Patch Tuesday: Two zero-day flaws in Windows need immediate attention

Microsoft's December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).

Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. (The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates.)

And Windows Hot-Patching for Azure Virtual Machines (VMs) is now available.

Known issues

Each month, Microsoft includes a list of known issues that relate to the OS and platforms included in this update cycle.

  • ODBC: After installing the December update, applications that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You might receive the following error messages: “The EMS System encountered a problem. Message: [Microsoft] [ODBC SQL Server Driver] Unknown token received from SQL Server”.
  • RDP and Remote Access: After you install this or later updates on Windows desktop systems, you might be unable to reconnect to (Microsoft) Direct Access after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.
  • Hyper-V: After installing this update on Hyper-V hosts managed by SDN configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM).
  • Active Directory: Due to additional security requirements in addressing the security vulnerabilities in CVE-2022-38042, new security checks are implemented on domain net join requests. These extra checks may generate the following error message: “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

In preparation for this month's update to Windows 10 and 11 systems, we recommend running an assessment on all application packages and looking for a dependency on the system file SQLSRV32.DLL. If you need to inspect a specific system, open a command prompt and run the command “tasklist /m sqlsrv32.dll”. This should list any processes that depend on this file.
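The same inventory can be scripted for a fleet roll-out. The PowerShell below is an added example, not from the article or from Readiness: it lists processes that currently have sqlsrv32.dll loaded (the data behind "tasklist /m") and, assuming the usual ODBC registry layout (each DSN a subkey of ODBC.INI with a Driver value naming the DLL), the DSNs that point at the legacy driver.

```powershell
# Added example, not from the article: inventory the legacy ODBC SQL Server driver
# (sqlsrv32.dll) on a system before deploying the December update.
$driverDll = 'sqlsrv32.dll'

# 1. Processes that currently have the legacy driver loaded.
#    Run from a 64-bit, elevated shell so 64-bit and protected processes can be inspected.
$loaded = foreach ($proc in Get-Process) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq $driverDll) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.FileName }
            }
        }
    } catch {
        # Access denied or 32/64-bit mismatch: record it instead of silently skipping the process.
        [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = "<not inspectable: $($_.Exception.Message)>" }
    }
}

# 2. ODBC DSNs that reference the legacy driver. Assumed layout: one subkey per DSN under
#    ODBC.INI with a 'Driver' value holding the DLL path; WOW6432Node holds the 32-bit DSNs.
$dsnRoots = @(
    'HKLM:\SOFTWARE\ODBC\ODBC.INI',
    'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI',
    'HKCU:\SOFTWARE\ODBC\ODBC.INI'
)
$dsns = foreach ($root in $dsnRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $driver = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Driver
        if ($driver -and $driver -imatch [regex]::Escape($driverDll)) {
            [pscustomobject]@{ DSN = $key.PSChildName; Scope = $root; Driver = $driver }
        }
    }
}

"Processes with ${driverDll} loaded:"
$loaded | Format-Table -AutoSize
"ODBC DSNs using ${driverDll}:"
$dsns | Format-Table -AutoSize
```

Any DSN or process that shows up here should be on the ODBC test list for the December update, since those are the connections the known issue can break.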

Major revisions

Microsoft published just one revision this month, with no other revisions to previous patches or updates released.

  • CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability: To address a known issue where Kerberos authentication might fail for user, computer, service, and GMSA accounts when serviced by Windows domain controllers. This patch revision has been released as a rare out-of-band update and will require immediate attention, if not already addressed.

Mitigations and workarounds

While there were several documentation updates and FAQs added to this release, Microsoft published a single mitigation:

  • CVE-2022-37976: Active Directory Certificate Elevation of Privilege: A system is vulnerable to this security vulnerability only if both the Active Directory Certificate Services role and the Active Directory Domain Services role are installed on the same server in the network. Microsoft has published a set of registry keys (LegacyAuthenticationLevel) that can help reduce the surface area of this issue. You can find out more about protecting your systems here.

Testing guidance 

Each month, the team at Readiness analyzes the latest updates and provides testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of changes included this cycle, I have broken down the testing scenarios into high-risk and standard-risk groups.

High Risk: This month, Microsoft has not recorded any high-risk functionality changes. This means it has not made major changes to core APIs or functionality to any of the core components or applications included in the Windows desktop and server ecosystems.

More generally, given the broad nature of this update (Office and Windows) we suggest testing the following Windows features and components:

  • Bluetooth: Microsoft has updated two sets of key API/Header files for Bluetooth drivers including: IOCTL_BTH_SDP_REMOVE_RECORD IOCTL and DeviceIoControl function. The key testing task here is to enable and then disable Bluetooth, ensuring that your data connections are still working as expected.
  • GIT: The Git Virtual File System (VfSForGit) has been updated with changes to the file and registry mappings. You can read more about this key (internal) Windows development tool here.

In addition to these changes and testing requirements, I have included some of the more difficult testing scenarios for this update:

  • Windows Kernel: This month sees a broad update to the Windows kernel (Win32kfull.sys) that will affect the primary desktop UI experience. Key features patched include the Start menu, the settings applet, and File Explorer. Given the huge UI testing surface, a larger testing group may be required for your initial roll-out. If you still see your desktop or taskbar, take that as a positive sign.

Following last month's update to Kerberos authentication, there were several reported issues related to authenticating, especially across remote-desktop connections. Microsoft detailed the following scenarios and related issues addressed this month: 

  • Domain user sign-in may fail. This also might affect Active Directory Federation Services (AD FS) authentication.
  • Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
  • Remote Desktop connections using domain users might fail to connect.
  • You might be unable to access shared folders on workstations and file shares on servers.
  • Printing that requires domain user authentication might fail.

All these scenarios require significant testing before a general deployment of the December update.

Unless otherwise specified, we should now assume that each Patch Tuesday update will require testing of core printing functions including:

  • printing from directly-connected printers.
  • add a printer, and then remove a printer (this is new for December).
  • large print jobs from servers (especially if they are also domain controllers).
  • remote printing (using RDP and VPNs).
  • test physical and virtual scenarios with 32-bit apps on 64-bit machines.

Windows lifecycle update

This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms. As this is an end-of-year update, there are quite a few “End of Service” changes, including: 

  • Windows 10 (Enterprise, Home, Pro) 21H2 – Dec. 12, 2022.
  • Windows 8.1 – Jan. 10, 2023.
  • Windows 7 SP1 (ESU) – Jan. 10, 2023.
  • Windows Server 2008 SP2 (ESU) – Jan. 10, 2023.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange Server;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired???, maybe next year).

Browsers

Following a welcome trend of no critical updates to Microsoft's browsers, this update delivers just three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115) all rated important. These updates affect the Microsoft Chromium browser and should have marginal to low impact on your applications. Add these updates to your standard patch release schedule.

Windows

Microsoft released patches to the Windows ecosystem this month that address three critical updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated important and two rated moderate. Unfortunately, this month we have those two zero-days affecting Windows with reports of CVE-2022-44698 exploited in the wild and CVE-2022-44710 publicly disclosed. We have crafted specific testing recommendations, noting that there are reported issues with Kerberos, Hyper-V and ODBC connections.

Add this update to your “Patch Now” release schedule.

Microsoft Office

Microsoft addressed two critical vulnerabilities in SharePoint Server (CVE-2022-44693 and CVE-2022-44690) that are relatively easy to exploit and do not require user interaction. The remaining two vulnerabilities affect Microsoft Visio (CVE-2022-44696 and CVE-2022-44695) and are low-profile, low impact changes. Unless you're hosting your own SharePoint servers (oh, why?), add these Microsoft updates to your standard release schedule.

Microsoft Exchange Server

Microsoft has not released any updates, patches or security mitigations for Microsoft Exchange Server. Phew!

Microsoft development platforms

Microsoft addressed two critical vulnerabilities in Microsoft .NET (CVE-2022-41089) and PowerShell (CVE-2022-41076) this month. Though both security issues are rated critical, they require local admin access and are considered both difficult and complex to exploit. Mark Russinovich's Sysmon also needs an update with the elevation-of-privilege vulnerability CVE-2022-44704 and all supported versions of Visual Studio will be patched. Add these updates to your standard developer release schedule.

Adobe Reader (still here, but not this month)

Adobe has released three category 3 (equivalent to Microsoft's rating of important) updates to Illustrator, Experience Manager and Campaign (Classic). No updates to Adobe Reader this month.

Copyright © 2022 IDG Communications, Inc.