Patch Tuesday: Two zero-day flaws in Windows zero-days immediate attention - Computerworld

Microsoft's December Patch Tuesday updated delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that necessitate contiguous attraction connected the Windows platform. This is simply a web focused update (TCP/IP and RDP) that volition necessitate important investigating with an accent connected ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both section and remote).

Microsoft besides published an urgent out-of-band update (CVE-2022-37966) to code superior Kerberos authentication issues. (The squad astatine Readiness has provided a helpful infographic that outlines the risks associated with each of these updates.)

And Windows Hot-Patching for Azure Virtual Machines (VMs) is now available.

Known issues

Each month, Microsoft includes a database of known issues that subordinate to the OS and platforms included successful this update cycle.

• ODBC: After installing the December update, applications that usage ODBC connections done Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to entree databases mightiness not connect. You mightiness person the pursuing mistake messages: "The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server".
• RDP and Remote Access: After you instal this oregon aboriginal updates connected Windows desktop systems, you mightiness beryllium incapable to reconnect to (Microsoft) Direct Access aft temporarily losing web connectivity oregon transitioning betwixt Wi-Fi networks oregon entree points.
• Hyper-V: After installing this update connected Hyper-V hosts managed by SDN configured System Center Virtual Machine Manager (VMM), you mightiness person an mistake connected workflows involving creating a caller Network Adapter (also called a Network Interface Card oregon NIC) joined to a VM web oregon a caller Virtual Machine (VM).
• Active Directory: Due to further information requirements successful addressing the information vulnerabilities in CVE-2022-38042, caller information checks are implemented connected domain nett articulation requests. These other checks whitethorn make the pursuing mistake message: "Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An relationship with the aforesaid sanction exists successful Active Directory. Re-using the relationship was blocked by information policy.”

In mentation for the month's update to Windows 10 and 11 systems, we urge runningan appraisal connected each exertion packages and look for a dependency connected the strategy record SQLSRV32.DLL. If you request to inspect a circumstantial system, unfastened a bid punctual and tally the bid "tasklist /m sqlsrv32.dll." This should database immoderate processes that beryllium connected this file.

Major revisions

Microsoft published conscionable 1 revision this month, with nary different revisions to erstwhile patches oregon updates released.

• CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability: To code a known contented wherever Kerberos authentication mightiness neglect for user, computer, service, and GMSA accounts erstwhile serviced by Windows domain controllers. This spot revision has been released arsenic a uncommon out-of-band update and volition necessitate contiguous attention, if not already addressed.

Mitigations and workarounds

While determination were respective documentation updates and FAQs added to this release, Microsoft published a azygous mitigation:

• CVE-2022-37976: Active Directory Certificate Elevation of Privilege: A strategy is susceptible to this information vulnerability lone if some the Active Directory Certificate Services relation and the Active Directory Domain Services relation are installed connected the same server successful the network. Microsoft has published a acceptable of registry keys (LegacyAuthenticationLevel) that tin assistance trim the aboveground country of this issue. You tin find retired much astir protecting your systems here.

Testing guidance 

Each month, the squad astatine Readiness analyzes the latest updates and provides investigating guidance. This guidance is based connected assessing a ample exertion portfolio and a elaborate investigation of the Microsoft patches and their imaginable interaction connected the Windows platforms and exertion installations.

Given the ample fig of changes included this cycle, I person breached down the investigating scenarios into high-risk and standard-risk groups.

High Risk: This month, Microsoft has not recorded immoderate high-risk functionality changes. This means it has not made large changes to halfway APIs oregon functionality to immoderate of the halfway components oregon applications included successful the Windows desktop and server ecosystems.

More generally, fixed the wide quality of this update (Office and Windows) we suggest investigating the pursuing Windows features and components:

• Bluetooth: Microsoft has updated 2 sets of cardinal API/Header files for Bluetooth drivers including: IOCTL_BTH_SDP_REMOVE_RECORD IOCTL and DeviceIoControl function. The cardinal investigating task present is to alteration and past disable Bluetooth, ensuring that your information connections are inactive moving arsenic expected.
• GIT: The Git Virtual File System (VfSForGit) has been updated with changes to the record and registry mappings. You tin work much astir this cardinal (internal) Windows improvement tool here.

In summation to these changes and investigating requirements, I person included immoderate of the much hard investigating scenarios for this update:

• Windows Kernel: This period sees a wide update to the Windows kernel (Win32kfull.sys) that volition impact the superior desktop UI experience. Key features patched see the Start menu, the settings applet, and File Explorer. Given the immense UI investigating surface, a larger investigating radical whitethorn beryllium required for your archetypal roll-out. If you inactive spot your desktop oregon taskbar, instrumentality that arsenic a affirmative sign.

Following past month's update to Kerberos authentication, determination were respective reported issues related to authenticating, particularly crossed remote-desktop connections. Microsoft detailed the pursuing scenarios and related issues addressed this month: 

• Domain idiosyncratic sign-in whitethorn fail. This besides mightiness impact Active Directory Federation Services (AD FS) authentication.
• Group Managed Service Accounts (gMSA) utilized for services specified arsenic Internet Information Services (IIS Web Server) mightiness neglect to authenticate.
• Remote Desktop connections utilizing domain users mightiness neglect to connect.
• You mightiness beryllium incapable to entree shared folders connected workstations and record shares connected servers.
• Printing that requires domain idiosyncratic authentication mightiness fail.

All these scenarios necessitate important investigating earlier a wide deployment of the December update.

Unless different specified, we should present presume that each Patch Tuesday update volition necessitate investigating of halfway printing functions including:

• printing from directly-connected printers.
• add a printer, and past region a printer (this is caller for December).
• large people jobs from servers (especially if they are besides domain controllers).
• remote printing (using RDP and VPNs).
• test carnal and virtual scenarios with 32-bit apps connected 64-bit machines.

Windows lifecycle update

This conception includes important changes to servicing (and astir information updates) to Windows desktop and server platforms. As this is an end-of-year update, determination are rather a fewer "End of Service" changes, including: 

• Windows 10 (Enterprise, Home, Pro) 21H2 - Dec. 12, 2022.
• Windows 8.1 - Jan. 10, 2023.
• Windows 7 SP1 (ESU) - Jan. 10, 2023.
• Windows Server 2008 SP2 (ESU) - Jan. 10, 2023.

Each month, we interruption down the update rhythm into merchandise families (as defined by Microsoft) with the pursuing basal groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange Server;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core)
• Adobe (retired???, possibly adjacent year),

Browsers

Following a invited inclination of nary captious updates to Microsoft's browsers, this update delivers conscionable 3 (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115) each rated important. These updates impact the Microsoft Chromium browser and should person marginal to debased interaction connected your applications. Add these updates to your modular spot merchandise schedule.

Windows

Microsoft released patches to the Windows ecosystem this period that code 3 captious updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated important and 2 rated moderate. Unfortunately, this period we person those 2 zero-days affecting Windows with reports of CVE-2022-44698 exploited successful the chaotic and CVE-2022-44710 publically disclosed. We person crafted circumstantial investigating recommendations, noting that determination are reported issues with Kerberos, Hyper-V and ODBC connections.

Add this update to your "Patch Now" merchandise schedule.

Microsoft Office

Microsoft addressed 2 captious vulnerabilities successful SharePoint Server (CVE-202244693 and CVE-2022-44690) that are comparatively casual to exploit and bash not necessitate idiosyncratic interaction. The remaining 2 vulnerabilities impact Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are low-profile, debased interaction changes. Unless you're hosting your ain SharePoint servers (oh, why?), adhd these Microsoft updates to your modular merchandise schedule.

Microsoft Exchange Server

Microsoft has not released immoderate updates, patches oregon information mitigations for Microsoft Exchange Server. Phew!

Microsoft improvement platforms

Microsoft addressed 2 captious vulnerabilities successful Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Though some information issues are rated critical, they necessitate section admin entree and are considered some hard and analyzable to exploit. Mark Russinovich's Sysmon besides needs an update with the elevation-of-privilege vulnerability CVE-2022-44704 and each supported versions of Visual Studio volition beryllium patched. Add these updates to your modular developer merchandise schedule.

Adobe Reader (still here, but not this month)

Adobe has released three category 3 (equivalent to Microsoft's standing of important) updates to Illustrator, Experience Manager and Campaign (Classic). No updates to Adobe Reader this month.