Welcome to 2022 and a new year of excitement in patch management! I’ve been in this industry for almost 40 years and I can honestly say that there is rarely a boring day. If you are ready to take on the challenges posed, it is a great industry to work in and I hope you all look forward to the start of the new year too. Let’s take a look at some of the recent events that will affect this month’s patch releases.
I finished last month's forecast article by calling 2021 the "year of the supply chain attacks," and that trend continues. Malware in the Atera remote management software uses Microsoft's digital signature verification vulnerabilities from 2012 to load ZLoader and steal account credentials.
Although these vulnerabilities have been fixed, the changes are not enabled by default. Microsoft Security Advisory 2915720 from 2017 offers further details on Authenticode and WinVerifyTrust functionality, with recommendations for action. Although the vulnerabilities are old, this is a new attack, and I'm sure we'll hear more from Microsoft, with possible changes in next week's patches.
The zero-day vulnerability in the Java-based logging library Apache Log4j took the software industry by storm in mid-December. This library is widely used in both enterprise and cloud service software. Although Apache released the zero-day fix for CVE-2021-44228, it will take a while for companies using this library to update, test, and release a new version.
To complicate the situation, a total of four additional CVEs related to the Log4Shell bug were identified in the past month, the most recent being CVE-2021-44832. To keep the industry moving, Apache released several updates to this library, now up to version 2.17.1. SaaS products can be updated quickly under DevOps practices, but traditional software products can take much longer to update in the field, leaving them vulnerable to exploitation.
Microsoft was busy ahead of the first Patch Tuesday of 2022, releasing an out-of-band update for Windows servers that have "a black screen, slow logon, or general slowdown". These updates were originally a limited release but are now available to all servers. A script was also published for Exchange Server 2016 and Exchange Server 2019, which resolves a date validation issue where messages get stuck in the transport queue. We need to see if these updates show up in the upcoming cumulative patches.
January 2022 Patch Tuesday forecast
- I mentioned that Microsoft was already busy fixing several issues this year so we may see more than the 29 and 30 vulnerabilities fixed in Windows 11 and 10, respectively. I expect we’ll see updates to Exchange Server and maybe .NET as well.
- The last Year 2 Extended Security Updates (ESU) for Windows 7 and Server 2008/2008 R2 will be released next week. If you still need support for Year 3, be sure to renew all of your licenses to ensure there are no disruptions in February.
- Expect an update to Adobe Acrobat and Reader next week. Updates for most Adobe products were released on December 14th, so make sure you have these included in your update plan.
- Mozilla hasn’t released its usual pre-patch Tuesday updates for Firefox, Firefox ESR, and Thunderbird, so expect those security updates next week.
I looked back on my forecast article from January 2021 and, surprisingly, the focus was on identifying and maintaining third-party software embedded in enterprise products. With the malicious code in the Atera product and the scramble to patch Apache's Log4Shell vulnerability, this old advice is really new again!
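One way to act on that advice for Log4j, as an added example that is not part of the original article: a scanner that looks inside nested archives for embedded copies of log4j-core and flags any below 2.17.1. It assumes the copy still carries its Maven `pom.properties` metadata and treats 2.17.1, the version named above, as the only baseline; the sample archives are constructed in memory.

```python
import io
import re
import zipfile

BASELINE = (2, 17, 1)  # assumption: the version the article names is the minimum
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Return the leading numeric part of a version string as a tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def scan_archive(data, label, depth=0, max_depth=4):
    """Yield (path, version, outdated) for every log4j-core copy inside the archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(POM):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                ver = parse_version(m.group(1)) if m else None
                yield label, ver, ver is None or ver < BASELINE
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                # Embedded library: descend, keeping the full path for the report.
                nested = f"{label}!/{name}"
                yield from scan_archive(zf.read(name), nested, depth + 1, max_depth)

def make_zip(entries):
    """Build a zip in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Scan a constructed app.war holding one old and one current log4j-core."""
    old = make_zip({POM: b"version=2.14.1\n"})
    new = make_zip({POM: b"version=2.17.1\n"})
    sdk = make_zip({"lib/log4j-core.jar": new})
    app = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/lib/vendor-sdk.jar": sdk})
    return list(scan_archive(app, "app.war"))

if __name__ == "__main__":
    for path, ver, outdated in demo():
        print("OUTDATED" if outdated else "ok", ver, path)
```

Copies whose Maven metadata has been stripped or relocated will not be found this way, so a clean result is not proof that the library is absent.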