Microsoft delivers a solid, low-impact Patch Tuesday

March brings us a solid set of updates from Microsoft for Windows, Microsoft Office, Exchange, and Edge (Chromium), but no critical issues requiring a “Patch Now” release schedule (though Microsoft Exchange will require some technical effort this month). We have published some testing guidelines, with a focus on printing, remote desktop over VPN connections, and server-based networking changes. We also recommend testing your Windows installer packages with a specific focus on roll-back and uninstall functionality.

You can find more information about the risk of deploying these Patch Tuesday updates with this useful infographic. And, if you are looking for more information on .NET updates, there is a great post from Microsoft that highlights this month's changes.

Key testing scenarios

There was at least one high-risk reported change to the Windows platform for March. We have included the following rough testing guidelines based on our analysis of the changed files and contents of this month’s Windows and Office updates:

• (High Risk): Test your networked printers over the Remote Desktop Protocol (RDP). Microsoft has not published any functional changes for this month's update as modifications are due to security concerns.
• V4 Printer Driver, print using remote, and network based redirected printer(s).
• Test your backup and restore processes when using Encrypted Files Systems (EFS).
• Validate that your VPNs authenticate correctly over the Point-to-Point tunnelling protocol (PPTP).
• Test your Windows Error reporting processes with Create/Read/Update/Delete (CRUD) for all log files.
• Locate application references to NtAlpcCreatePort on your Windows servers and validate your application results.

If you have time, it may be worth testing UNC paths to DOS boxes (due to several changes to the networking and authentication stack). There's also been an update to the FastFAT system driver and how End User Defined Characters (EUDC) are handled. Microsoft has now included deployment and reboot requirements for this March 2022 update in a single page.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this cycle. There is more than usual this time, so I've referenced a few key issues that relate to the latest builds from Microsoft, including:

• After installing this update, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication. You might receive the prompt, “Your credentials did not work.” Like last month, Microsoft has released a number of GPO files that resolve this issue, including: Windows Server 2022 and Windows 10.
• After installing updates released Jan. 11 or later, applications that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information using the System.DirectoryServers API may fail or generate an error message.

There was an outstanding issue from January's update cycle where the executable DWM.EXE crashes after installing KB5010386. This issue has now been resolved. If you are looking for more data on these types of reported issues, one great resource from Microsoft is the Health Center — specifically, you can find out about Windows 10 and Windows 11 known issues and their current status.

Major revisions

Though there is a much smaller list of patches for this patch cycle, Microsoft released several revisions to previous patches, including:

• CVE-2021-3711: This is a Visual Studio update from November 2021. A new version has been updated to include support for the latest versions of Visual Studio 2022. No additional actions are required.
• CVE-2021-36927: This updated patch addresses a TV Tuner codec issue in 2021. Microsoft has helpfully published an updated documentation set for this, noting that the fix is now official and fully resolves the reported issue. No further actions required.

Mitigations and workarounds

This month, Microsoft has not published any mitigations or workarounds for the Windows, Microsoft Office, browser or development platform updates and patches. There is an ongoing list of mitigations and updates related to known issues for Microsoft Exchange (they're included in our Exchange-related section).

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, maybe next year).

Browsers

Following a trend set by Microsoft over the past few months, only the Chromium Edge browser has been updated. With no critical updates, and 21 reported vulnerabilities rated as important by Microsoft, this is another easy update cycle. Other than working through potential issues with the Brotli compression engine, you should be able to deploy the browser updates on your normal release schedule.

Windows

Following the trend of fewer (in number and in nature) updates this month, Microsoft released just two critical updates (CVE-2022-22006 and CVE-2022-24501). Neither update is likely to affect core platforms as each patches a singular video codec and a Microsoft Store component. The remaining 40 patches are all rated as important by Microsoft and update the following core Windows components:

• Remote Desktop client (RDP);
• Windows Error log (this has been updated every month this year);
• Networking (SMB and PTPTP);
• Windows Update and Windows Installer.

You may want to add a Windows Installer test to your testing regime this month. Add these Windows updates to your standard release schedule.

Microsoft Office

If you were ever looking for a “low-risk” patch profile for Microsoft Office, this month's updates are a very good candidate. Microsoft has released six patches to Office, all of which are rated as important. Most importantly, they either affect Skype (which is not so important) or the “Click to Run” (CTR) installation of Office. The CTR version is the virtualized, self-contained version of the Office install that is streamed down to the target system. By design, these installations have little to no effect on the operating system and given the nature of the changes made this month, there is very little deployment risk. Add these Office updates to your standard deployment schedule.

Microsoft Exchange Server

Finally, a critical vulnerability from Microsoft. No…, wait! Darn, it's for Exchange. Microsoft Exchange is in the bad books this month with one of the few critical-rated vulnerabilities (CVE-2022-23277). Of the two Exchange-related patches for March, the other (CVE-2022-24463) is rated as important and could lead to a potential credential spoofing scenario. The critical issue is rated as highly likely to be exploited, but does require that the attacker is authenticated. This is not a “worm-able” vulnerability, so we recommend you add the Microsoft Exchange updates to your standard server deployment. This update will require a reboot to your servers. There have been several published issues with recent Microsoft Exchange updates, and so we have included a list of known issues when updating your Exchange Servers, including:

1. When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.
2. Exchange services might remain in a disabled state after you install this security update. To resolve this issue, start the update process as an Administrator.
3. When you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in, even though you keep selecting the option to trust it.
4. When you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails and generates a “(400) Bad Request” error message.

Microsoft has published a workaround for the “400 Bad Request” error. 

Microsoft development platforms

Microsoft released just four updates to its development platforms for March, all rated important. Two patches are for the .NET platform (CVE-2022-24512 and CVE-2022-24464), both of which require user interaction to deliver their payload, at worst resulting in an elevation-of-privilege attack. The Microsoft patch that may give you a headache was raised by Google in 2020 (hence it's CVE identifier of CVE-2020-8927). This Patch Tuesday update to Brotli may affect how your web pages are compressed (notice I did not say “zipped”). Before you deploy this update, take a quick look at your internal web pages and browser-based applications using Brotli for adverse effects on decompressing CSS and JavaScript (hint, hint). Otherwise, add these updates to your standard patch schedule.

Adobe (really just Reader)

Just like last month, Adobe has not released any updates or patches to the Adobe Reader product lines. This is good news, and hopefully part of a larger trend. I'm hoping that Adobe Reader updates follow the same patch as Microsoft's browser patches (ever decreasing numbers of critical updates), and then, as with the Microsoft Chromium browser, we see only a few security issues rated as important by both the community and Microsoft. Adobe has released a few patches to its Photoshop, After Effects and Illustrator products. However, these are product-focused updates and should not affect your general desktop/server patch roll-out schedules.