This month’s Patch Tuesday update is important for several reasons. With 67 unique vulnerabilities addressed, six publicly-reported issues and one already exploited, this month’s updates still pale in comparison to dealing with the Log4j issue. (Fortunately, there are no browser or Microsoft Exchange updates and minimal changes to Microsoft Office.)
We have added the Windows updates and Visual Studio updates to our “Patch Now” release cycle recommendations, while Office updates are relegated to a normal release cadence. You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
Key testing scenarios
There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature. Here are our high-level testing recommendations:
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the latest builds, including:
One of the best ways to see if there are known issues that could affect your target platform is to check out the many configuration options for downloading patch data at the Microsoft Security Update guidance or the summary page for this month’s security update.
Microsoft released four updates for informational reasons (documentation and FAQ updates) including: CVE-2021-43236, CVE-2021-43883, CVE-2021-43893, CVE-2021-43905. In addition, Microsoft released several major updates to previous patches, including:
Due to the larger scope of these patches, you may not have downloaded and applied them in November. This month, all four updates will be included in the patch cycle (though their dates may reflect a November release date).
Mitigations and workarounds
This month, there is a single reported vulnerability that includes both mitigation and documented workarounds:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
This month, the Chromium project released 16 updates for the Microsoft Edge browser. We are really seeing a trend here, with no updates to Microsoft’s legacy browsers. These updates are very likely part of an auto-update process for your desktop environment, as these updates will not be deployed via Microsoft Update.
You can find out more in the Chrome Release blog and security details on the Chrome Security Page. Given the nature of Edge (not completely integrated into the OS), there are very few expected compatibility or integration errors expected with this release. Add these Chrome updates to your regular update release schedule.
December brings a moderate update to Windows with 36 updates; three are rated critical by Microsoft and the remaining 33 as important. Normally, we would focus on the critical patches. But this month it’s more appropriate to focus on publicly disclosed and exploited vulnerabilities, including:
This month we have “only” one vulnerability reported as exploited in the wild, with a side-loading spoof attack on the Microsoft AppX installer component (CVE-2021-43890). Fortunately, this is a complex attack that requires user intervention and Microsoft has confirmed an official fix for this issue. Given the focus on updates to core system components (NTFS, Installer, and printing) we have included some testing recommendations:
And about that Log4j issue? Patching the OS is not enough to protect your environment. We highly recommend an immediate scan of your application portfolio for JAVA dependencies and references to Log4j components. This week’s news of Log4j issues is just the beginning. Expect large scale, industrialized attacks over the Christmas period and into the New Year. It’s going to be bad. It’s going to be messy.
Add these Windows updates to your “Patch Now” schedule and get to work on reducing your application attack surface.
Microsoft released nine patches for Office, all rated important. All versions of SharePoint and Access are affected, as are versions 2016 and 2019 of Word. There are no preview pane attack vectors this month, and all of the reported vulnerabilities require user interaction. Add these Microsoft Office updates to your regular patch release schedule.
Microsoft Exchange Server
The Log4j issue may be the coal in your stocking, but Microsoft has gifted us a reprieve from any Microsoft Exchange updates this month. So you can pay more attention to other things, like Christmas. Or Log4j. You choose.
Microsoft Development Platforms
Microsoft published seven updates to its development platforms this month (one critical and the remaining rated as important) that affect Visual Studio, PowerShell, and the ASP.NET/.NET framework. The single critical rated patch (CVE-2021-43907) relates to the popular WSL extension; if unpatched, it could lead to a remote-code execution scenario. It’s a pretty serious issue that will affect all WSL users. Unfortunately, the testing profile will be quite large with testing requirements for the .NET COM server and REGEX expressions.
We suggest that you add this Visual Studio update to your “Patch Now” schedule and also reference the additional (and separate) .NET related updates published on the Microsoft Dev blog.
Adobe (really just Reader)
This month, Microsoft did no release any update to Adobe Reader. I keep thinking that I can retire this section, but we keep getting periodic updates from Adobe or critical printing updates for PDF files. Let’s see what happens in 2022.
And, if you got this far…
Because of minimal operations during the holidays and the upcoming new year break, Microsoft will not release a preview release (known as a “C” release) for December. Normal monthly servicing for both Microsoft B and C releases will resume in January. Windows 10, version 2004 has reached end of servicing as of this release. Next month we are likely to see an update to the TLS protocol for Windows Server 2008 with support for TLS 1.2.
This content was originally published here.