Patching isn’t enough for December’s Patch Tuesday

This month’s Patch Tuesday update is important for a number of reasons. With 67 unique vulnerabilities addressed, six publicly reported issues, and one already exploited, this month’s updates still pale in comparison with dealing with the Log4j issue. (Fortunately, there are no browser or Microsoft Exchange updates and minimal changes to Microsoft Office.)

We have added Windows and Visual Studio updates to our “Patch Now” release cycle recommendations, while Office updates are relegated to a normal release cadence. You can find more information about the risk of implementing these Patch Tuesday updates in this infographic.

Key test scenarios

No high-risk changes were reported on the Windows platform this month. However, there is a reported functional change and an additional feature. Here are our top-level testing recommendations:

  • Try local printing. Try remote printing and test printing over RDP.
  • Try reading or processing ETL files and large WMF files.
  • Test existing and new VPN connections. Include a site-to-site VPN test.
  • Try NTFS short naming and large file transfer scenarios.

Known issues

Every month Microsoft includes a list of known issues related to the operating system and platforms included in this update cycle. I have referenced some key issues related to the latest versions, including:

  • After installing updates released on April 22, 2021 or later, an issue occurs that affects versions of Windows Server used as Key Management Services (KMS) hosts. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 may not activate. These problems will not affect Windows activation. Microsoft is currently investigating the problem.
  • After installing this update, when connecting to devices in an untrusted domain using Remote Desktop, the connections may fail to authenticate when using smart card authentication. This issue is resolved by a known issue rollback (KIR), which can be deployed with the following Group Policy installation files:

One of the best ways to see whether there are known issues that could affect your target platform is to check the many configuration options for downloading patch data on the Microsoft Security Update Guide summary page for this month’s security update.

Important revisions

Microsoft released four updates for informational reasons (documentation updates and FAQs), including CVE-2021-43236, CVE-2021-43883, CVE-2021-43893 and CVE-2021-43905. Additionally, Microsoft released major revisions to several earlier patches, including:

  • CVE-2019-0887, CVE-2020-0655 and CVE-2021-1669: These Remote Desktop Services RCE updates received a major revision notice because the table of affected systems was updated. Windows 11 is affected by these security issues, and the patch applies accordingly.
  • CVE-2021-24084: The scope of affected systems has been updated to all supported Windows systems.

Because the scope of these patches has been expanded, you may not have downloaded and applied them in November. This month, all four updates will be included in the patch cycle (although their dates may reflect a November release date).

Mitigations and solutions

This month, there is a single reported vulnerability that includes both mitigation and documented fixes:

  • CVE-2021-43890: Microsoft has released a comprehensive set of fixes for this AppX spoofing vulnerability. Using the GPO policies BlockNonAdminUserInstall and AllowAllTrustedAppToInstall, it is possible to reduce the surface area for side-loading attacks in the AppX installer. Microsoft has published a detailed instruction document on configuring GPO policies for AppX (and now MSIX).
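As an added example (not code from the column or from Microsoft), the PowerShell script below audits the two AppX policies named above and lists packages that did not come from the Store or the OS image. It assumes the GPO settings land as DWORD values AllowAllTrustedApps and BlockNonAdminUserInstall under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx; run it elevated so Get-AppxPackage -AllUsers can enumerate every profile.

```powershell
# Added example: audit AppX sideloading policy and inventory sideloaded packages.
# Assumption: the GPO settings map to these registry values (DWORD).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Get-AppxPolicyState {
    $allowTrusted  = $null
    $blockNonAdmin = $null
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        $allowTrusted  = $props.AllowAllTrustedApps
        $blockNonAdmin = $props.BlockNonAdminUserInstall
    }
    [pscustomobject]@{
        # 1 = any package signed by a trusted certificate may be sideloaded (weak)
        AllowAllTrustedApps      = $allowTrusted
        # 1 = standard users cannot install packaged apps at all (hardened)
        BlockNonAdminUserInstall = $blockNonAdmin
        # Absent policy counts as unrestricted: sideloading is on by default
        SideloadingRestricted    = ($allowTrusted -ne 1) -and ($blockNonAdmin -eq 1)
    }
}

function Get-SideloadedAppx {
    # SignatureKind other than Store/System means the package was sideloaded,
    # deployed by an administrator, or installed in developer mode.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin 'Store', 'System' } |
        Select-Object Name, Version, Publisher, SignatureKind, InstallLocation
}

$state = Get-AppxPolicyState
$state | Format-List
if (-not $state.SideloadingRestricted) {
    Write-Warning 'AppX sideloading is not restricted by policy; review the values above.'
}
Get-SideloadedAppx | Format-Table -AutoSize
```

The package inventory is the part worth keeping in a baseline: a new Developer- or Enterprise-signed package appearing on a workstation that should only run Store apps is exactly the kind of change the AppX installer mitigation is meant to prevent.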

Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • And Adobe (retired? Maybe next year).

Browsers

This month, the Chromium project released 16 updates for the Microsoft Edge browser. We’re really seeing a trend here, with no updates for Microsoft’s legacy browsers. These updates are most likely part of an automatic update process for your desktop environment, as these updates will not be rolled out through Microsoft Update.

You can get more information on the Chrome Releases blog and security details on the Chrome security page. Given the nature of Edge (not fully integrated into the operating system), very few compatibility or integration bugs are expected with this release. Add these Chrome updates to your regular update release schedule.

Windows

December brings a moderate update to Windows with 36 updates; three are rated critical by Microsoft and the remaining 33 as important. Normally, we focus on the critical patches, but this month it is more appropriate to focus on the publicly disclosed and exploited vulnerabilities.

This month we have “only” one vulnerability reported as exploited in the wild, a sideload spoofing attack on the Microsoft AppX installation component (CVE-2021-43890). Fortunately, this is a complex attack that requires user intervention, and Microsoft has confirmed an official fix for this problem. Given the focus on core system component updates (NTFS, installer, and printing), we’ve included some test recommendations:

  • Test servers and desktops sending and receiving heavy traffic. Focus on very large single files.
  • Test your .WMF files (due to codec update) and any graphically intensive D3D applications.
  • Try various network traffic conditions, particularly with large data transfers, especially SMB, encrypted file systems, and remote shares.
  • Install, update and uninstall your main applications in a test environment. Make sure all uninstalls are clean.
  • Test your printing, especially remote printing, and printing via RDP.
  • All applications that use TLS / SSL must undergo a basic “smoke test”.

What about that Log4j problem? Patching the operating system is not enough to protect your environment. We highly recommend an immediate scan of your application portfolio for Java dependencies and references to Log4j components. This week’s news on Log4j issues is just the beginning. Expect large-scale industrialized attacks during the Christmas period and in the new year. It’s going to be bad. It is going to be complicated.
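As an added example of the scan recommended above (not code from the column), the PowerShell script below walks a directory tree, opens every .jar/.war/.ear/.zip as a zip archive and reports any archive that carries Log4j 2’s JndiLookup class, looking one level into jars nested inside other archives. The root path is a placeholder; point it at your application install roots.

```powershell
# Added example: find Java archives that bundle Log4j 2's JndiLookup class.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

$JndiClass  = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$ArchiveExt = '.jar', '.war', '.ear', '.zip'

function Test-ArchiveForLog4j {
    param([System.IO.Compression.ZipArchive]$Zip, [string]$Label)
    $hits = @()
    foreach ($entry in $Zip.Entries) {
        if ($entry.FullName -eq $JndiClass) {
            $hits += [pscustomobject]@{ Archive = $Label; Entry = $entry.FullName }
            continue
        }
        # One level of nesting: a jar packaged inside a war/ear or a fat jar
        $ext = [System.IO.Path]::GetExtension($entry.FullName).ToLower()
        if ($ArchiveExt -contains $ext) {
            $stream = $entry.Open()
            $mem = New-Object System.IO.MemoryStream
            try {
                $stream.CopyTo($mem); $mem.Position = 0
                $inner = New-Object System.IO.Compression.ZipArchive($mem)
                $hits += @(Test-ArchiveForLog4j -Zip $inner -Label "$Label!$($entry.FullName)")
                $inner.Dispose()
            } catch { Write-Verbose "Could not open nested $($entry.FullName): $_" }
            finally { $stream.Dispose(); $mem.Dispose() }
        }
    }
    return $hits
}

function Find-Log4jArchives {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ArchiveExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($_.FullName)
                try { Test-ArchiveForLog4j -Zip $zip -Label $_.FullName }
                finally { $zip.Dispose() }
            } catch { Write-Verbose "Skipping $($_.FullName): $_" }
        }
}

# Placeholder root: replace with the directories where your Java applications live
Find-Log4jArchives -Root 'C:\Apps' | Format-Table -AutoSize
```

A hit tells you only that the vulnerable lookup class is present; cross-check the archive’s version (or the vendor’s advisory) before deciding whether it needs the Log4j fix or removal of the class.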

Add these Windows updates to your “Patch Now” program and start working to reduce your applications’ attack surface.

Microsoft Office

Microsoft released nine patches for Office, all rated as important. All versions of SharePoint and Access are affected, as are the 2016 and 2019 versions of Word. There are no preview panel attack vectors this month, and all reported vulnerabilities require user interaction. Add these Microsoft Office updates to your regular patch release schedule.

Microsoft Exchange Server

The Log4j problem may be the coal in your stocking, but Microsoft has gifted us a reprieve from any Microsoft Exchange updates this month, so you can pay more attention to other things, such as Christmas. Or Log4j. You choose.

Microsoft development platforms

Microsoft released seven updates to its development platforms this month (one critical and the rest rated important) affecting Visual Studio, PowerShell, and the ASP.NET/.NET framework. The only critically rated patch (CVE-2021-43907) is related to the popular WSL extension; if not fixed, it could lead to a remote code execution scenario. It is quite a serious problem that will affect all WSL users. Unfortunately, the test profile will be quite large given the testing requirements for the .NET COM server and regular expression handling.

We suggest that you add this Visual Studio update to your “Patch Now” program and also refer to additional (and separate) updates related to .NET posted on the Microsoft Dev blog.

Adobe (really only Reader)

This month, Microsoft did not release an update for Adobe Reader. I still think I can remove this section, but we keep getting regular updates from Adobe or critical printing updates for PDF files. Let’s see what happens in 2022.

And, if you made it that far …

Due to minimal operations during the holidays and the upcoming New Year’s holidays, Microsoft will not release a preview version (known as the “C” release) in December. Normal monthly servicing for the Microsoft B and C releases will resume in January. Windows 10, version 2004, has reached the end of service as of this release. It is likely that next month we will see an update to the TLS protocol for Windows Server 2008 with support for TLS 1.2.

Copyright © 2021 IDG Communications, Inc.