Though we get a reprieve from Exchange updates in this month’s Patch Tuesday update, more printer updates are on the way. Even with no updates for Microsoft Exchange or Visual Studio, Adobe is back with 15 critical updates for Adobe Reader. And Microsoft’s new patch deployment tool Auto-Patch is now live. (I always thought application testing was the main problem here, but actually getting patches deployed is still tough.)
Though the numbers are still quite high (with 86+ reported vulnerabilities), the testing and deployment profile for July should be fairly moderate. We suggest taking the time to harden your Exchange Server defenses and mitigation processes, and invest in your testing processes.
You can find more information on the risk of deploying these Patch Tuesday updates in our helpful infographic.
Key Testing Scenarios
Given the large number of changes in this July patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups:
High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require creating new testing plans.
Core printing functionality has been updated:
- Install and test any new V4 print drivers on a local machine and print.
- Test new V4 printer connections using client and server and print.
- Test existing V4 printer connections.
- Ensure GDI rendering and printer drivers generate the expected output.
The core changes relate to how Microsoft supports timestamp checking for kernel drivers, so testing applications that require digitally signed binaries is key for this cycle. The big change here is that unsigned drivers should not load. This may cause some application issues or compatibility problems. We recommend a scan of the application portfolio, identifying all applications that depend upon drivers (both signed and unsigned), and generating a test plan that includes installation, application exercising, and uninstall. Having a comparison between pre- and post-patch machines would be helpful, too.
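The driver scan recommended above can be scripted. The following is an added example, not code from the article or from Microsoft: it groups installed print drivers by major version (so remaining V3 drivers are visible) and then checks the Authenticode status and timestamp of every kernel-mode driver binary the system knows about, which is the inventory you want before comparing pre- and post-patch machines. It assumes the PrintManagement module is present, that the script runs elevated, and that the output path is just an illustration.

```powershell
# Added example (not from the article): inventory print drivers by version and
# check the signature and timestamp status of kernel-mode driver binaries.
# Assumes the PrintManagement module (Get-PrinterDriver) is available and the
# session has rights to read driver files. Output path is illustrative.

# 1. Print drivers grouped by MajorVersion (3 = legacy, 4 = V4). The July update
#    touches core printing, so remaining V3 drivers belong in the test plan.
$printDrivers = Get-PrinterDriver | Select-Object Name, MajorVersion, PrinterEnvironment, Manufacturer
$printDrivers | Group-Object MajorVersion | ForEach-Object {
    "{0} print driver(s) with MajorVersion {1}" -f $_.Count, $_.Name
}
$printDrivers | Where-Object MajorVersion -lt 4 | Format-Table -AutoSize

# 2. Kernel-mode drivers: normalise the NT-style path reported by WMI.
function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32', "$env:SystemRoot\system32"
    return $p
}

# Get-AuthenticodeSignature also consults catalog files, so inbox drivers that
# are catalog-signed still report Status = Valid on supported Windows versions.
$report = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not (Test-Path -LiteralPath $path)) { return }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Driver      = $_.Name
        State       = $_.State
        StartMode   = $_.StartMode
        Path        = $path
        SigStatus   = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# Drivers that are not validly signed, or signed without a timestamp, are the
# ones to exercise first on a patched test machine.
$report | Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.Timestamped } |
    Sort-Object SigStatus, Driver | Format-Table -AutoSize

# Keep the full list so the same machine can be diffed after patching.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-signature-report.csv"
```

Run it once before the update and once after, then diff the two CSV files; a driver that moves from State = Running to Stopped between the two runs is the compatibility problem the text warns about.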
The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
- Test scenarios that utilize Windows DevicePicker. Almost impossible to test — as most applications use this common class. If your internally-developed applications pass their basic smoke test, you’re fine.
- Test your line of business applications that reference the Microsoft mobile CDP APIs. If you have internally developed desktop applications that communicate with mobile devices, a communications check may be required.
- Test connections to the rasl2tp server. This means finding and testing applications that have a dependency on the RAS miniport driver over remote or VPN connections.
And curl. Specifically, curl.exe, the command-line tool for transferring files over HTTP and other protocols (hence “client URL”), has been updated this month. Curl for Windows (the one that is being updated this month) is different from the open source project curl. If you are confused why the curl project team offers this, here’s the answer:
“The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them. You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.”
With that said, we recommend teams that use the curl command (sourced from the Windows supported branch) give their scripts a quick test run. Microsoft has published a testing scenario matrix that this month includes:
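Before giving curl-based scripts that test run, it helps to confirm which curl they actually invoke. The following is an added example, not code from the article or the curl project: in Windows PowerShell 5.1 the bare word curl is an alias for Invoke-WebRequest, so only curl.exe reaches the Microsoft-built binary this update replaces. The script shows how the name resolves, records the version and feature line of the Windows build, and runs a header-only request against a placeholder URL you would replace with an internal endpoint your scripts already use.

```powershell
# Added example (not from the article): confirm which "curl" a script resolves
# to on this host, record the Windows build's version and features, and run a
# minimal request in the same way a script would. The URL is a placeholder.

# In Windows PowerShell 5.1 "curl" resolves to the Invoke-WebRequest alias;
# "curl.exe" resolves to the Microsoft-built binary updated this month.
Get-Command curl, curl.exe -ErrorAction SilentlyContinue |
    Select-Object Name, CommandType, Source | Format-Table -AutoSize

# First banner line is "curl <version> (<platform>) ..."; capture the version.
$banner = & curl.exe --version 2>$null
if (-not $banner) { throw "curl.exe not found on PATH" }
$version = ($banner[0] -split ' ')[1]
Write-Output "Windows curl.exe version: $version"

# The feature set of the Microsoft build differs from the curl project's own
# Windows builds, so record it next to the version for later comparison.
$banner | Where-Object { $_ -like 'Features:*' } | Write-Output

# Smoke test shaped like typical script usage: header-only, fail on HTTP
# errors, and surface the exit code instead of swallowing it.
$probeUrl = 'https://intranet.example/health'   # placeholder, replace with your own endpoint
& curl.exe --silent --show-error --fail --head $probeUrl --output NUL
if ($LASTEXITCODE -ne 0) {
    Write-Warning "curl.exe smoke test against $probeUrl failed with exit code $LASTEXITCODE"
}
```

Capture the version and feature lines on a machine before and after the update; a script that suddenly fails after the update but passes with the same command line on an unpatched host is the case worth reporting.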
- Use physical machines and virtual machines.
- Use BIOS-based machines and UEFI-enabled machines.
- Use x86, ARM, ARM64, and AMD64 machines.
Note: for each of these testing scenarios, a manual shut-down, reboot and restart is suggested.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. For July, there are some complex changes to consider:
- Devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.
- After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, “PSFX_E_MATCHING_BINARY_MISSING.” For more information and a workaround, see KB5005322.
- After installing this update, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. This issue is resolved using Known Issue Rollback (KIR) with the following group policy downloads: Download for Windows 10, version 20H2 and Windows 10, version 21H1.
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
This month, Microsoft has not formally published any major revisions or updates to previous patches. There was a kind of “sneaky” update from the .NET group that really should have been included in the formal Microsoft documentation update process. However, that update was merely documented support for later versions of Visual Studio.
Mitigations and Workarounds
Microsoft published one key mitigation for a Windows network vulnerability:
- CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability. Noting that there are no publicly reported exploits for this network vulnerability, Microsoft still recognizes that some administrators may choose to disable NFSV3 before their server systems are fully patched. To disable this network feature, use the PowerShell command “Set-NfsServerConfiguration -EnableNFSV3 $false”. There is no need to disable V4 (as opposed to V3), as the later versions of this protocol are not affected by this security vulnerability.
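The mitigation above is a one-liner, but applied blindly it can cut off clients that still mount over NFSv3. The following is an added example, not code from the article or from Microsoft’s advisory: it checks that Server for NFS is installed, records the current V3/V4 state, lists currently mounted clients so you can see who would be affected, and only disables V3 when run with -Apply, verifying the result afterwards. It assumes Windows Server with the NFS PowerShell module and an elevated session.

```powershell
# Added example (not from the article): apply the CVE-2022-22029 temporary
# mitigation (disable NFSv3) with a dry run, a client check and verification.
# Assumes Windows Server, the NFS PowerShell module, and an elevated session.
param([switch]$Apply)

$feature = Get-WindowsFeature -Name FS-NFS-Service
if (-not $feature.Installed) {
    Write-Output "Server for NFS is not installed; the NFSv3 mitigation does not apply here."
    return
}

$before = Get-NfsServerConfiguration
Write-Output ("Before: EnableNFSV3={0} EnableNFSV4={1}" -f $before.EnableNFSV3, $before.EnableNFSV4)

# Clients still mounting over v3 lose access once it is disabled, so list the
# currently mounted clients first (cmdlet from the same NFS module).
Get-NfsMountedClient -ErrorAction SilentlyContinue | Format-Table -AutoSize

if (-not $Apply) {
    Write-Output "Dry run only. Re-run with -Apply to disable NFSv3 until the server is patched."
    return
}

# The documented mitigation: disable V3 and leave V4 exactly as it is.
Set-NfsServerConfiguration -EnableNFSV3 $false

$after = Get-NfsServerConfiguration
if ($after.EnableNFSV3) {
    throw "NFSv3 is still reported as enabled; check the NFS service state and re-run."
}
Write-Output ("After:  EnableNFSV3={0} EnableNFSV4={1}" -f $after.EnableNFSV3, $after.EnableNFSV4)
```

Keep the “Before” line from the dry run in your change record; once the July update is installed, the same cmdlet with -EnableNFSV3 $true restores the original state if V3 clients genuinely need it.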
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
It just keeps getting better. The downward trend in reported browser vulnerabilities for Microsoft continues, with just two (CVE-2022-2294 and CVE-2022-2295) Chromium updates for this July. Both updates only affect Edge (Chromium) and were released last week. Chrome should automatically update, with our initial analysis showing that both updates will have marginal impact on browser compatibility. You can read about this update on the Google Blog, with the technical details found on Git. Add these low-profile, low-risk updates to your standard browser release schedule.
With just four critical updates and 16 rated important this month, Microsoft is really giving IT admins a bit of a break. The four critical Windows updates for this release cycle include:
- CVE-2022-30221: This Windows vulnerability in the core graphics sub-system (GDI) could lead to a remote code execution (RCE) scenario.
- CVE-2022-22029 and CVE-2022-22039: These Windows Network file system issues could result in RCE scenarios on the compromised system.
- CVE-2022-22038: This low-level (Win32) RPC component, reported as difficult to exploit, could lead to very difficult troubleshooting scenarios.
All of these critical updates have been officially confirmed as fixed, with no reports of public exploits on Windows desktop systems. The remaining 14 updates are rated important by Microsoft and affect the following Windows systems and components:
- Print driver, Print Spooler and FAX components;
- Windows Kernel and Boot Manager;
- Windows Network File system, storage and the Fast FAT driver.
Unfortunately, Windows Server 2012 did not fare so well, with reports of CVE-2022-22047 exploited in the wild. This Windows server vulnerability affects the Client Server Run-Time Subsystem (CSRSS), which is where all the badly behaving user mode drivers hang out. If you have any Windows Server 2012 under your care, this is a “Patch Now” update. Otherwise, add this very low-profile Windows update to your standard release schedule. And don’t forget, Microsoft has delivered another Windows 11 update video; it’s found here.
Microsoft released only two (CVE-2022-33632 and CVE-2022-33633) updates to Microsoft Office this month. Both updates are rated important by Microsoft, and both require local, authenticated privileges to the target system. Add these updates to your standard Office update schedule.
Microsoft Exchange Server
It’s good that we get a break from Microsoft Exchange Server updates. Rather than simply resting, it may be worth investing in your Exchange security infrastructure. Microsoft has provided some major improvements on Exchange during the past year; here are a few ideas on securing your Exchange Server:
- Microsoft Safety Scanner: This command line tool is downloaded from Microsoft (must be refreshed every 10 days) and removes malware from your target system. It’s not a replacement for third-party tools, but if there is a concern about a machine, this is a good first step.
- Exchange On-premises Mitigation Tool (EOMT): If you are unable to quickly patch specific Exchange Servers, Microsoft offers a command-line tool to mitigate against known attacks. This PowerShell script will both attempt to remediate as well as mitigate your servers against further attacks — noting that once done, applying patches is the top priority.
- Exchange Emergency Mitigation Service (EM): The Exchange Emergency Mitigation service (EM service) keeps your Exchange Servers secure by applying mitigations/updates/fixes to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and will send diagnostic data back to Microsoft.
All of these features and offerings are predicated on using at least Office 2019 — another reason Microsoft has strongly recommended everyone move to Exchange Server 2019 at least. The EM Service was last used in March 2021 to deal with several Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858). These were specific attacks on on-premises servers. It’s helpful to know this service is there, but I’m glad it has not been required recently.
Microsoft Development Platforms
As with Microsoft Exchange, Microsoft has not published any “new” security updates to the Microsoft .NET platform or tools this month. However, there was a problem with June’s .NET update, which was addressed this month. This month’s .NET release resolves the issue that some versions of .NET were not addressed by the previous patch — this is just an informational update. If you are using Microsoft Windows update infrastructure, no further action is required.
Adobe (really just Reader)
This is a big update from Adobe, with 15 updates rated as critical and seven rated important, all just for Adobe Reader. The critical updates mainly relate to memory issues and could lead to the execution of arbitrary code on the unpatched system. You can read more about the Adobe bulletin (APSB22-32) and Adobe security bulletins here. Add this application-specific update to your “Patch Now” release.