Four zero-day exploits add urgency to October’s Patch Tuesday

October brings four zero-day exploits and 74 updates to the Windows ecosystem, including a hard-to-test kernel update (CVE-2021-40449) that requires immediate attention and an Exchange Server update that requires technical skill and due diligence (and a restart). The testing profile for October’s Patch Tuesday covers Windows error handling, AppX, Hyper-V, and Microsoft Word. We recommend a Patch Now schedule for Windows, then staging the remaining patch groups according to your normal release pattern.

For more information on the risks of deploying these Patch Tuesday updates, see this infographic.

Key test scenarios

No high-risk changes to the Windows platform have been reported. However, one functional change has been reported, and additional features have been added.

  • As always, make sure that the physical and virtual printers print as expected. Make sure there are no problems with the printer driver. It’s a good idea to evaluate which printer driver software still uses 32-bit code for application management.
  • Test non-English websites for broken or uneven characters in Thai, Lao, Korean, and Arabic.
  • The Active Directory feature Bannd IP has been updated. We recommend that you validate AD authentication for both active and passive network can.
  • Microsoft has updated the media codec, so testing large image and video files should be part of your testing plan.
  • The STORPORT.SYS component was updated this month, so check out the applications that depend on this Windows feature.

It’s no exaggeration to say that the Microsoft AppX format wasn’t as widely adopted as companies expected. Nonetheless, this October update includes a major upgrade to the Microsoft AppX container and deployment tools. If you run an enterprise Microsoft Store for your applications, we recommend that you test installing and uninstalling both the AppX application and its associated runtime.

On the topic of lesser-used Windows features, the Microsoft NTFS file system has been updated to fix symbolic links (useful for UNIX migrations). If you are in the middle of a large UNIX migration, we recommend that you pause a bit and test large (and parallel) file transfers before deploying this update.

Known issues

Every month, Microsoft publishes a list of known operating system and platform-related issues included in the update cycle. We have highlighted some key issues related to Microsoft’s latest builds, including:

  • For devices with Windows installations created from custom offline media or custom ISO images, this update may remove Microsoft Edge Legacy without automatically replacing it with the new Microsoft Edge. This issue occurs only when the custom offline media or ISO image is created by slipstreaming this update into the image without first installing the standalone servicing stack update (SSU) released after March 29, 2021.

Major revisions

As of this writing, for this July update cycle, there were two major revisions to previously released updates.

  • CVE-2021-38624: Windows Key Storage Provider security feature bypass vulnerability. This is Microsoft’s third attempt to patch this Windows key storage component, and it unfortunately required a major update. This month’s affected systems include Windows 11. Microsoft strongly recommends that you take immediate action to update your system.
  • CVE-2021-33781: Azure AD security feature bypass vulnerability. Again, this is a third attempt to resolve the problem. However, for this Azure AD issue, the latest changes are informational (corrected CVE titles and documentation) and include an updated list of affected systems that now includes Windows 11. No further action is required here.

Mitigation and workarounds

  • CVE-2021-40444: Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Windows. The company is aware of targeted attacks that attempt to exploit this vulnerability using specially crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

Each month, the update cycle is categorized into product families (defined by Microsoft) in the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft Development Platform (ASP.NET Core, .NET Core, Chakra Core);
  • Adobe (retired ???, not yet).


Browsers

Microsoft has published 33 updates to the Chromium-based Edge browser during this cycle. Given that Chromium is not deeply integrated into the desktop or server operating system, potential conflicts and dependency issues are unlikely. See the Chromium project’s update cycle and release notes for details.

However, one of the key components of Internet Explorer (IE), IEFRAME.DLL, has been updated this month. Third-party applications and in-house developed software may depend on this key library. With this particular update, it looks like Microsoft has changed the way the browser handles tabs, especially how they are created. If your testing encounters an “invalid reference counting invalid pointer” (or similar) error, it may be related to this update to the core Internet Explorer system library (DLL). Add both of these groups of browser updates to your regular update schedule.


Microsoft Windows

This month, Microsoft released four key updates to the Windows ecosystem and 45 more patches that were rated as important. Unfortunately, the update for CVE-2021-40449, which affects the Windows kernel, has been reported as exploited. This combines a low-level update to core Windows systems that is difficult to test with an urgent need to mitigate or patch. We’ve included test guidance in the section above, which covers many of the changes in Windows this month. However, testing kernel updates is very difficult. Thoroughly test your core apps, release the update in rings or phases, and add this update to your Patch Now schedule.

Microsoft Office

Microsoft has released 16 updates to Microsoft Office and Microsoft SharePoint, one of which is rated critical (CVE-2021-40486) and affects Microsoft Word; the remaining patches affect Excel and SharePoint. The Word security issue is serious, but it has not been publicly disclosed and has not been reported as exploited. Note: SharePoint must be restarted after the update. We recommend that you add these to your regular patch release schedule.

Microsoft Exchange Server

Unfortunately, Microsoft Exchange Server updates are back for October. Exchange Server has four patches (for both 2016 and 2019), all rated as important. However, CVE-2021-36970 has a base rating of 9.0 according to the CVSS vulnerability rating system. This is very high (as in serious) and would usually warrant a critical rating from Microsoft. However, because the “range” of the vulnerability is limited, the potential damage is greatly reduced.

Microsoft has released an updated document detailing some known issues related to this month’s Exchange Server patch, where manually applying MSP files does not install all the required files correctly. In addition, accidentally applying this update can leave your Exchange server in an invalid state. This issue applies to the next October update.

This installation issue is of particular concern when applying updates using User Account Control (UAC) and does not occur when using Microsoft Update. Note that otherwise this Exchange update will require a server restart. We recommend that you add this update to your regular update schedule.

Microsoft development platform

This month, Microsoft released three updates to Visual Studio and one patch for .NET 5.0. All are rated as important by Microsoft and in the worst case can lead to information disclosure or “denial of service” (application-specific and localized). Updating Visual Studio is very easy and should be included in the standard development release life cycle.

Adobe (really just Reader)

Adobe has released four updates to its core Reader product group, covered in security bulletin APSB1221-104. Two of these updates (CWE-416 and CWE-787) are rated critical by Adobe. While both have a CVSS score of 7.8 (quite high for a PDF reader), they do not require an urgent update. Add these to your regular update schedule.

Copyright © 2021 IDG Communications, Inc.
