Microsoft’s December Patch Tuesday update offers 59 fixes, including two zero-day fixes (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with a focus on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (local and remote).
Microsoft also released an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. (The Readiness team has provided a helpful infographic that outlines the risks associated with each of these updates.)
And Windows Hot-Patching for Azure Virtual Machines (VMs) is now available.
Known issues
Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that update cycle.
- ODBC: After installing the December Update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases may fail to connect. You may receive the following error messages: “EMS has encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
- RDP and Remote Access: After installing this update or later updates on Windows desktop systems, you might not be able to reconnect to (Microsoft) Direct Access after temporarily losing network connectivity or performing a transition between Wi-Fi networks or access points.
- Hyper-V: After installing this update on Hyper-V hosts managed by System Center Virtual Machine Manager (VMM) configured for SDN, you may receive an error on workflows involving the creation of a new network adapter (also called a network interface card or NIC) attached to a network of VMs or a new Virtual Machine (VM).
- Active Directory: Due to additional security requirements to address security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain network join requests. These additional checks can generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Account reuse has been blocked by security policy.”
In preparation for this month’s update for Windows 10 and 11 systems, we recommend that you run an assessment on all application packages and check for a dependency on the SQLSRV32.DLL system file. If you need to inspect a specific system, open a command prompt and run the command “tasklist /m sqlsrv32.dll”. This should list all the processes that depend on this file.
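The `tasklist /m` check above only reports processes that have the driver loaded at the moment you run it. The following PowerShell script, added here as an example and not part of the original article, does the same inventory from PowerShell and goes one step further by listing the system and user DSNs configured to use the legacy "SQL Server" driver, so you can find applications that will fail even if they are not running right now. It assumes an elevated 64-bit PowerShell session (module enumeration of other users' processes and of 32-bit processes can otherwise fail, which the script reports rather than ignores) and the in-box `Get-OdbcDsn` cmdlet (Windows 8/Server 2012 and later).

```powershell
# Added example (not from the article): find dependencies on the legacy ODBC
# SQL Server driver (sqlsrv32.dll) before deploying the December update.
# Assumptions: elevated 64-bit PowerShell; Get-OdbcDsn available.
$ModuleName = 'sqlsrv32.dll'

function Get-LegacyOdbcDependents {
    # Equivalent of "tasklist /m sqlsrv32.dll": every running process that has
    # the module mapped, with the path and version of the loaded copy.
    param([string]$Module = $ModuleName)
    $results = @()
    foreach ($proc in Get-Process) {
        try {
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $Module } | Select-Object -First 1
            if ($hit) {
                $results += [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    ModulePath  = $hit.FileName
                    FileVersion = $hit.FileVersionInfo.FileVersion
                }
            }
        } catch {
            # Access denied or 32/64-bit mismatch: surface the gap instead of
            # silently treating the process as clean.
            Write-Warning ("Could not enumerate modules of {0} (PID {1}): {2}" -f `
                $proc.ProcessName, $proc.Id, $_.Exception.Message)
        }
    }
    return $results
}

function Get-LegacyOdbcDsns {
    # DSNs whose driver is the legacy "SQL Server" driver (sqlsrv32.dll).
    # Covers both 32-bit and 64-bit platform registrations.
    Get-OdbcDsn -Platform All -DriverName 'SQL Server' -ErrorAction SilentlyContinue |
        Select-Object Name, DsnType, Platform, DriverName
}

$dependents = Get-LegacyOdbcDependents
if ($dependents) {
    Write-Host "Running processes with $ModuleName loaded:"
    $dependents | Format-Table -AutoSize
} else {
    Write-Host "No running process currently has $ModuleName loaded."
}

$dsns = Get-LegacyOdbcDsns
if ($dsns) {
    Write-Host "DSNs configured for the legacy SQL Server driver:"
    $dsns | Format-Table -AutoSize
} else {
    Write-Host "No DSN uses the legacy SQL Server driver."
}
```

Any process or DSN that shows up here is a candidate for the "Unknown token received from SQL Server" failure and belongs in your pre-deployment test set; the durable fix is to move the application to a current driver (ODBC Driver for SQL Server) rather than to hold back the update.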
Major revisions
Microsoft has only released one revision this month, with no further revisions to previous patches or updates released.
- CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability: This revision addresses a known issue where Kerberos authentication may fail for user, computer, service, and gMSA accounts managed by Windows domain controllers. It was released as a rare out-of-band update and requires immediate attention if not already applied.
Mitigation and Workarounds
Although several documentation updates and FAQs have been added to this release, Microsoft has released a single mitigation:
- CVE-2022-37976: Active Directory Certificate Services Elevation of Privilege: A system is exposed to this vulnerability only if the Active Directory Certificate Services role and the Active Directory Domain Services role are installed on the same server in the network. Microsoft has released a set of registry keys (LegacyAuthenticationLevel) that can help reduce the attack surface of this problem. You can learn more about protecting your systems here.
Testing guidance
Every month, the Readiness team analyzes the latest updates and provides testing guidance. This advice is based on the assessment of a broad portfolio of applications and a detailed analysis of Microsoft patches and their potential impact on Windows platforms and application installations.
Given the large number of changes included in this cycle, I divided the test cases into high-risk and standard-risk groups.
High risk: This month, Microsoft did not register any high-risk feature changes. This means that it has not made major changes to the core APIs or functionality of any of the core components or applications included in the Windows desktop and server ecosystems.
More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components:
- Bluetooth: Microsoft has updated two sets of key API/header files for Bluetooth drivers, including the IOCTL_BTH_SDP_REMOVE_RECORD control code and the DeviceIoControl function. The key testing task here is to turn Bluetooth on and then off, ensuring that your data connections still work as expected.
- Git: VFS for Git (VFSForGit) has been updated with changes to file and registry mappings. You can read more about this key (internal) Windows developer tool here.
In addition to these changes and testing requirements, I’ve included some of the toughest test scenarios for this update:
- Windows Kernel: This month sees a large update to the Windows Kernel (Win32kfull.sys) that will affect the core desktop UI experience. Major features fixed include the Start menu, Settings applet, and File Explorer. Given the huge UI test surface, a larger test group may be needed for your initial deployment. If you still see your desktop or taskbar, consider that a positive sign.
Following last month’s Kerberos authentication update, several authentication-related issues were reported, particularly on remote desktop connections. Microsoft has detailed the following scenarios and related issues addressed this month:
- User login to the domain may fail. This can also affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSAs) used for services such as Internet Information Services (IIS Web Server) may not authenticate.
- Remote Desktop connections using domain users may fail.
- You may not be able to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication may fail.
All of these scenarios require significant testing before a general rollout of the December Update.
Unless otherwise stated, we must now assume that each Patch Tuesday update will require testing of basic printing functions, including:
- printing from directly connected printers.
- add a printer, then remove a printer (this is new for December).
- large print jobs from servers (especially if they are also domain controllers).
- remote printing (using RDP and VPN).
- test physical and virtual scenarios with 32-bit applications on 64-bit machines.
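The following PowerShell smoke test is an added example, not part of the original article, that exercises the first three items of the list above (direct printing, add-then-remove a printer, and a large job) so the checks can be repeated on each pilot machine rather than done by hand. It assumes an elevated session on Windows 10/11 with the in-box "Microsoft Print To PDF" driver present, that its queue uses the `PORTPROMPT:` port, and that `$TargetPrinter` names an existing printer you are willing to send test pages to; the printer name and job size are placeholders.

```powershell
# Added example (not from the article): post-patch printing smoke test.
# Assumptions: elevated PowerShell on Windows 10/11; "Microsoft Print To PDF"
# driver installed; $TargetPrinter is a real queue chosen by the operator.
$TargetPrinter = 'REPLACE-WITH-PRINTER-NAME'   # placeholder
$TestQueueName = 'PatchTuesday-Test'
$LargeJobLines = 5000                         # placeholder size for the large-job check

function Test-PrinterAddRemove {
    # December-specific check: add a printer, confirm it exists, remove it,
    # confirm it is gone. Uses the in-box PDF driver so no hardware is needed.
    Add-Printer -Name $TestQueueName -DriverName 'Microsoft Print To PDF' -PortName 'PORTPROMPT:'
    $added = [bool](Get-Printer -Name $TestQueueName -ErrorAction SilentlyContinue)
    Remove-Printer -Name $TestQueueName -ErrorAction SilentlyContinue
    $removed = -not (Get-Printer -Name $TestQueueName -ErrorAction SilentlyContinue)
    return [pscustomobject]@{ Added = $added; Removed = $removed }
}

function Test-PrintJob {
    # Send a job and watch the spooler: a job that sits in Error/Blocked state
    # is the usual symptom of a driver or authentication regression, and it
    # does not throw, so it has to be polled for.
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [int]$Lines = 1,
        [int]$TimeoutSeconds = 60
    )
    $stamp = Get-Date -Format o
    $body = 1..$Lines | ForEach-Object { "Patch test line $_ from $env:COMPUTERNAME at $stamp" }
    $body | Out-Printer -Name $PrinterName

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 2
        $jobs = Get-PrintJob -PrinterName $PrinterName -ErrorAction SilentlyContinue
        $failed = $jobs | Where-Object { "$($_.JobStatus)" -match 'Error|Blocked|Offline' }
        if ($failed) {
            return [pscustomobject]@{ Printer = $PrinterName; Lines = $Lines; Result = 'FAILED'; Status = "$($failed[0].JobStatus)" }
        }
    } while ($jobs -and (Get-Date) -lt $deadline)

    $result = if ($jobs) { 'TIMEOUT' } else { 'OK' }
    return [pscustomobject]@{ Printer = $PrinterName; Lines = $Lines; Result = $result; Status = '' }
}

# Run the three checks and print a one-table summary.
$summary = @()
$ar = Test-PrinterAddRemove
$summary += [pscustomobject]@{ Check = 'Add/remove printer'; Result = if ($ar.Added -and $ar.Removed) { 'OK' } else { 'FAILED' } }
$direct = Test-PrintJob -PrinterName $TargetPrinter -Lines 1
$summary += [pscustomobject]@{ Check = 'Direct print';       Result = $direct.Result }
$large  = Test-PrintJob -PrinterName $TargetPrinter -Lines $LargeJobLines
$summary += [pscustomobject]@{ Check = 'Large job';          Result = $large.Result }
$summary | Format-Table -AutoSize
```

Run it once over an RDP session and once over the VPN to cover the remote-printing item, and once from a 32-bit PowerShell (`%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`) on a 64-bit machine to cover the last item; a queue that passes locally but fails over RDP points at the Kerberos scenarios listed earlier rather than at the print driver.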
Windows Lifecycle Update
This section covers important changes to servicing (and most security updates for) Windows desktop and server platforms. As this is a year-end update, there are quite a few “End of Service” changes, including:
- Windows 10 (Enterprise, Home, Pro) 21H2 – December 12, 2022.
- Windows 8.1 – January 10, 2023.
- Windows 7 SP1 (ESU) – January 10, 2023.
- Windows Server 2008 SP2 (ESU) – January 10, 2023.
Each month, we break down the release cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired??? Maybe next year).
Browsers
Following a welcome trend of no critical updates for Microsoft’s browsers, this update offers only three (CVE-2022-44668, CVE-2022-44708, and CVE-2022-41115) all deemed important. These updates affect the Microsoft Chromium browser and should have marginal to low impact on your applications. Add these updates to your standard patch release schedule.
Windows
Microsoft released fixes for the Windows ecosystem this month that address three critical vulnerabilities (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), 24 rated important and two moderate. Unfortunately, this month we have two zero-days affecting Windows, with reports of CVE-2022-44698 exploited in the wild and CVE-2022-44710 publicly disclosed. We have developed specific testing recommendations, noting that there are reported issues with Kerberos, Hyper-V, and ODBC connections.
Add this update to your “Patch Now” release schedule.
Microsoft Office
Microsoft has patched two critical vulnerabilities in SharePoint Server (CVE-2022-44693 and CVE-2022-44690) which are relatively easy to exploit and do not require user interaction. The two remaining vulnerabilities affect Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are discrete, low-impact changes. Unless you host your own SharePoint servers (oh, why?), add these Microsoft updates to your standard release schedule.
Microsoft Exchange Server
Microsoft has not released any updates, fixes, or security mitigations for Microsoft Exchange Server. Phew!
Microsoft development platforms
Microsoft fixed two critical vulnerabilities in Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Although both security issues are rated critical, they require local administrator access and are considered both difficult and complex to exploit. Mark Russinovich’s Sysmon also needs an update with the CVE-2022-44704 elevation of privilege vulnerability and all supported versions of Visual Studio will be patched. Add these updates to your standard developer release schedule.
Adobe Reader (still around, but not this month)
Adobe has released three Category 3 updates (equivalent to Microsoft’s Important Notice) for Illustrator, Experience Manager, and Campaign (Classic). No Adobe Reader updates this month.
Copyright © 2022 IDG Communications, Inc.