June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are no Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows component, CVE-2022-30190, led to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.
You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
Key testing scenarios
Given the large number of changes included in this June patch cycle, I’ve broken out the testing scenarios for high-risk and standard-risk groups.
These high-risk changes are likely to include functionality changes, may deprecate existing functions, and will likely require new testing plans. Test your signed drivers using physical and virtual machines (BIOS and UEFI) and across all platforms (x86, 64-bit):
- Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
- Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
- Use SHA-1 signed versus SHA-2 signed drivers.
Each of these high-risk test cycles must include a manual shut-down, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:
- Test remote Credential Guard scenarios. (These tests will require Kerberos authentication, and can only be used with the RDP protocol.)
- Test your Hyper-V servers and start/stop/resume your Virtual Machines (VM).
- Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
- Test deploying sample applications using AADJ and Intune. Ensure that you deploy and revoke access as part of your test cycle.
In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update. This is due to the changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. It’s good to challenge each application package as part of the Quality Assurance (QA) process that includes the key application lifecycle stages of installation, activation, update, repair, and then uninstall.
Not testing these stages could leave IT systems in an undesirable state; at the very least, it will be an unknown state.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:
- After installing this June update, Windows devices that use certain GPUs might cause apps to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). No resolutions for these reported issues yet.
- After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.
As you may be aware, Microsoft published an out-of-band update (OOB) last month (on May 19). This update affected the following core Windows Server based networking features:
The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controller servers. Desktop platforms are not affected. Due to this earlier patch, Microsoft has recommended that this June’s update be installed on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC) first. Then install this update on all DC role computers. Or pre-populate CertificateMappingMethods to 0x1F as documented in the registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.
Did you get that? I must note, with a certain sense of irony, that the most detailed, order-specific set of instructions that Microsoft has ever published (ever) is buried deep, mid-way through a very long technical article. I hope everyone is paying attention.
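The install order described above, written as a gate over a server inventory. This is an added example, not Microsoft's tooling or code from the original article; the host names, the dictionary fields (`role`, `patched`, `mapping`) and the action labels are hypothetical, and `mapping` stands for the CertificateMappingMethods value read from each DC.

```python
COMPAT_VALUE = 0x1F  # CertificateMappingMethods value named in the article


def plan_rollout(hosts):
    """Return (action, host) tuples allowed or flagged by the stated ordering."""
    apps = [h for h in hosts if h["role"] == "app"]  # intermediate/application servers
    dcs = [h for h in hosts if h["role"] == "dc"]    # domain controllers
    apps_done = all(h["patched"] for h in apps)
    dcs_done = all(h["patched"] for h in dcs)
    # Alternative path: the value is pre-populated on every DC.
    prepopulated = bool(dcs) and all(h.get("mapping") == COMPAT_VALUE for h in dcs)

    # Application servers can always take the update; they go first.
    actions = [("install", h["name"]) for h in apps if not h["patched"]]
    for dc in dcs:
        if not dc["patched"]:
            ok = apps_done or prepopulated
            actions.append(("install" if ok else "hold", dc["name"]))
        elif not apps_done and not prepopulated:
            # DC was patched ahead of the servers that authenticate to it.
            actions.append(("out-of-order", dc["name"]))
    if apps_done and dcs_done:
        # Clean-up is allowed only once every app server and DC is patched.
        actions += [("delete-mapping", d["name"])
                    for d in dcs if d.get("mapping") is not None]
    return actions


# Constructed inventory for illustration only.
INVENTORY = [
    {"name": "app01", "role": "app", "patched": True},
    {"name": "app02", "role": "app", "patched": False},
    {"name": "dc01", "role": "dc", "patched": False, "mapping": None},
    {"name": "dc02", "role": "dc", "patched": True, "mapping": None},
    {"name": "pc17", "role": "desktop", "patched": False},  # desktops are not affected
]

if __name__ == "__main__":
    for action, host in plan_rollout(INVENTORY):
        print(f"{action:14} {host}")
```

With the constructed inventory, dc01 is held and dc02 is flagged, because app02 has not yet been updated and no DC carries the 0x1F value.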
Major revisions
Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:
- CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.
- CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to affected applications (now affecting the Mac platform). No further action required.
- CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now affecting the Mac platform). No further action required.
- CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major update to this patch is a bit of a mess. This patch was mistakenly allocated to the Windows security update group. Microsoft has removed this Endpoint manager from the Windows group and has provided the following options to access and install this hot-fix:
  - Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See Checklist for installing update 2203 for Configuration Manager for more information.
  - Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager, versions 1910 through versions 2111 who are not able to install Configuration Manager Update 2203 (Build 5.00.9078) can download and install hot-fix KB12819689.
- CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal: we were affected by this issue with huge server performance spikes. If you are having problems with MSDT, you need to read the MSRC blog post, which includes detailed instructions on updates and mitigations. To solve our issues, we had to disable the MSDT URL protocol, which has its own problems.
I think that we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but both changes do not have significant testing profiles. DCOM changes are different: they are difficult to test and generally require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired outcomes. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you might have some unpleasant surprises, with very difficult-to-debug troubleshooting scenarios.
Mitigations and workarounds
For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:
- CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I’ve seen this, but for this mitigation, Microsoft strongly recommends you install the May 2022 update first. Once done, you can reduce your attack surface area by disabling NFSV4.1 with the following PowerShell command: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”
Making this change will require a restart of the target server.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
We’re seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:
A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.
Windows
With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus, especially given the low-risk, low-profile updates to Microsoft Browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including: NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and docker components. As mentioned earlier, the most difficult-to-test and troubleshoot will be the kernel updates and the local security sub-system (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily due to the number of core infrastructural changes that should be picked up in early testing. (Microsoft has published another video about the changes this month to the Windows 11 platform, found here.)
Microsoft has fixed the widely-exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which given the other three critical updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139) leads to a “Patch Now” recommendation.
Microsoft Office
Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core foundation library), all of them rated important. The SharePoint server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker location. This Excel vulnerability is more of an Arbitrary Code Execution vulnerability; given that it requires user interaction and access to a local target system, it is a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.
Microsoft Exchange Server
We have a SQL server update this month, but no Microsoft Exchange Server updates for June. This is good news.
Microsoft development platforms
Microsoft has released a single, relatively low-risk (CVE-2022-30184) update to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Mac Visual Studio 2022 (still in preview) as soon as possible. As of July (yes, next month) the Mac version of Visual Studio 2019 will no longer be supported. And yes, losing patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.
Adobe (really, just Reader)
There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for their other (non-Acrobat or PDF related) applications, all of which are rated at the lowest level 3 by Adobe. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.
Copyright © 2022 IDG Communications, Inc.