There are (as of now) 51 patches to the Windows ecosystem for February, but no critical updates and no “Patch Now” recommendations from the Readiness team. I’m hoping that with this month’s list of Patch Tuesday updates, we can enjoy the quiet after the storm. January was tough for a lot of folks. And, with this month’s very light release from Microsoft, corporate security and systems administrators can take the time needed to test their applications and desktop/server builds. It’s also important to invest in their testing methodologies, release practices, and how their applications may be affected by OS-level updates and patches.
You can find more information on the risk of deploying these Patch Tuesday updates using our detailed infographic.
Key testing scenarios
There are no reported high-risk changes to Windows this month. However, there is one reported functional change, and an additional feature added:
- Printing: Perform all basic print operations with multiple types of printers. Perform print operations with various third-party apps. Most importantly, test your print spooler services on any shared service servers (e.g., Domain Controllers).
- VPN: Validate VPN connectivity using existing/new VPN connections (Create/Connect/Remove).
- Kernel Updates: Any applications that rely on DirectComposition should work as intended.
- CFS Logs Test out Create/Read/Update/Extend/Trim.
When testing your printing services, ensure that you are validating your spooler and SHD (shadow files). Testing these service artifacts is especially important if you employ symbolic or hard links to access these jobs.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. There is more than usual, so I have referenced a few key issues that relate to the latest builds from Microsoft including:
- Devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU.
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” To resolve this issue, Microsoft recommends that you “uninstall and reinstall any recently added language packs.” For instructions, see Manage the input and display language settings in Windows 10.
- After installing this update, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication. You might receive the prompt “Your credentials did not work. The credentials that were used to connect to [device name] did not work. Microsoft has published a Known Issue Roll-back for this problem. For further instructions, see How to use Group Policy to deploy a Known Issue Rollback.
After installing updates released Jan. 11 or later, applications that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might have issues. The apps might fail or close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error. To resolve this issue manually, apply the out-of-band updates for the version of the .NET Framework used by the app. We recommend that you scan your internal line of business applications for any dependencies on System.DirectoryServices API.
Though there is a much smaller list of patches this month, Microsoft released several revisions to previous patches, including:
- CVE-2019-0887: This is an old patch that has been reported as publicly exploited. As a result, Microsoft has added the Remote Desktop client to the affected platforms list. To ensure compliance, make sure you have version 1.2.2691 of the remote desktop client installed.
- CVE-2021-34500: This is an unusual revision, as Microsoft has expanded the list of affected systems to include earlier versions of Windows 10, Windows 7, and Server 2012. It usually works the other way. If you are using old(er) versions of Windows, you may need to reference the Microsoft Knowledge base article KB4497181 to ensure that you have the appropriate ESU MAK add-on key. This key will be required to obtain this latest patch for these legacy systems.
- CVE-2022-21871: This patch revision only affects users of Visual Studio 2019 16.7 and 16.9. It’s purely informational; no action is required.
- CVE-2022-23254: This is an information change to this patch’s title. No further action necessary.
Mitigations and workarounds
This month Microsoft has published two mitigating factors, including:
- CVE-2022-21984: Microsoft has published a very brief mitigating factor for this DNS related security issue, noting that, “to be vulnerable your DNS server would have to have dynamic updates enabled”. I hope that this helps.
- CVE-2022-21907: Microsoft has advised that this HTTP stack level zero-day issue does not apply to Server 2019 unless you have enabled the following registry setting: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesHTTPParameters. This mitigation only applies to Windows Server 2019 and Windows 10, version 1809 and does not apply to Windows 10, version 20H2 and newer. So, if you are on later desktop and server platforms, you need to apply this patch as soon as possible.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
There are a total of 22 (+1) updates to the Microsoft Edge (Chromium) browser this month. None are critical, with one patch rated moderate and the remaining rated important. Unusually, there was an additional update for Microsoft Edge posted yesterday (CVE-2022-23246) that was included as part of an updated release note for Microsoft Edge security update found here. Add these Chrome (Edge and Chromium) updates to your regular update release schedule.
We were hoping for a quieter update this month and Microsoft really delivered — with no critical updates for Windows or Microsoft Office. Given that January’s release was large and complex, several problems were encountered, including:
To remedy these and other reported (minor) issues, a rare Out-of-Band (OOB) update was released on Jan 17. Microsoft has posted 26 patches this month, covering Hyper-V, printing, error/logging sub-systems, networking, and video codecs. Given the testing requirements for these types of changes to the core operating system, we suggest a staged approach and adding these Windows updates to your standard update release schedule.
This month’s patches for Microsoft Office will install on the following baselines:
- Office 2010, 2103, 2016 (client and server);
- SharePoint 2013 and 2106 (server).
Though Microsoft has published 11 updates (all rated important) for this release, only eight apply to Windows systems. Microsoft has shared some basic testing guidelines for the updates, including:
- Verify Excel file/open scenarios for untrusted XLS files;
- Focus on testing legacy content: ActiveX Controls, Pictures, Shapes, SmartArt, Charts, WordArt;
- SharePoint (on-premises): test creating a new Media web-part.
Microsoft also published a major known issue with this month’s Office update, saying: “The Machine Translation service fails if the content contains certain HTML tags.” To work around this issue, see Publishing pages cannot be translated in SharePoint Server 2019 (KB5011291). All the local office installations (excluding click-to-run virtualized instances) require user interactions and do not significantly degrade the system if affected. These patches represent a low risk and have been documented to affect core functionality (potentially affecting dependent line-of-business applications). Add these updates to your standard Office update schedule.
Microsoft Exchange Server
Following the trend of a very light patch cycle, Microsoft has not released any updates for the Exchange Server platform.
Microsoft development platforms
Things are definitely light on the ground this month, but we do have a few very minor updates for Microsoft development tools, including two patches to Visual Studio (CVE-2022-21986 and CVE-2022-21991) Both of these minor updates are rated important by Microsoft and should be (almost casually) added to your standard development patch schedule.
Adobe (really just Reader)
Adobe released several security updates this month, but luckily nothing for Adobe Reader. You can find Adobe’s February release notes here; it relates to Adobe Premier, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Let’s see what Adobe has in store for us in March.
Copyright © 2022 IDG Communications, Inc.