Administrators who already have a Windows zero-day and a public disclosure to deal with will have to tread carefully when applying the May Patch Tuesday security updates.
Microsoft delivered several fixes concentrated in multiple hotspots that will require administrators to test systems thoroughly to avoid any headaches from faulty patches. Microsoft released 73 unique new CVEs for May Patch Tuesday, with six rated critical. The company reissued three CVEs to cover additional products and distributed one advisory to raise the number of total CVEs to 77.
Windows zero-day and a public disclosure top the May Patch Tuesday list
The zero-day is a Windows Local Security Authority (LSA) spoofing vulnerability (CVE-2022-26925) rated important for affected Windows client and server systems. LSA handles the validation of user sign-ins and implements security policies.
In addition to being actively exploited in the wild before a security update was available, this bug had been publicly disclosed. The Common Vulnerability Scoring System (CVSS) score is 8.1, but Microsoft said the CVSS score could increase to 9.8 if an attacker chains this vulnerability to an NTLM relay attack, commonly referred to as a man-in-the-middle attack, on Active Directory Certificate Services servers.
“The exploit is complicated to execute. The attacker needs to be in the environment and needs to interject themselves into that communication chain,” said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. “But if they do, it’s a pretty serious ability to spoof the security within that LSA communication chain.”
Administrators should refer to the KB5005413 article Microsoft published in 2021 to blunt the PetitPotam NTLM relay attack and execute some of its mitigations, such as Server Block Message (SMB) signing and enabling Extended Protection for Authentication on servers running Active Directory Certificate Services.
“Microsoft’s guidance in the specific update is to prioritize domain controllers to get the OS update quickly, because that’s where the focus of this particular exploit has occurred in the wild,” Goettl said.
The other publicly disclosed vulnerability is CVE-2022-22713, a Windows Hyper-V denial-of-service bug rated important that affects several Windows 10 versions (20H2, 21H1 and 21H2) and Windows Server version 20H2 Server Core installations. Despite the relatively low CVSS score of 5.6, the CVE should be considered dangerous because there is proof-of-concept code.
“Due to the fact that it has been publicly disclosed and there’s code samples available, much of the work of figuring out how to attack this vulnerability has been done. Now all they need to do is weaponize it,” Goettl said.
Other security updates of note for May Patch Tuesday include:
- A fix for an Exchange Server vulnerability, an elevation-of-privilege flaw (CVE-2022-21978) rated important for supported Exchange products. The CVSS score is 8.1, and Microsoft provided extensive notes on the steps administrators need to execute to fully harden systems against this vulnerability.
- Corrections for multiple vulnerabilities in three areas of the Windows OS:
- four print spooler vulnerabilities (CVE-2022-29104, CVE-2022-29114, CVE-2022-29132 and CVE-2022-29140)
- 10 Windows LDAP remote-code execution bugs (CVE-2022-22012, CVE-2022-22013, CVE-2022-22014, CVE-2022-29128, CVE-2022-29129, CVE-2022-29130, CVE-2022-29131, CVE-2022-29137, CVE-2022-29139 and CVE-2022-29141)
- eight cluster shared volume flaws (CVE-2022-29134, CVE-2022-29135, CVE-2022-29138, CVE-2022-29120, CVE-2022-29122, CVE-2022-29123, CVE-2022-29150 and CVE-2022-29151)
Goettl recommended that administrators spend extra time to test the functionality related to the patched areas due to the high number of fixes.
Multiple Microsoft products reach the end of the road
Several Windows products received their last update on May Patch Tuesday. Windows 10 Enterprise and Education 1909, Windows 10 Home and Pro 20H2, and Windows Datacenter and Standard Server 20H2 hit their end-of-service date. Microsoft will not issue further security or quality updates for devices that run those branches.
“If anybody has any remaining systems running those systems, they are now a liability. This is this is the time to go and clean those up and move them to newer branches,” Goettl said.
Microsoft plans to retire the Internet Explorer 11 browser on June 15 for Windows 10 systems and recommends customers use the Internet Explorer mode in Microsoft Edge if they need legacy support. Prompts in Windows will nudge users to Microsoft Edge, and Microsoft will eventually disable the browser via Windows Update.
“People need to get Edge deployed, get compatibility mode turned on, and make sure that it’s working OK with their applications,” Goettl said.
Microsoft changes cumulative update model for Exchange Server
Outside of the Patch Tuesday news, Microsoft recently refined its servicing model for two major software products.
Along with news that Windows Server 2022 was generally available in September, the company said it would discontinue the semi-annual channel — which received two feature releases a year — for the server OS, leaving just the long-term servicing channel, which issues a feature release every two or three years.
On April 20, Microsoft said it would scale back its cumulative update schedule for Exchange Server. The company had been issuing quarterly releases, which typically arrived in March, June, September and December. The company said customers found the releases came too frequently and made it difficult to stay current.
“We are moving to a release cadence of two CUs [cumulative updates] per year — releasing in H1 and H2 of each calendar year, with general target release dates of March and September. But our release dates are driven by quality, so we might release updates in April or October, or some other month, depending on what we’re delivering,” the Exchange Team wrote in a blog.
Because Exchange 2013 and Exchange 2016 are out of mainstream support, only Exchange 2019 will receive the next cumulative update in the second half of this year. The earlier Exchange products will continue to receive security updates “as needed” while in extended support, the company said.
Microsoft’s lack of communication related to the on-premises messaging platform continues to vex Exchange administrators. Until Microsoft released the cumulative update blog, administrators had been waiting for the next cumulative update, which was due in December, to arrive.
Also, the next version of Exchange Server remains a mystery. In September 2020, Microsoft said Exchange vNext would arrive in the second half of 2021, but the product remains in limbo along with Skype for Business Server and SharePoint Server.
“Are we going to see an on-prem Exchange Server or will Microsoft pull a fast one and do a hosted Exchange Server, like an Azure Exchange?” Goettl said.