Microsoft offers a robust, low-impact patch Tuesday

March brings us a solid set of updates from Microsoft for Windows, Microsoft Office, Exchange, and Edge (Chromium), but no critical issues that require a “Patch Now” release schedule (although Microsoft Exchange will require some technical work this month). We’ve published some testing guidelines, with a focus on printing, remote desktop over VPN connections, and server-based network changes. We also recommend testing your Windows installation packages with a specific focus on rollback and uninstall functionality.

You can learn more about the risk of deploying these Patch Tuesday updates with this helpful infographic. And, if you’re looking for more information on .NET updates, there’s a great post from Microsoft highlighting this month’s changes.

Key test scenarios

At least one high-risk change to the Windows platform has been reported for March. We’ve included the following rough testing guidelines based on our analysis of the files and changed content of this month’s Windows and Office updates:

  • (High risk): test your network printers via Remote Desktop Protocol (RDP). Microsoft hasn’t released any functional changes for this month’s update as the changes are due to security concerns.
  • V4 printer driver, print using remote and network-based redirected printers.
  • Test backup and restore processes when using encrypted file systems (EFS extension).
  • Verify that your VPNs correctly authenticate using the Point-to-Point tunneling protocol (PPTP extension).
  • Test your Windows error reporting processes with Create/Read/Update/Delete (CRUD) for all log files.
  • Locate application references a NtAlpcCreatePort on your Windows servers and validate the results of your application.

If you have the time, it might be worth testing the UNC paths to DOS boxes (due to several network and auth stack changes). There was also an update to the FastFAT system drivers and such as end-user-defined fonts (EUDC) are managed. Microsoft has now included deployment and restart requirements for this March 2022 update on one page.

Known Issues

Each month, Microsoft includes a list of known issues related to the operating system and platforms included in this cycle. There’s more than usual this time around, so I’ve referenced a few key issues with Microsoft’s latest builds, including:

  • After installing this update, when connecting to devices in an untrusted domain via Remote Desktop, connections may fail to authenticate when using smart card authentication. You may get the message “Your credentials didn’t work”. Like last month, Microsoft has released a number of GPO files that address this issue, including: Windows Server 2022 and Windows 10.
  • After installing updates released on January 11 or later, applications that use the Microsoft .NET Framework to acquire or set cross-forest Active Directory trust information using the System.DirectoryServer The API may fail or generate an error message.

There is a pending issue from the January update cycle where the DWM.EXE executable crashes after installation KB5010386. This problem has been solved. If you’re looking for more data on these types of reported issues, a great resource from Microsoft is the Health center in particular, you can find out Windows 10 and Windows 11 known issues and their current status.

Major revisions

While there is a much smaller patch list for this patch cycle, Microsoft has released several revisions to previous patches, including:

  • CVE-2021-3711: This is a Visual Studio update from November 2021. A new version has been updated to include support for newer versions of Visual Studio 2022. No further action is required.
  • CVE-2021-36927: This updated patch addresses a TV tuner codec issue in 2021. Microsoft has helpfully released an updated set of documentation for this, noting that the fix is ​​now official and fully addresses the reported issue. No further action is required.

Mitigations and workarounds

This month, Microsoft has not released any mitigations or workarounds for Windows, Microsoft Office, browser, or development platform updates and patches. There is an ongoing list of mitigations and updates for known issues for Microsoft Exchange (they are included in our Exchange section).

Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft Development Platforms ( ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired???, maybe next year).

Browsers

Following a trend set by Microsoft over the past few months, only the Chromium Edge browser has been updated. With no critical updates and 21 reported vulnerabilities classified as important by Microsoft, this is another simple update cycle. In addition to fixing potential issues with the Brotli compression engine, you should be able to roll out browser updates according to your regular release schedule.

windows

Following the trend of fewer updates (in number and in nature) this month, Microsoft has released only two critical updates (CVE-2022-22006 and CVE-2022-24501). Neither update is likely to affect major platforms since each patch is a single video codec and component of the Microsoft Store. The remaining 40 patches are all classified as important by Microsoft and update the following core components of Windows:

  • remote desktop client (RDP);
  • Windows error log (has been updated every month this year);
  • Networks (SMB and PTPTP);
  • Windows Update and Windows Installer.

You might want to add a Windows Installer test to your testing regimen this month. Add these Windows Updates to your standard release schedule.

Microsoft Office

If you’ve been looking for a “low-risk” patch profile for Microsoft Office, this month’s updates are a great candidate. Microsoft has released six patches for Office, all rated as important. Above all, they affect Skype (which is not that important) or the “Click to run” Installation (CTR) of Office. The CTR version is the standalone, virtualized version of the Office installation that is pushed to the target system. By design, these installations have little or no effect on the operating system and due to the nature Of the changes we’ve made this month, your deployment risk is minimal.Add these Office updates to your standard deployment schedule.

Microsoft Exchange Server

Finally, a critical vulnerability from Microsoft. Do not wait! Damn, it’s for Exchange. Microsoft Exchange is in the bad books this month with one of the few vulnerabilities classified as critical (CVE-2022-23277). Of the two Exchange-related patches for March, the other (CVE-2022-24463) is considered important and could lead to a potential credential spoofing scenario. The critical issue is classified as highly likely to be exploited, but requires the attacker to be authenticated. This is not a “capable of worms“, then we recommend that you add Microsoft Exchange updates to your standard server deployment. This update will require a restart of your servers. There have been several issues posted with recent Microsoft Exchange updates, so we’ve included a list of known issues during updating Exchange servers, including:

  1. When you try to manually install this security update by double-clicking the update file (.MSP) to run it in normal mode (ie not as an administrator), some files are not updated correctly.
  2. Exchange services may remain disabled after installing this security update. To resolve this issue, start the update process as an administrator.
  3. When you block third-party cookies in a web browser, you may be continually prompted to trust a particular add-on, even if you continue to select the option to trust it.
  4. When you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails with a “(400) Bad Request” error message.

Microsoft has posted a workaround for the “400 bad request” error..

Microsoft development platforms

Microsoft has released just four updates to its development platforms for March, all of which are considered important. Two patches are for the .NET platform (CVE-2022-24512 and CVE-2022-24464), which require user interaction to deliver their payload, which in the worst case results in an elevation of privilege attack. The Microsoft patch that might be giving you a headache was rolled out by Google in 2020 (so it’s the CVE identifier of CVE-2020-8927). This Patch Tuesday updates to Brotli it can affect how your web pages are compressed (note I didn’t say “zipped”). Before deploying this update, take a quick look at your internal web pages and browser-based applications using Brotli for the adverse decompression effects of CSS and JavaScript (hint, hint). Otherwise, add these updates to your standard patch schedule.

Adobe (actually just Reader)

Just like last month, Adobe hasn’t released any updates or patches for its Adobe Reader product lines. This is good news and hopefully part of a larger trend. I hope Adobe Reader updates follow the same patch as Microsoft’s browser patches (lower and lower number of critical updates) and thus, as with the Microsoft Chromium browser, we only see a few security issues considered important by both the community and Microsoft . Adobe has released some patches to its Photoshop, After effects and Illustrator products. However, these are product-focused updates and should not impact your overall desktop/server patch deployment schedules.

Copyright © 2022 IDG Communications, Inc.