Microsoft offers a solid, low-impact Patch Tuesday

March brings us a solid set of updates from Microsoft for Windows, Microsoft Office, Exchange, and Edge (Chromium), but no critical issues requiring a “Patch Now” release schedule (although Microsoft Exchange will require some technical effort this month). We have published testing guidelines, focusing on printing, remote desktop over VPN connections, and server-based network changes. We also recommend that you test your Windows installer packages with an emphasis on restore and uninstall functionality.

You can find more information on the risk of rolling out these Patch Tuesday updates with this helpful infographic. And, if you’re looking for more information on .NET updates, there’s a great article from Microsoft which highlights this month’s changes.

Main test scenarios

At least one high-risk change to the Windows platform was reported in March. We’ve included the following rough testing guidelines based on our analysis of changed files and content from this month’s Windows and Office updates:

  • (High risk): test your networked printers via RDP (Remote Desktop Protocol). Microsoft hasn’t released any functional changes for this month’s update, as the changes are due to security concerns.
  • Test V4 printer drivers, remote printing and network-based redirected printer(s).
  • Test your backup and restore processes when using Encrypted File Systems (EFS).
  • Verify that your VPNs authenticate correctly over the Point-to-Point Tunneling Protocol (PPTP).
  • Test your Windows error reporting processes with Create/Read/Update/Delete (CRUD) for all log files.
  • Locate application references to NtAlpcCreatePort on your Windows servers and validate the results of your application.

If you have time, it might be worth testing UNC paths to DOS boxes (due to several network and authentication stack changes). There was also an update to the FastFAT system driver and to how End-User-Defined Characters (EUDC) are handled. Microsoft has now included the deployment and restart requirements for this March 2022 Update on one page.

Known issues

Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that cycle. There are more than usual this time around, so I’ve referenced a few key issues with Microsoft’s latest releases, including:

  • After installing this update, when connecting to devices in an untrusted domain using Remote Desktop, connections may fail to authenticate when using smart card authentication. You might get the prompt “Your credentials didn’t work”. As of last month, Microsoft released a number of GPO files that address this issue, including: Windows Server 2022 and Windows 10.
  • After installing updates released on January 11 or later, applications that use the Microsoft .NET Framework to acquire or set Active Directory forest trust information using the System.DirectoryServices API may fail or generate an error message.

There was an outstanding issue from the January update cycle where the DWM.EXE executable crashes after installing KB5010386. This issue is now resolved. If you’re looking for more data on these types of reported issues, a great resource from Microsoft is the Health Center. Specifically, you can look up Windows 10 and Windows 11 known issues and their current status.

Major revisions

Although there is a much smaller list of patches for this patch cycle, Microsoft has released several revisions to previous patches, including:

  • CVE-2021-3711: This is a Visual Studio November 2021 update. A new release has been updated to include support for the latest versions of Visual Studio 2022. No further action is required.
  • CVE-2021-36927: This updated patch resolves a 2021 TV Tuner codec issue. Microsoft has helpfully released an updated set of documentation for this, noting that the patch is now official and fully resolves the reported issue. No further action required.

Mitigation and Workarounds

This month, Microsoft did not release any mitigations or workarounds for Windows, Microsoft Office, browser, or developer platform updates and fixes. There is an ongoing list of mitigations and updates related to known issues for Microsoft Exchange (these are included in our Exchange section).

Each month, we break down the release cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired???, maybe next year).

Browsers

Following a trend set by Microsoft over the past few months, only the Chromium Edge browser has been updated. With no critical updates and 21 reported vulnerabilities deemed important by Microsoft, this is another easy update cycle. Apart from checking for potential issues with the Brotli compression engine, you should be able to roll out browser updates on your normal release schedule.

Windows

Following the trend of fewer updates (in number and kind) this month, Microsoft released only two critical updates (CVE-2022-22006 and CVE-2022-24501). Neither update is likely to affect major platforms, as each fixes a unique video codec and Microsoft Store component. The remaining 40 patches are all considered important by Microsoft and update the following core Windows components:

  • Remote Desktop Client (RDP);
  • Windows Error Log (it has been updated every month this year);
  • Networking (SMB and PPTP);
  • Windows Update and Windows Installer.

You might want to add Windows Installer testing to your testing regimen this month. Add these Windows Updates to your standard release schedule.

Microsoft Office

If you’ve ever looked for a “low risk” patch profile for Microsoft Office, this month’s updates are a great candidate. Microsoft has released six patches for Office, all considered important. More importantly, they affect either Skype (which isn’t that important) or the “Click to run” (CTR) version of Office. The CTR version is the virtualized, stand-alone version of the Office installation that is pushed to the target system. By design, these installations have little or no effect on the operating system and, given the nature of the changes made this month, there is very little deployment risk. Add these Office updates to your standard deployment schedule.

Microsoft Exchange Server

Finally, a critical Microsoft vulnerability. No wait! Heck, it’s for Exchange. Microsoft Exchange is in the bad books this month with one of the few critical vulnerabilities (CVE-2022-23277). Of the two Exchange-related fixes for March, the other (CVE-2022-24463) is considered important and could lead to a potential credential theft scenario. The critical issue is considered highly exploitable, but requires the attacker to be authenticated. This is not a “wormable” vulnerability, so we recommend that you add the Microsoft Exchange updates to your standard server deployment. This update will require a restart of your servers. There have been several published issues with recent Microsoft Exchange updates, and so we’ve included a list of known issues when updating your Exchange servers, including:

  1. When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (i.e. not as administrator), some files are not updated correctly.
  2. Exchange services may remain in a disabled state after installing this security update. To resolve this issue, start the update process as an administrator.
  3. When you block third-party cookies in a web browser, you may be continually prompted to trust a particular add-in, even if you continue to select the option to trust it.
  4. When you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails with a “(400) Bad Request” error message.

Microsoft has released a workaround for the “400 Bad Request” error.

Microsoft development platforms

Microsoft released only four updates to its developer platforms for March, all of which were deemed significant. Two fixes are for the .NET platform (CVE-2022-24512 and CVE-2022-24464), both of which require user interaction to deliver their payload, leading to an escalation attack at worst. The Microsoft patch that may give you a headache was raised by Google in 2020 (hence the CVE ID of CVE-2020-8927). This Patch Tuesday update for Brotli can affect how your web pages are compressed (note that I didn’t say “zipped”). Before deploying this update, quickly examine your internal web pages and browser-based applications using Brotli for adverse effects on CSS and JavaScript decompression (hint, hint). Otherwise, add these updates to your standard patch schedule.
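
One way to run the Brotli check suggested above, as an added Node.js example (not code from the original article or from Microsoft): it decodes the `br` copy of each asset and compares it with the uncompressed copy. The asset names and CSS/JS bodies are constructed samples; in practice the two buffers would come from requesting each internal URL once with `Accept-Encoding: identity` and once with `Accept-Encoding: br`.

```javascript
// Added example: verify that the Brotli-encoded copy of an asset decodes to
// exactly the same bytes as the identity (uncompressed) copy.
const zlib = require('node:zlib');
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// identityBody: bytes returned for "Accept-Encoding: identity"
// brBody:       bytes returned for "Accept-Encoding: br" (Content-Encoding: br)
function checkBrotliAsset(name, identityBody, brBody) {
  let decoded;
  try {
    decoded = zlib.brotliDecompressSync(brBody);
  } catch (err) {
    // Truncated or corrupt streams surface here instead of as broken pages.
    return { name, ok: false, reason: `decode failed: ${err.code || err.message}` };
  }
  if (decoded.length !== identityBody.length) {
    return { name, ok: false, reason: `length ${decoded.length} != ${identityBody.length}` };
  }
  if (sha256(decoded) !== sha256(identityBody)) {
    return { name, ok: false, reason: 'content hash mismatch' };
  }
  return { name, ok: true, reason: 'match' };
}

// Constructed sample assets standing in for captured HTTP response bodies.
function sampleAssets() {
  const css = Buffer.from('body{margin:0}\n.nav a:hover{color:#036}\n'.repeat(40));
  const js = Buffer.from('function init(){document.title="intranet";}\ninit();\n'.repeat(40));
  const jsBr = zlib.brotliCompressSync(js);
  const staleCss = Buffer.from(css.toString().replace(/#036/g, '#037'));
  return [
    { name: 'site.css', identity: css, br: zlib.brotliCompressSync(css) },
    { name: 'app.js', identity: js, br: jsBr },
    // Failure case 1: stream cut short (e.g. by a proxy or a bad cache entry).
    { name: 'app.js (truncated)', identity: js, br: jsBr.subarray(0, Math.floor(jsBr.length / 2)) },
    // Failure case 2: br copy decodes cleanly but is a stale version of the file.
    { name: 'site.css (stale)', identity: css, br: zlib.brotliCompressSync(staleCss) },
  ];
}

function runChecks(assets) {
  return assets.map((a) => checkBrotliAsset(a.name, a.identity, a.br));
}

for (const r of runChecks(sampleAssets())) {
  console.log(`${r.ok ? 'PASS' : 'FAIL'}  ${r.name}: ${r.reason}`);
}
```

Run the same comparison before and after the update is applied to a test machine, so any difference can be attributed to the patch rather than to the content.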

Adobe (really just Reader)

Just like last month, Adobe has not released any updates or patches for Adobe Reader product lines. This is good news and hopefully part of a larger trend. Hopefully Adobe Reader updates will follow the same path as Microsoft’s browser patches (an ever-decreasing number of critical updates) and then, as with the Microsoft Chromium browser, we’ll only see a few security issues deemed important by both the community and Microsoft. Adobe has released some fixes for its Photoshop, After Effects and Illustrator products. However, these updates are product-focused and should not affect your overall desktop/server patch deployment schedules.

Copyright © 2022 IDG Communications, Inc.
