Updates to Exchange and Microsoft Installer drive Patch Tuesday testing

This is a relatively light update from Microsoft’s Patch Tuesday, although two significant vulnerabilities on the Windows platform (CVE-2021-38631 and CVE-2021-41371), both related to the handling of the Remote Desktop Protocol, have been disclosed and are lending some urgency to the application of Windows updates. We also have another technically challenging update to manage for Microsoft Exchange Server.

Pay close attention to servicing stack updates (SSU) this month as it may affect the way your apps are installed (with particular attention to the uninstall process). Microsoft has already said that there won’t be a C patch cycle release next month, which means the December Patch Tuesday release should be light. You can find more information about the risk of implementing these Patch Tuesday updates with this infographic.

Key test scenarios

No high-risk changes have been reported on the Windows platform this month. However, there is a reported functional change and an additional feature:

  • You will have to test your printers again. Try using Notepad first, then Adobe Reader (PDF) and include images (PNG, JPG, BMP). Testing is especially important if you have V3 printer drivers.
  • If your line of business applications are using COM (or God forbid DCOM), you will need a complete test. Changes to the COM STA threading model could lead to difficult troubleshooting situations.
  • Using the Microsoft Movies and TV app, play MP4 videos and check for audio problems.
  • You may not be using Internet Explorer (IE), but your applications may have dependencies on IE components (IEFRAME.DLL). Assess your application portfolio for this key dependency, then test the Office component integration issues and tabbed browsing.
  • Also, take a look at Microsoft Timeline, as minor changes have been made to the way your data is managed.

The biggest problem (or engineering task) this month is the need to validate that your applications install, repair, update and uninstall correctly. Check your Windows Installer logs for the status code (0 for success). I think this is a great job, as we normally focus on installing applications; this time we have to look at how the applications are uninstalled. Once an application has been uninstalled, the target machine should be clean, with empty error logs and no broken applications. Doing this correctly will allow the next MSI installer update to run smoothly.
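One way to automate the log check described above is to scan verbose msiexec logs for the final status line of each install, repair and uninstall. This is an added example, not from the original article; the product names and log lines are constructed, and treating 1641 and 3010 as "succeeded, restart pending" is an assumption layered on the article's "0 for success".

```python
import re

# Final status line msiexec writes to a verbose log (/l*v) for each operation.
# A repair is logged as "reconfigured".
STATUS_RE = re.compile(
    r"Windows Installer (?P<op>installed|removed|reconfigured) the product\. "
    r"Product Name: (?P<product>.+?)\. Product Version: .*?"
    r"(?:Installation|Removal|Reconfiguration) success or error status: "
    r"(?P<code>\d+)"
)
REBOOT_CODES = {1641, 3010}  # assumption: succeeded, restart started / required

# Constructed sample lines (made-up products), not taken from a real machine.
SAMPLE_LOG = """\
MSI (s) (A4:1C) [10:15:32:123]: Windows Installer installed the product. Product Name: Contoso Viewer. Product Version: 1.2.0. Product Language: 1033. Manufacturer: Contoso. Installation success or error status: 0.
MSI (s) (A4:2C) [10:18:02:511]: Windows Installer reconfigured the product. Product Name: Contoso Viewer. Product Version: 1.2.0. Product Language: 1033. Manufacturer: Contoso. Reconfiguration success or error status: 3010.
MSI (s) (A4:3C) [10:21:47:009]: Windows Installer removed the product. Product Name: Contoso Viewer. Product Version: 1.2.0. Product Language: 1033. Manufacturer: Contoso. Removal success or error status: 1603.
MSI (s) (B0:10) [10:25:10:300]: Windows Installer removed the product. Product Name: Fabrikam Agent 2.0. Product Version: 2.0.1. Product Language: 1033. Manufacturer: Fabrikam. Removal success or error status: 0.
"""


def audit_msi_log(text):
    """Return one record per install/repair/uninstall status line."""
    results = []
    for m in STATUS_RE.finditer(text):
        code = int(m["code"])
        if code == 0:
            verdict = "ok"
        elif code in REBOOT_CODES:
            verdict = "reboot"
        else:
            verdict = "failed"
        results.append({"op": m["op"], "product": m["product"],
                        "code": code, "verdict": verdict})
    return results


def failed_uninstalls(results):
    """Products whose removal did not finish with status 0."""
    return sorted({r["product"] for r in results
                   if r["op"] == "removed" and r["verdict"] != "ok"})


if __name__ == "__main__":
    # Real msiexec logs are usually UTF-16: open(path, encoding="utf-16").read()
    records = audit_msi_log(SAMPLE_LOG)
    for r in records:
        print(f'{r["verdict"]:7} {r["op"]:12} {r["product"]} (status {r["code"]})')
    print("uninstalls to investigate:", failed_uninstalls(records))
```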

Known issues

Every month Microsoft includes a list of known issues related to the operating system and platforms included in this update cycle. Here are some key issues related to the latest Microsoft releases:

  • After installing the June 21, 2021 update (KB5003690), some devices cannot install new updates, such as the July 6, 2021 update (KB5004945) or later updates. You will receive the “PSFX_E_MATCHING_BINARY_MISSING” error message. For more information and a workaround, see KB5005322.
  • Some Windows 10 LTSC systems are encountering a problem after installing KB4493509. Devices with some Asian language packs installed may receive the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. Microsoft is currently working on a solution.
  • Windows print clients may encounter the following errors when connecting to a shared remote printer on a Windows print server: 0x000006e4 (RPC_S_CANNOT_SUPPORT), 0x0000007c (ERROR_INVALID_LEVEL), 0x00000709 (ERROR_INVALID_PRINTER_NAME). Microsoft is working on this problem. We hope that there will be an OOB update to address these issues before the December B release (Patch Tuesday). The good news here is that most of these reported printer issues are related to corporate environments (for example, print servers combined with a domain controller); most home users will not be affected by security problems or printing problems.

After installing this month’s update from Microsoft, connections to devices in an untrusted domain using Remote Desktop might fail to authenticate when using smart card authentication. You may receive the message “Your credentials did not work.” This issue is resolved using Known Issue Rollback (KIR), which is kind of exciting. Microsoft now allows code execution paths to be managed through policy. If you run into problems, you can roll back the execution path of the affected files, putting that piece of code in a “pre-patch” state. To do this successfully, you must ensure that you have the correct policy files for your platform. You can find the relevant policy files for each version of Windows here:

One of the best ways to see if there are known issues affecting your target platform is to check the many configuration options for downloading patch data on the Microsoft Security Update Guide site or the summary page of this month’s security update.

Important revisions

There are no major hotfixes (or even documentation updates) this month.

Mitigations and solutions

As of November 12, Microsoft has not released any mitigations or workarounds related to this month’s update cycle.

Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired ???, not yet).

Browsers

Microsoft has released a single major update for Microsoft Edge. In essence, this patch is an update to the Chromium code, but it affects how Edge IE mode operates. The potential business impact of this update is marginal, so please add this relatively straightforward update to your regular release schedule.

Windows

The Microsoft Windows platform received 28 updates, three of which were rated critical, with the remaining patches rated important. The biggest concern is the two publicly reported Remote Desktop Protocol (RDP) issues (CVE-2021-38631 and CVE-2021-41371). Microsoft has been working extensively on the RDP protocol over the past year, with significant updates released with every Patch Tuesday. I’ve always had my doubts about RDP, although Microsoft offers some guidance and tools to protect your remote desktops. Given the recent supply chain problems, and the lack of fully integrated RDP alternatives, I think patching early is often our best option. Add these updates to your Windows “Patch Now” program.

Microsoft Office

Microsoft released four updates, all of which were rated as important. Affecting Access, Word, and Excel, these vulnerabilities require both local access to the target system and user interaction. Unfortunately, an Excel-related issue (CVE-2021-42292) has been reported as exploited (although registered by Microsoft as proof of concept). Although these Office-related security issues are not “wormable,” a publicly reported exploitation of a remote code execution vulnerability significantly increases the risk for enterprise customers. Please add these updates to your “Patch Now” release program.

Microsoft Exchange Server

Microsoft released three major updates (CVE-2021-1349, CVE-2021-42305, CVE-2021-42321) for Exchange Server this month. All three updates link to a single Knowledge Base (KB) article, KB5007049. These updates will require a server restart, and there is a clear chance that this could cause an installation failure or break the Exchange server (an “outage,” as in no remote login). There are a number of known issues with this update related to manual installations and UAC issues. Thoroughly test this update before any production deployment.

Microsoft development platforms

This month’s update is a bit more interesting than usual. We have two updates (both rated as important) to Visual Studio that could lead to elevation of privilege scenarios. And, unusually, Microsoft has added an open-source project vulnerability from August to this month’s November update. The critically rated issue in the OpenSSL cryptography framework (CVE-2021-3711) is consumed by Microsoft Visual Studio and was therefore considered a significant risk for Visual Studio users. This is a great call from Microsoft and it really shows their commitment to these kinds of open source projects. Add these updates to your regular developer deployment schedule.

Adobe (really only Reader)

This month, Adobe posted three lower-rated issues affecting its RoboHelp (APSB21-87), InCopy (APSB21-110) and Creative Cloud desktop (APSB21-111) applications. Although there are no updates for Adobe Reader, we recommend that you test your PDF printing due to changes in the Windows printing system. Also, you may need to verify that the automatic update feature is still working in Adobe Reader once this month’s update has been installed.

Copyright © 2021 IDG Communications, Inc.
