June 18 update below. This article was originally published on June 15
Microsoft has confirmed that the June 14 Patch Tuesday security update won’t be the last we see. Why some of the media covering the last second Tuesday of the security patch distribution month jumped on the end of an era, the last Patch Tuesday bandwagon, is frankly beyond me. Yes, I understand the news reports were referring to the Windows Autopatch announcement earlier this year. This April reveal explained how Windows Autopatch would turn Patch Tuesday into just another Tuesday for (some) admins by largely automating the security patching process. I guess that’s where the confusion comes from, but, even so, it’s a baffling case of grabbing the wrong end of a nice straight stick.
You see, what Microsoft certainly hasn’t announced is a security update automation and management service for every Windows admin or user. In fact, I thought it was clear that Windows Autopatch, which was due to roll out in July, was only for Windows Enterprise users.
Specifically, customers with a Windows 10/11 Enterprise E3 (and later) license using the Azure commercial cloud, excluding government cloud customers. The Microsoft Windows Autofix FAQ, updated June 8, also states that Education (A3) and Frontline Worker (F3) licenses are not supported. This not only excludes some businesses and most small businesses, but also the huge consumer market.
The real clincher, for anyone who wants to dig deeper into this question, is the existence of a section of the official FAQ titled, “Does Windows Autopatch affect Patch Tuesday?”
Here, Microsoft states: “Monthly security and quality updates for supported versions of Windows and Windows Server operating systems will continue to be delivered on the second Tuesday of the month (commonly known as Patch Tuesday or Update Tuesday) as they were for Date.” I don’t know how clearer the company could have been, to be honest.
All of this means that there is nothing to see here. With the exception of further Windows security patch distributions on the second Tuesday of the month for the foreseeable future.
In other news, there’s a new addition to the list of issues Microsoft has confirmed following the June 14 Windows Updates. This one, however, only affects Windows 10 (20H2, 21H1, 21H2) and Windows 11 (21H2) users, with Windows Server users unaffected. The issue, a failed login using Azure Active Directory, only affects the above users with Windows devices that use Arm processors. “Some scenarios that could be affected,” Microsoft confirms, “are VPN connections, Microsoft Teams, Microsoft OneDrive and Microsoft Outlook.” While an update to address this issue is being investigated, it is possible to mitigate the issue by using the web-based versions of the affected apps.
It has to be said that it hasn’t been the most problem-free of Patch Tuesdays. You can read other issues, confirmed by Microsoft, below.
June 17 update below. This article was originally published on June 15
Microsoft has confirmed three issues some users are experiencing after installing the June 14 Windows Update. While a “sooner rather than later” approach to patching security vulnerabilities is still prudent advice, it’s the regularity of post-patch issues that makes this less straightforward in a business environment, as already discussed later in this article. . Two of the three issues that were identified so quickly, and confirmed by Microsoft, are likely to primarily affect business users. One, involving Internet connectivity from Wi-Fi hotspots, could also be problematic for consumers.
The first issue concerns the potential failure of operations involving the creation or deletion of copies on an application server that is running Volume Shadow Storage (VSS)-compliant server applications storing data on remote file shares SMB 3.0 or version later. Microsoft confirms that “after installing Windows Update June 14, 2022 or later, backup applications may receive the E_ACCESSDENIED error when performing operations related to creating shadow copies. “This appears to be related to security enforcement in the Remote VSS Patch for File Sharing Agent Service (RVSS) for CVE-2022-30154. The fix for this post-patch issue is to install again on application server and server file and affects Windows Server 2012, 2016, 2019, 2022 and Windows 10 20H2.
The other two issues are still under investigation by Microsoft and an update will be provided in an “upcoming release”. One involves Windows devices using the Wi-Fi hotspot feature with the host losing internet connectivity. Other operations on Cluster Shared Volume files or folders fail with a STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5) error.
In addition to fixing the previously attacked Follina zero-day exploit, Microsoft has just confirmed three critical vulnerabilities affecting millions of Windows and Windows Server users.
In the collection of 55 new Microsoft security updates, yes it’s Patch Tuesday again, there are three that are considered critical. The good news is that none of these vulnerabilities, in fact none of the 55 listed vulnerabilities, are currently being exploited in the wild. I can say that despite the distribution of the CVE-2022-30190 Follina patch because, strangely, Microsoft did not list it among the vulnerabilities fixed.
The three critical security flaws are:
CVE-2022-30136 affects Windows Server (2012, 2016, 2019) users and is a Remote Code Execution (RCE) threat that could be exploited on the network using a malicious call to a network file system (NFS) service. According to Mike Walters, cybersecurity manager and co-founder of Action1, it is believed that “an exploit for this vulnerability has been developed, although this information has not been confirmed”. It also warns that “this June patch should only be applied after the May patch has been installed,” referring to last month’s CVE-2022-26937 patch.
CVE-2022-30139 affects Windows (10 and 11) and Windows Server (2016, 2019, 20H2, 2022) users and is another RCE, but this time impacts Windows Lightweight Directory Access Protocol (LDAP) where default policy values have been changed. According to Vulnerability Database, although all the technical details are still unknown, “a simple authentication is required for exploitation”. While confirming that no public exploit is available, the site suggests that an exploit could be worth between $5,000 and $25,000.
CVE-2022-30163 affects Windows (7, 8.1, 10, and 11) and Windows Server (2008, 2012, 2016, 2019, 20H2, and 2022) users and is another arbitrary remote code execution vulnerability. This time it targets Windows Hyper-V host by using malicious application on Hyper-V guest. According to the Trend Micro Zero Day Initiative, “Microsoft notes that attack complexity is high because an attacker is expected to win a race condition. However, we have seen many demonstrated reliable exploits that involve race conditions, so take action appropriate to test and deploy this update.”
Do you need to update your Windows or Windows Server platform immediately?
Obviously, as always, the point to remember is to update as soon as possible in order to consolidate these security flaws. Well, for consumers at least. The situation becomes more complex for organizations. “Companies are generally slow to patch, but I bet vulnerabilities are still the most common reason organizations are compromised,” says Mark Lamb, CEO of HighGround.io. “Security standards, including the UK’s Cyber Essentials presentation standard, encourage the deployment of patches within 14 days of release for operating systems and applications, but it is not uncommon for organizations take months to deploy their patches.” Lamb recommends, where possible, that organizations be “diligent in approving and deploying patches on a weekly basis because,” he says, “you don’t know what the next vulnerability will be and if it will could have been mitigated with consistent patching and diligent patching.”