedule this month. So, in the words of my favourite news reader, No Gnus is good Gnus.
We will retire this section next month. We will break out the Office and Exchange updates into separate sections for easier readability.