This week’s Patch Tuesday was an unusual update from Microsoft and we have added Windows, the Microsoft development platform and Adobe Reader to our “Patch Now” program.
These updates are driven by the zero-day patch (CVE-2021-40444) for the core library of the Microsoft MSHTML browser engine. As well as addressing a serious remote code execution flaw, this update may cause unexpected behavior in legacy applications that depend on or embed this browser component. Be sure to evaluate your portfolio for key applications with these dependencies and run a full functionality test before deployment. (We have identified a few key mitigation strategies for managing ActiveX controls and protecting your systems during the testing and deployment phases.)
You can also find more information about the risks of deploying these Patch Tuesday fixes in this infographic.
Key test cases
No high-risk changes were reported on the Windows platform this month. However, there is one reported functional change and one new piece of functionality:
- As always, verify that printing works as expected with physical and virtual printers. Check that there are no problems with the printer drivers and verify that the printer driver software still uses 32-bit code for application management.
- Verify that Event Tracing for Windows (ETW) is working as expected and that the logs are displayed in Event Viewer.
- Confirm that connections using the Remote Desktop Gateway and Virtual Private Networks (VPNs) are working as expected.
- Test SCRRUN objects such as Scripting.FileSystemObject, TextStream and Scripting.Dictionary. See this Microsoft document and the Dictionary object page on Microsoft Docs for more information.
- Confirm that users with permissions can access files on SMB shares. Verify file access using Create / Copy / Delete / Read / Write / Rename / Close functions as expected.
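A post-patch smoke test that exercises several of the test cases above (SCRRUN COM objects, SMB file operations, the event log and gateway reachability) can be scripted so that it is run the same way on every pilot machine. The script below is an added example, not code from the original column; the share path and gateway host name are constructed placeholders that you must replace with your own.

```powershell
# Added example (not from the original column): post-patch smoke test for
# SCRRUN, SMB, ETW/Event Log and RD Gateway reachability. Assumptions: run on
# a patched Windows client as a user with rights to $SharePath; the UNC path
# and gateway host below are placeholders.
param(
    [string]$SharePath = '\\FILESERVER\PatchTest',           # placeholder
    [string]$GatewayHost = 'rdgateway.example.internal'      # placeholder
)

$script:results = @()
function Add-Result([string]$Name, [scriptblock]$Check) {
    try {
        $ok = & $Check
        $script:results += [pscustomobject]@{ Test = $Name; Passed = [bool]$ok; Error = $null }
    } catch {
        $script:results += [pscustomobject]@{ Test = $Name; Passed = $false; Error = $_.Exception.Message }
    }
}

# 1. SCRRUN: Scripting.Dictionary and Scripting.FileSystemObject / TextStream via COM
Add-Result 'SCRRUN Scripting.Dictionary' {
    $d = New-Object -ComObject Scripting.Dictionary
    $d.Add('kb', 'September')
    $d.Exists('kb') -and $d.Item('kb') -eq 'September'
}
Add-Result 'SCRRUN FileSystemObject/TextStream' {
    $fso = New-Object -ComObject Scripting.FileSystemObject
    $tmp = Join-Path $env:TEMP ('scrrun-{0}.txt' -f [guid]::NewGuid())
    $ts = $fso.CreateTextFile($tmp, $true)      # returns a TextStream
    $ts.WriteLine('hello'); $ts.Close()
    $ts = $fso.OpenTextFile($tmp, 1)            # 1 = ForReading
    $line = $ts.ReadLine(); $ts.Close()
    $fso.DeleteFile($tmp)
    $line -eq 'hello'
}

# 2. SMB: Create / Write / Read / Copy / Rename / Delete on the share
Add-Result 'SMB file operations' {
    $f1 = Join-Path $SharePath ('smbtest-{0}.txt' -f [guid]::NewGuid())
    $f2 = "$f1.copy"; $f3 = "$f1.renamed"
    Set-Content -Path $f1 -Value 'patch test'                 # Create + Write
    $read = Get-Content -Path $f1                              # Read
    Copy-Item -Path $f1 -Destination $f2                       # Copy
    Rename-Item -Path $f2 -NewName (Split-Path $f3 -Leaf)      # Rename
    Remove-Item -Path $f1, $f3                                 # Delete (Close is implicit)
    ($read -eq 'patch test') -and -not (Test-Path $f1) -and -not (Test-Path $f3)
}

# 3. ETW / Event Log: the service is running and the System log still yields events
Add-Result 'ETW / Event Log' {
    (Get-Service -Name EventLog).Status -eq 'Running' -and
    $null -ne (Get-WinEvent -LogName System -MaxEvents 1 -ErrorAction Stop)
}

# 4. RD Gateway: TCP 443 reachable from this client (VPN up or down, as appropriate)
Add-Result 'RD Gateway reachable' {
    (Test-NetConnection -ComputerName $GatewayHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
}

$script:results | Format-Table -AutoSize
if ($script:results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it once before the update is installed to capture a baseline, then again afterwards; a check that passed before and fails after is the regression you are looking for, and a non-zero exit code lets the script gate an automated pilot ring.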
Testing your legacy apps and printing will be a key task when managing the September update (and for the foreseeable future). In particular, look for printer driver software that still uses 32-bit code for application management, to avoid “thunking”. This area of concern relates to how calls and memory are marshalled between 32-bit and 64-bit code. If you are looking for a scenario where everything breaks down at unpredictable times and affects core systems, try to find an outdated printer driver paired with old printer management software.
In fact, the results are more likely to find you.
Although we often focus on printing and legacy applications, remote working has seen a huge increase during the pandemic. We offer the following VPN-specific testing recommendations this month:
- Verify that Windows updates install reliably over VPN and non-VPN connections and that updates install correctly.
- Check that your antivirus is working as expected on your VPN connection.
- Make sure you can acquire a DHCP address and network connectivity through wired and wireless network connections with and without 802.1x.
Each month, Microsoft includes a list of known issues with the operating system and platforms covered in the latest update cycle. I have referenced a few key issues related to the latest versions of Windows, including:
- This month, all Windows 10 updates include a fix for an issue that causes PowerShell to create an infinite number of child directories. The problem occurs when you use the PowerShell Move-Item command to move a directory into one of its own children. As a result, the volume fills up and the system stops responding.
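Until the fix is deployed everywhere, scripts that move directories can guard against the triggering condition themselves. The wrapper below is an added example, not code from the original column: it normalises both paths and refuses the move when the destination lies inside the source subtree, then demonstrates the guard in a scratch folder under %TEMP% (constructed paths, safe to run).

```powershell
# Added example (not from the original column): refuse a directory move whose
# destination is inside the source, the condition behind the runaway
# child-directory bug. Assumptions: any Windows host; demo paths are constructed.
function Test-PathInsideSource {
    param([string]$Source, [string]$Destination)
    # Normalise to absolute paths with a single trailing backslash so that
    # 'C:\a\b' is recognised as inside 'C:\a' but 'C:\ab' is not.
    $src = [System.IO.Path]::GetFullPath($Source).TrimEnd('\') + '\'
    $dst = [System.IO.Path]::GetFullPath($Destination).TrimEnd('\') + '\'
    return $dst.StartsWith($src, [System.StringComparison]::OrdinalIgnoreCase)
}

function Move-DirectorySafe {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Destination)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Source directory not found: $Path"
    }
    if (Test-PathInsideSource -Source $Path -Destination $Destination) {
        throw "Refusing to move '$Path' into its own subtree '$Destination'"
    }
    Move-Item -LiteralPath $Path -Destination $Destination
}

# Demonstration in a throwaway folder (constructed).
$root = Join-Path $env:TEMP ('moveguard-{0}' -f [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $root 'parent\child') -Force | Out-Null
try {
    # The dangerous case: parent -> parent\child is rejected before Move-Item runs
    Move-DirectorySafe -Path (Join-Path $root 'parent') -Destination (Join-Path $root 'parent\child')
} catch { "Blocked: $($_.Exception.Message)" }
# The ordinary case still works
Move-DirectorySafe -Path (Join-Path $root 'parent') -Destination (Join-Path $root 'elsewhere')
Test-Path (Join-Path $root 'elsewhere\child')
Remove-Item -LiteralPath $root -Recurse -Force
```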
At the time of writing (for the July update cycle), there were four major revisions to previously released updates:
- CVE-2021-1678: Windows print spooler spoofing vulnerability.
- CVE-2021-36958: Windows print spooler remote code execution vulnerability.
- CVE-2021-40444: Microsoft MSHTML remote code execution vulnerability.
Mitigations and workarounds
This month, Microsoft released a workaround for the MSHTML issue. The company (not for the first time) recommends disabling ActiveX. We recommend that you disable ActiveX in general and use Group Policy to do so on your managed platforms. Here are some simple steps to make sure ActiveX is turned off:
- Select the zone (Internet zone, intranet zone, local machine zone, or trusted sites zone).
- Double-click Download signed ActiveX controls and enable the policy. Then set the option within the policy to Disable.
- Double-click Download unsigned ActiveX controls and enable the policy. Then set the option within the policy to Disable.
You can also set registry keys and specific component IDs for individual applications (e.g. Microsoft Word); find out more here. Microsoft also recommends that you open documents in “Protected View” and use the Office version of Application Guard. And if you’ve gone for a full Microsoft stack and deployed Defender, you can use attack surface reduction rules to reduce your exposure to this serious security problem.
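For machines that are not under Group Policy, the same two zone settings can be audited and enforced through the registry. The script below is an added example, not code from the original column or from Microsoft. The value names and data it uses (1001 for "Download signed ActiveX controls", 1004 for "Download unsigned ActiveX controls", data 3 for Disable, zones 0 to 3) are taken from my reading of Microsoft's published CVE-2021-40444 workaround, not from this page; confirm them against the advisory before deploying.

```powershell
# Added example (not from the original column): audit, and with -Enforce set,
# disable downloading of signed and unsigned ActiveX controls in each IE
# security zone via the registry. Assumption (from Microsoft's published
# workaround, verify against the advisory): 1001 = signed, 1004 = unsigned,
# 0 = Enable, 1 = Prompt, 3 = Disable. Run elevated.
param([switch]$Enforce)

$zoneBase  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$policies  = @{ '1001' = 'Download signed ActiveX controls'
                '1004' = 'Download unsigned ActiveX controls' }
$stateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Disable   = 3

foreach ($zone in 0..3) {
    $key = Join-Path $zoneBase $zone
    foreach ($value in $policies.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
        $state = if ($null -eq $current) { '(not set)' }
                 elseif ($stateName.ContainsKey([int]$current)) { $stateName[[int]$current] }
                 else { "unknown ($current)" }
        '{0,-14} {1,-36} {2}' -f $zoneNames[$zone], $policies[$value], $state

        if ($Enforce -and $current -ne $Disable) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $value -Value $Disable -Type DWord
            '  -> set to Disable'
        }
    }
}
```

Run without `-Enforce` first to record the current state for your change ticket. This only changes the local zone settings; where Group Policy manages the zone, the policy setting takes precedence, so use the Group Policy steps above for managed estates.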
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development Platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired? Not yet).
Microsoft released 26 updates for the Chromium-based Edge browser this month. In addition to these fixes, the Chromium project also released 11 security-related updates in September (Chrome Release Notes). While the browser wars are over and Microsoft now builds on open source, the one constant type of security issue is the “use after free” (dangling pointer) memory error. That class of memory-management mistake is still the most common, and this month’s update (see CVE-2021-30610) is a good example of the ongoing battle to stay ahead of the bad guys. The proposed changes to Edge will have minimal or no impact on enterprise systems this month. Add these updates to your standard desktop update schedule.
Microsoft has released 35 Windows platform updates, two of which are classified as critical (CVE-2021-36965 and CVE-2021-26435) for this cycle. While not the most significant update we’ve seen in some time, this release affects a number of key areas of the platform: networking, kernel drivers, Windows Installer, key graphics components (GDI) and some key diagnostic tools (Windows Error Reporting).
However, the real concern this month for test and deployment teams is what has been reissued: CVE-2021-40444. It was released earlier this month and has seen two updates since its initial release. The MSHTML issue is a real concern because it affects a basic browser component that is embedded in a number of applications. It’s as if Internet Explorer is part of your core business (yes, I know).
You really don’t want this component in your development portfolio, and you’ll need to find out quickly which apps depend on it. We did a quick scan of our common applications for use of the MSHTML library and found that between 5-10% of “legacy applications” (applications over five years old) depended directly on MSHTML. These applications will require extensive testing and are likely to be a concern for any business. Unfortunately, we need to add this month’s Windows updates to our “Patch Now” program.
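Finding which applications depend on MSHTML is mostly a string hunt through their binaries: native programs that load the engine reference `mshtml.dll`, and .NET programs reference the `Microsoft.mshtml` interop assembly or host the WebBrowser control. The inventory script below is an added example, not code from the original column; `$AppRoot` is a placeholder, and the marker strings are a heuristic I chose (an application that reaches MSHTML through a third-party wrapper will not show up, and "WebBrowser" can match unrelated strings), so treat the output as a candidate list for testing rather than proof.

```powershell
# Added example (not from the original column): heuristic inventory of EXE/DLL
# files under an application root that reference MSHTML. Assumptions: $AppRoot
# is a placeholder; markers are my heuristic choice; files are searched for
# both ASCII and UTF-16LE occurrences so native and .NET binaries are covered.
param([string]$AppRoot = 'C:\Program Files')   # placeholder, replace

$markers = @('mshtml.dll', 'Microsoft.mshtml', 'Shell.Explorer', 'WebBrowser')

# Decode bytes as Latin-1 (one char per byte) so string search works on raw binaries
$latin1  = [Text.Encoding]::GetEncoding(28591)
$needles = foreach ($m in $markers) {
    [pscustomobject]@{
        Marker = $m
        Ascii  = $m
        Utf16  = $latin1.GetString([Text.Encoding]::Unicode.GetBytes($m))
    }
}

$hits = Get-ChildItem -Path $AppRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object Length -lt 200MB |             # skip huge files; adjust to taste
    ForEach-Object {
        $text  = $latin1.GetString([IO.File]::ReadAllBytes($_.FullName))
        $found = foreach ($n in $needles) {
            if ($text.IndexOf($n.Ascii, [StringComparison]::OrdinalIgnoreCase) -ge 0 -or
                $text.IndexOf($n.Utf16, [StringComparison]::Ordinal) -ge 0) { $n.Marker }
        }
        if ($found) {
            [pscustomobject]@{
                Path     = $_.FullName
                Markers  = ($found -join ', ')
                Modified = $_.LastWriteTime
                # Age lets you apply the column's "over five years old" cut
                AgeYears = [math]::Round(((Get-Date) - $_.LastWriteTime).TotalDays / 365.25, 1)
            }
        }
    }

$hits | Sort-Object AgeYears -Descending | Format-Table -AutoSize
$hits | Export-Csv -Path (Join-Path $env:TEMP 'mshtml-dependencies.csv') -NoTypeInformation
```

Sort the CSV by `AgeYears` and start the functionality testing with the oldest binaries; those are the ones least likely to have been rebuilt against a supported rendering engine.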
Microsoft released 12 updates to its Office platform this month, all of which were deemed important. (That’s right: no critical updates for Office, Exchange, or SharePoint this fix cycle.) Word, Excel, Visio, and shared Microsoft Office libraries (for example, MSO, and shared code common to all Microsoft Office components) are affected this month. None of the reported security issues involve the “preview pane” or other highly exposed attack vectors.
Add these September Microsoft updates to your standard release schedule.
Microsoft Exchange Server
We are fortunate in September that we do not have to deploy urgent updates to Microsoft Exchange Server. That said, there are two updates to SharePoint Server (CVE-2021-38651, CVE-2021-38652) that will require your attention. Both require a server restart. So, even with a reduced level of urgency, we are restarting all of our Office servers this month.
No further action required for Exchange Server related updates.
Microsoft Development Platforms
Microsoft has released three updates to the Visual Studio platform (CVE-2021-36952, CVE-2021-26437, CVE-2021-26434), all considered important. Usually, we review these updates and advise adding them to a standard release schedule. But we think CVE-2021-36952 and CVE-2021-26434 require a quick response due to their potential for Remote Code Execution (RCE) and privilege escalation scenarios.
I like to say that RCE issues are today’s issues, while elevation of privilege (EoP) concerns are this afternoon’s. Add this Microsoft development platform update to your “Patch Now” calendar. And, yes, we haven’t made that recommendation for at least two years.
Adobe (really just Reader)
This section was previously configured to handle the many (and sometimes painful) updates to Adobe Flash over the years. With the recent (and hopefully final) update that includes killbits for Flash and Shockwave, we think we should remove this section. However, Adobe Reader is an essential component of most corporate desktops and will likely continue to be the default PDF reader for a few years to come.
So, rather than focusing on all Adobe products, we will address security issues with PDF (especially printing) and Adobe Reader. And as luck would have it, we have an abundance of Adobe updates for September (I’m keeping “cornucopia” for October), with a special focus on Acrobat.
Adobe released 26 updates, seven of which address memory issues that could lead to remote code execution (RCE) scenarios. These reported vulnerabilities pose serious problems, although all require user interaction, and there are no reports of public disclosure or exploitation. Add these Adobe Reader updates to your “Patch Now” update release cycle.
And yes, this is the first time that we have made this recommendation.
Copyright © 2021 IDG Communications, Inc.