Authored by: Chris Goettl, Vice President, Product Management for Security, Ivanti
May Patch Tuesday is upon us and there is a lot more than the monthly updates to be aware of. Windows 10 and Server editions have three end-of-life events this month, Internet Explorer 11 desktop application is only a month away from its end-of-life, Exchange Server 2019 shifts to two cumulative updates per year and the CVE count in the CISA Known Exploited Vulnerabilities Catalogue (that agencies should look to plug in their environments) has increased to 659 known exploited CVEs. While this month’s Patch Tuesday update lineup is pretty standard fare with only one known exploited and a couple publicly disclosed vulnerabilities, the additional activities may keep you busy.
Microsoft Patch Tuesday Update
Microsoft has released 18 updates resolving 73 new unique vulnerabilities and 3 re-issued vulnerabilities for May Patch Tuesday. Only 6 CVEs are rated as Critical and there is one CVE that is known to be exploited and has been publicly disclosed and one additional public disclosure this month. Updates this month affect the Windows Operating System, O365 applications, Exchange Server, .Net, Visual Studio, RDP, Hyper-V and more.
Microsoft resolved a Spoofing vulnerability in Windows LSA (CVE-2022-26925) that has been detected in exploits in the wild and has been publicly disclosed. The vulnerability by itself is only rated as Important by Microsoft, has a CVSS v3.1 score of 8.1 and the exploit code maturity is listed as unproven, but dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks and while code samples available publicly may be unproven, there are working exploits being used. Read further down in the FAQ on the CVE page and you will find more details that when combined with NTLM Relay Attacks on Active Directory Certificate Services (see ADV21003 and KB5005413 for details), the combined CVSS score increases to 9.8. Microsoft is urging customers to patch domain controllers sooner to reduce the increased risk in this vulnerability chain. The vulnerability affects all Windows OS versions.
Microsoft resolved a Denial of Service vulnerability in Hyper-V (CVE-2022-22713) that has been publicly disclosed. The vulnerability is rated as Important and has a CVSS v3.1 score of 5.6. The CVE has been publicly disclosed, meaning information has been made publicly available giving threat actors additional time and intel to be able to take advantage of the vulnerability. The Exploit Code Maturity is Proof-of-concept, meaning there are working code examples available giving threat actors much of what they will need to try and weaponise an exploit for real world use.
Caution Areas this Month
There are often recurring hot spots that need a little more attention during your test cycles. This month there is another round of Print Spooler vulnerabilities resolved. The original PrintNightmare update changed the way printer interactions occur on Windows systems. Since that update, there have been a heightened number of operational impacts to printer related functionality that have caused many companies some pain. February Patch Tuesday saw 5 Print Spooler related CVEs resolved and resulted in a resurgence of printer related issues. This month there are 4 additional Print Spooler vulnerabilities resolved. It is recommended to spend a little extra time testing printer functionality with your pilot groups this month. If you have any specific applications that were impacted recently by print spooler changes, you should ensure you have them represented in your pilot groups to prevent wider outages for critical applications.
EoL, EoS and Other Update and Vulnerability Related News:
The shift to the Windows 10 cumulative update model has become common place, but it is easy to get distracted and lose track of branches that are reaching the end of support. This month is the last security update for three branches. Make sure you have upgraded any remaining systems on these branches to a supported branch before June Patch Tuesday. For more details, see the Microsoft Windows Lifecycle page:
Windows 10 Enterprise and Education branch 1909
Windows 10 Home and Pro branch 20H2
Windows Datacenter and Standard Server 20H2
Microsoft retired Internet Explorer 11 desktop application back in May 2021. Full details can be found in the Internet Explorer 11 desktop app retirement FAQ. The end-of-support date is June 15 2022, right after June Patch Tuesday. The FAQ answers many questions on what to expect like when the IE11 application will be disabled, what the impact is for different versions of windows including LTSC, details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11 and more.
For organisations running on-prem Exchange Server, there are some changes that you will want to be aware of. On April 20, 2022 Microsoft released 2022 H1 Cumulative Updates for Exchange Server. With this release, they have also announced some servicing model changes. Microsoft will be shifting Exchange Server’s CU release cadence to two CUs per year. They have also announced that the next CU release (H2 2022) will be for Exchange Server 2019 only. Mainstream support for Exchange Server 2013 and 2016 has ended and these versions are now in extended support. For additional details, see the 2022 H1 CU for Exchange Server post.
The CISA Known Exploited Vulnerabilities Catalogue is now up to 659 CVEs being tracked. Most of these CVEs are over a year old. In November 2021, the Cybersecurity & Infrastructure Security Agency launched a project called the Known Exploited Vulnerabilities Catalogue. This initiative is meant to guide US agencies to better prioritise remediation and reduce exposure to known exploited vulnerabilities across their environments. The vulnerability management space in general has needed changes for some time. Most organisations are still basing their prioritisation off vendor severity and CVSS severity, but the criteria used to determine these severities often mislead organisations to incorrectly prioritise their response. Risk-based Vulnerability Management is an urgent need in most organisations. If you are unfamiliar with the topic, here is a link to a recorded event I presented in January 2022 on evolving to a risk-based vulnerability remediation strategy.