Microsoft patches Windows Zero-Day for May Patch Tuesday

Administrators who have a Windows zero-day and a public disclosure to deal with will have to tread carefully when applying the May Patch Tuesday security updates.

Microsoft has concentrated its fixes in several hotspots, which will require administrators to test systems thoroughly to avoid headaches from defective patches. Microsoft released 73 new CVEs for the May Patch Tuesday, six of them rated critical. The company reissued three CVEs to cover additional products and published one advisory, bringing the total to 77.

Windows Zero-day and public disclosure top the list for May Patch Tuesday

The zero-day is a Windows Local Security Authority (LSA) spoofing vulnerability (CVE-2022-26925) rated critical for affected Windows client and server systems. LSA handles the validation of user logins and enforces local security policies.

In addition to being actively exploited in the wild before the security update was available, this bug was publicly disclosed. The base CVSS score is 8.1, but Microsoft said it could rise to 9.8 if an attacker chained the vulnerability with an NTLM relay attack, a form of man-in-the-middle attack, against Active Directory Certificate Services.


“The exploit is complex to implement. The attacker must be in the environment and needs to intervene in this chain of communications,” said Chris Goettl, Vice President of Product Management at Ivanti, an IT asset and endpoint management company. “But if they do, that’s a very dangerous ability to spoof security within the LSA chain of communications.”

Administrators should refer to the KB5005413 article Microsoft published in 2021 on mitigating the PetitPotam NTLM relay attack and implement its mitigations, such as Server Message Block (SMB) signing and enabling Extended Protection for Authentication on servers running Active Directory Certificate Services.
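An added audit script, not from the article, Ivanti or Microsoft, that checks on one AD CS server whether the KB5005413 mitigations named above are actually in effect. It assumes it is run elevated, that the WebAdministration module is present, and that the Web Enrollment pages sit under 'Default Web Site/CertSrv' (adjust $Site and $App otherwise).

```powershell
# Added example: audit the NTLM relay mitigations from KB5005413 on an AD CS host.
# Assumptions: elevated session, WebAdministration module available, Web Enrollment
# installed at 'Default Web Site/CertSrv'. Edit the two values below if yours differ.
$Site = 'Default Web Site'
$App  = 'CertSrv'
$findings = New-Object System.Collections.Generic.List[string]

# 1. SMB signing must be *required*, not merely enabled, to stop SMB-based relay.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings.Add('SMB server signing is not required (RequireSecuritySignature = False)')
}

# Helper: read one IIS attribute for the CertSrv app, tolerating both return shapes
# of Get-WebConfigurationProperty (a bare value or an object with a .Value member).
Import-Module WebAdministration -ErrorAction Stop
$Base = 'MACHINE/WEBROOT/APPHOST'
$Loc  = "$Site/$App"
function Get-IisAttr([string]$Filter, [string]$Name) {
    $a = Get-WebConfigurationProperty -PSPath $Base -Location $Loc -Filter $Filter -Name $Name
    if ($null -ne $a -and $a.PSObject.Properties['Value']) { return "$($a.Value)" }
    return "$a"
}

# 2. Extended Protection for Authentication on the CertSrv app must be 'Require'.
$epa = Get-IisAttr 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
if ($epa -ne 'Require') {
    $findings.Add("EPA tokenChecking on $Loc is '$epa', expected 'Require'")
}

# 3. EPA only protects TLS connections, so the same KB also requires SSL on the app.
$ssl = Get-IisAttr 'system.webServer/security/access' 'sslFlags'
if ($ssl -notmatch 'Ssl') {
    $findings.Add("sslFlags on $Loc is '$ssl'; 'Require SSL' is not set")
}

# 4. The KB's strongest option: deny all incoming NTLM on the CA
#    (policy 'Network security: Restrict NTLM: Incoming NTLM traffic', value 2 = Deny all).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if ($lsa.RestrictReceivingNTLMTraffic -ne 2) {
    $findings.Add('Incoming NTLM is not denied (RestrictReceivingNTLMTraffic is not 2); acceptable only if NTLM is still required')
}

if ($findings.Count -eq 0) { 'All checked KB5005413 mitigations are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Check 4 is a stricter setting than the article lists; treat that finding as informational where NTLM clients still depend on the CA.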

“Microsoft’s guidance on the specific update is to prioritize domain controllers to get the OS update quickly, because that’s where the focus on this particular exploit in the wild has occurred,” Goettl said.

Another publicly disclosed vulnerability is CVE-2022-22713, a Windows Hyper-V denial-of-service bug rated important that affects several versions of Windows 10 (20H2, 21H1 and 21H2) and Windows Server version 20H2 Server Core installations. Despite its relatively low CVSS score of 5.6, the CVE should be treated as risky because proof-of-concept code exists.

“Due to the fact that it has been publicly disclosed and there are code samples available, a lot of work has been done figuring out how to attack this vulnerability. Now all they need to do is weaponize it,” Goettl said.

Other notable security updates for May Patch Tuesday include:

  • A fix for an Exchange Server vulnerability: an elevation-of-privilege bug (CVE-2022-21978) rated important for supported Exchange products. The CVSS score is 8.1, and Microsoft provides detailed guidance on the steps administrators must take to fully harden systems against this vulnerability.
  • Patches for multiple vulnerabilities in three areas of the Windows operating system. There are four print spooler vulnerabilities (CVE-2022-29104, CVE-2022-29114, CVE-2022-29132 and CVE-2022-29140), 10 Windows LDAP remote code execution flaws (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139 and CVE-2022-291341) and eight Cluster Shared Volume flaws (CVE-2022-29134, CVE-2022-29135, CVE-2022-29138, CVE-2022-29120, CVE-2022-29122, CVE-2022-29123, CVE-2022-29150 and CVE-2022-29151). Goettl recommended that administrators spend additional time testing functionality related to the patched areas because of the large number of fixes.

Multiple Microsoft products reach the end of the road

Several Windows products received their final update on the May Patch Tuesday. Windows 10 Enterprise and Education 1909, Windows 10 Home and Pro 20H2, and Windows Server 20H2 Datacenter and Standard have all reached their end-of-servicing date. Microsoft will not release further security or quality updates for devices running these branches.

“If anyone has any systems left running with those systems, now it’s a responsibility. Now is the time to go and clean up those systems and move them to new branches,” Goettl said.

Microsoft plans to retire Internet Explorer 11 on Windows 10 on June 15 and recommends that customers who need legacy support use Internet Explorer mode in Microsoft Edge. Prompts in Windows will push users to Microsoft Edge, and Microsoft will eventually disable the browser via Windows Update.

“People need to deploy Edge, turn on compatibility mode, and make sure it works well with their apps,” Goettl said.

Microsoft is changing the cumulative update model for Exchange Server

Apart from the Patch Tuesday news, Microsoft recently revised its servicing model for two major server products.

Along with the news that Windows Server 2022 became generally available in September, the company said it would discontinue the Semi-Annual Channel, which delivered two feature releases per year, for the server operating system, leaving only the Long-Term Servicing Channel, which releases every two to three years.

On April 20, Microsoft said it would slow the cumulative update schedule for Exchange Server. The company had been shipping quarterly releases, which usually arrived in March, June, September and December, and said customers found releases arriving so frequently that it was difficult to keep up.

“We’re moving to a tempo of releasing two cumulative updates per year – released in the first and second half of each calendar year, with general target release dates in March and September. But our release dates are quality dependent, so we can release updates in April or October, or any other month, depending on what we offer,” the Exchange team wrote in a blog post.

Since Exchange 2013 and Exchange 2016 are out of mainstream support, only Exchange 2019 will receive the next cumulative update in the second half of this year. The company said previous Exchange products will continue to receive security updates “as needed” during extended support.

Microsoft’s lack of communication about the on-premises messaging platform continues to frustrate Exchange administrators. Until Microsoft published the cumulative update blog post, administrators had been waiting for the next cumulative update, which had been due in December.

Also, the next version of Exchange Server remains a mystery. In September 2020, Microsoft said that Exchange vNext would arrive in the second half of 2021, but the product remains in limbo along with Skype for Business Server and SharePoint Server.

“Will we see an on-premises Exchange Server, or will Microsoft pull a fast one and implement a hosted Exchange Server, like Azure Exchange?” Goettl said.
