Patch Tuesday: Two zero-day flaws in Windows need immediate attention
Microsoft’s December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-centric (TCP/IP and RDP) update that will require significant testing, with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).
Microsoft also released an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. (The Readiness team has provided a useful infographic which describes the risks associated with each of these updates.)
And Windows Hot-Patching for Azure Virtual Machines (VMs) is now available.
Known issues
Each month, Microsoft includes a list of known issues related to the operating system and platforms included in this update cycle.
- ODBC: After installing the December update, applications that use ODBC connections through the Microsoft ODBC SQL Server driver (sqlsrv32.dll) to access databases may fail to connect. You may receive the following error messages: “EMS system encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server.”
- RDP and Remote Access: After installing this or later updates on Windows desktop systems, you may not be able to reconnect to Microsoft DirectAccess after temporarily losing network connectivity or transitioning between Wi-Fi networks or hotspots.
- Hyper-V: After installing this update on Hyper-V hosts managed by System Center Virtual Machine Manager (VMM) configured with Software Defined Networking (SDN), you might receive an error in workflows related to creating a new network adapter (also called a network interface card or NIC) attached to a VM network, or a new virtual machine (VM).
- Active Directory: Due to additional security requirements to address security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain network join requests. These additional checks may result in the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Security policy blocked account reuse.”
In preparation for this month’s update to Windows 10 and 11 systems, we recommend running an evaluation on all application packages and looking for a dependency on the SQLSRV32.DLL system file. If you need to inspect a specific system, open a command prompt and run the command “tasklist /m sqlsrv32.dll”. This should list all the processes that depend on this file.
Important revisions
Microsoft released only one revision this month, with no other revisions to previous patches or updates.
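The same dependency check as a script, added here as an example (this is not code from the article or from Microsoft). It goes a step beyond the tasklist one-liner by also listing the ODBC DSNs configured to use the legacy “SQL Server” driver, and it assumes an elevated session plus the Wdac module that ships with Windows 8/Server 2012 and later.

```powershell
# Added example (not from the article): inventory which processes have the legacy
# Microsoft ODBC SQL Server driver (sqlsrv32.dll) loaded, and which ODBC DSNs on this
# host are configured to use it. Run in an elevated PowerShell session so that the
# module lists of processes owned by other users can be read.
$driverDll = 'sqlsrv32.dll'

function Get-SqlSrv32Processes {
    # Equivalent to "tasklist /m sqlsrv32.dll", but returns objects and keeps going
    # when a process denies access to its module list.
    foreach ($p in Get-Process) {
        try {
            $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $driverDll }
        } catch {
            $hit = $null   # access denied or the process exited; skip it
        }
        if ($hit) {
            [pscustomobject]@{
                ProcessName = $p.ProcessName
                Id          = $p.Id
                Path        = $p.Path
            }
        }
    }
}

function Get-SqlSrv32Dsns {
    # The Wdac module exposes ODBC DSN configuration. "SQL Server" is the driver name
    # that maps to sqlsrv32.dll; newer drivers such as "ODBC Driver 17 for SQL Server"
    # are not covered by the December known issue.
    Get-OdbcDsn -DriverName 'SQL Server' -ErrorAction SilentlyContinue |
        Select-Object Name, DsnType, Platform, DriverName
}

$procs = @(Get-SqlSrv32Processes)
$dsns  = @(Get-SqlSrv32Dsns)

"Processes with $driverDll loaded: $($procs.Count)"
$procs | Format-Table -AutoSize
"ODBC DSNs using the legacy 'SQL Server' driver: $($dsns.Count)"
$dsns | Format-Table -AutoSize

if ($procs.Count -eq 0 -and $dsns.Count -eq 0) {
    'No dependency on sqlsrv32.dll found on this host.'
}
```

A DSN that uses the legacy driver can still be affected even when no process has the DLL loaded at scan time, so treat both lists together as the dependency inventory.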
- CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability – Addresses a known issue where Kerberos authentication might fail for user, computer, service, and gMSA accounts when the service is provided by Windows domain controllers. This patch revision has been released as a rare out-of-band update and will require immediate attention, if it has not already been addressed.
Mitigations and Workarounds
While several documentation updates and FAQs have been added to this release, Microsoft released only one mitigation:
- CVE-2022-37976: Active Directory Certificate Services Elevation of Privilege: A system is vulnerable to this security vulnerability only if both the Active Directory Certificate Services role and the Active Directory Domain Services role are installed on the same server on the network. Microsoft has released a set of registry keys (LegacyAuthenticationLevel) that can help reduce the attack surface of this problem. You can learn more about how to protect your systems here.
Testing guidance
Each month the Readiness team analyzes the latest updates and provides testing guidance. This guidance is based on the evaluation of a large portfolio of applications and a detailed analysis of Microsoft patches and their potential impact on Windows platforms and application installations.
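A quick way to find out whether a given server even meets the precondition for CVE-2022-37976, added as an example (not the article’s or Microsoft’s code). It assumes the ServerManager module present on Windows Server, and the registry path for LegacyAuthenticationLevel is taken from the DCOM AppCompat key rather than from the article, so confirm it and the required value against Microsoft’s advisory before relying on the result.

```powershell
# Added example (not from the article): report whether AD CS and AD DS are installed on
# the same server (the condition under which CVE-2022-37976 applies) and show the current
# LegacyAuthenticationLevel value. The registry path is an assumption (DCOM AppCompat key);
# verify it against Microsoft's advisory for this CVE.
Import-Module ServerManager

function Test-AdcsOnDomainController {
    $roles = Get-WindowsFeature -Name 'AD-Certificate', 'AD-Domain-Services'
    $installed = $roles | Where-Object { $_.Installed } | Select-Object -ExpandProperty Name
    $adcs = $installed -contains 'AD-Certificate'
    $adds = $installed -contains 'AD-Domain-Services'
    [pscustomobject]@{
        AdcsInstalled = $adcs
        AddsInstalled = $adds
        Exposed       = $adcs -and $adds   # both roles co-located on this server
    }
}

function Get-LegacyAuthenticationLevel {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'   # assumed location, see lead-in
    $item = Get-ItemProperty -Path $key -Name 'LegacyAuthenticationLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set: DCOM defaults apply
    return [int]$item.LegacyAuthenticationLevel
}

$state = Test-AdcsOnDomainController
$level = Get-LegacyAuthenticationLevel

$state | Format-List
if ($state.Exposed) {
    'AD CS and AD DS are co-located: this server matches the vulnerable configuration.'
    if ($null -eq $level) {
        'LegacyAuthenticationLevel is not set; apply the mitigation from the Microsoft advisory.'
    } else {
        "LegacyAuthenticationLevel is currently $level; compare it with the value the advisory requires."
    }
} else {
    'AD CS and AD DS are not co-located on this server; the mitigation is not needed here.'
}
```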
Given the large number of changes included in this cycle, I have broken down the test scenarios into high-risk and standard-risk groups.
High risk: This month, Microsoft has not registered any high-risk functionality changes. This means that Microsoft has not made any major changes to the core APIs or functionality of any of the core components or applications included in the Windows desktop and server ecosystems.
More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:
- Bluetooth: Microsoft has updated two sets of key API/header files for Bluetooth drivers, including the IOCTL_BTH_SDP_REMOVE_RECORD IOCTL and the DeviceIoControl function. The key test task here is to enable and then disable Bluetooth, making sure that your data connections continue to work as expected.
- Git: Git’s virtual file system (VFSForGit) was updated with changes to file and record mappings. You can read more about this key (internal) Windows development tool here.
In addition to these changes and testing requirements, I’ve included some of the more difficult test scenarios for this update:
- Windows Kernel – There is a large update to the Windows kernel (Win32kfull.sys) this month that will affect the main desktop UI experience. Key patched features include the Start menu, Settings applet, and File Explorer. Given the huge UI test footprint, a larger test pool may be required for your initial deployment. If you still see your desktop or taskbar, take that as a positive sign.
After last month’s update to Kerberos authentication, several issues related to authentication were reported, especially on Remote Desktop connections. Microsoft details the following scenarios and related issues addressed this month:
- Domain user login may fail. This could also affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS web server) might fail to authenticate.
- Remote Desktop connections using domain users may fail to connect.
- You may not be able to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication may fail.
All of these scenarios require significant testing before a general rollout of the December Update.
Unless otherwise specified, we must now assume that each Patch Tuesday update will require testing of core printing features, including:
- Printing from directly connected printers.
- Adding a printer and then deleting a printer (this is new for December).
- Large print jobs from servers (especially if they are also domain controllers).
- Remote printing (using RDP and VPN).
- Testing physical and virtual scenarios with 32-bit applications on 64-bit machines.
Windows Lifecycle Update
This section includes important service changes (and most security updates) for Windows desktop and server platforms. Since this is an end-of-year update, there are quite a few “End of Service” changes, including:
- Windows 10 (Enterprise, Home, Pro) 21H2 – December 12, 2022.
- Windows 8.1 – January 10, 2023.
- Windows 7 SP1 (ESU) – January 10, 2023.
- Windows Server 2008 SP2 (ESU) – January 10, 2023.
Each month, we break the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, maybe next year).
Browsers
Following a welcome trend of non-critical updates to Microsoft browsers, this update offers just three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115), all rated as important. These updates affect Microsoft’s Chromium-based browser and should have little or marginal impact on your applications. Add these updates to your standard patch release schedule.
Windows
Microsoft released patches to the Windows ecosystem this month that address three critical updates (CVE-2022-44676, CVE-2022-44670 and CVE-2022-41076), with 24 rated as important and two rated as moderate. Unfortunately, this month we have those two zero-days affecting Windows, with reports of CVE-2022-44698 being exploited in the wild and CVE-2022-44710 being publicly disclosed. We have developed specific testing recommendations, noting that there are reported issues with Kerberos, Hyper-V, and ODBC connections.
Add this update to your “Patch Now” release schedule.
Microsoft Office
Microsoft addressed two critical vulnerabilities in SharePoint Server (CVE-2022-44693 and CVE-2022-44690) that are relatively easy to exploit and do not require user interaction. The remaining two vulnerabilities affect Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are low-profile, low-impact changes. Unless you’re hosting your own SharePoint servers (why?), add these updates from Microsoft to your standard release schedule.
Microsoft Exchange Server
Microsoft has not released security updates, patches, or mitigations for Microsoft Exchange Server. Phew!
Microsoft development platforms
Microsoft addressed two critical vulnerabilities in Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Although both security issues are classified as critical, they require local administrator access and are considered difficult and complex to exploit. Mark Russinovich’s Sysinternals tooling also needs an update for the elevation of privilege vulnerability CVE-2022-44704, and all supported versions of Visual Studio will be patched. Add these updates to your standard developer release schedule.
Adobe Reader (still here, but not this month)
Adobe has released three category 3 (equivalent to Microsoft’s Important rating) updates for Illustrator, Experience Manager, and Campaign (Classic). There are no Adobe Reader updates this month.
Copyright © 2022 IDG Communications, Inc.