On Tuesday, Microsoft published another extensive set of updates across the Windows ecosystem. This includes four publicly disclosed Windows vulnerabilities and one security flaw that affects the Windows kernel (which has reportedly already been exploited). That means the Windows updates get the highest “patch now” rating. Keep in mind that if you manage an Exchange server, you will need additional privileges and additional steps to complete the update.
It also looks like Microsoft has announced a new way to deploy updates to devices wherever they are: Windows Update for Business Services. You can learn more about this cloud-based management service in this Microsoft video or this FAQ. I’ve included a useful infographic; this month it looks a bit biased (again) because we need to pay all attention to the components of Windows and Exchange.
Key test scenarios
For this month’s major update to the Disk Management utility (which is considered high risk), we recommend testing partition formatting and partition expansion. This month’s update also includes changes to lower-risk Windows components, which call for the following tests:
- Verify that the Windows codec changes render TIFF, RAW, and EMF files correctly.
- Test the VPN connection.
- Test the creation of a virtual machine (VM) and the application of snapshots.
- Test the creation and use of VHD files.
- Make sure that all applications that rely on the Microsoft Speech API work as expected.
The Windows servicing stack (including Windows Update and the MSI installer) was updated this month with CVE-2021-28437. Therefore, for large-scale deployments, testing of your application portfolio can include installation, update, self-healing, and repair functions.
Every month, Microsoft publishes a list of known operating system and platform-related issues included in this update cycle. We have highlighted some important issues related to the latest builds from Microsoft, including:
- If you use the Microsoft Japanese Input Method Editor (IME) to enter kanji into an app that automatically allows you to enter furigana characters, you may not get the correct furigana characters. You may need to manually enter the phonetic characters. Also, after installing KB4493509, devices with some Asian language packs installed may receive the error “0x800f0982–PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. Microsoft is working on a solution and will provide updates in a future release.
- For devices with Windows installations created from custom offline media or custom ISO images, this update may remove Microsoft Edge Legacy, but it will not be automatically replaced by the new Microsoft Edge. If you need to deploy the new Edge for Business broadly, see Download and deploy Microsoft Edge for Business.
- After installing KB4467684, if the Group Policy “Minimum Password Length” is configured with more than 14 characters, the Cluster service may not be able to start, with the error “2245 (NERR_PasswordTooShort)”.
You can find Microsoft’s summary of known issues in this release on one page.
During this April update cycle, Microsoft published a single major revision.
- CVE-2020-17049 - Kerberos KDC Security Feature Bypass Vulnerability: Microsoft has released a security update for the second deployment phase of this vulnerability. Microsoft has published an article (KB4598347) on how to manage these additional changes to your domain controllers.
Mitigation and workarounds
At the moment, Microsoft doesn’t seem to have released any mitigations or workarounds for this April release.
Each month, the update cycle is categorized into product families (defined by Microsoft) in the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office (including web apps and Exchange);
- Microsoft Development Platform (ASP.NET Core, .NET Core, Chakra Core);
- And Adobe Flash Player (discontinued).
Over the last decade, we’ve seen the potential impact of changes to Microsoft browsers (Internet Explorer and Edge) due to the nature of interdependent libraries on Windows systems (both desktop and server). Internet Explorer (IE) used to have direct (some would say too direct) integration with the OS, which meant managing every change to the OS (most problematic for servers). As of this month, this is no longer the case. Chromium updates will be a separate code base and application entity, and Microsoft Edge (Legacy) will be automatically removed and replaced with the Chromium code base. You can read more about this update (and removal) process online.
I think this is welcome news, as continuous IE recompilation and subsequent test profiles have been a heavy burden for most IT administrators. It’s good to see that the Chromium update cycle is moving from a 6-week cycle to a 4-week cycle in line with the rhythm of Microsoft Update. Considering the nature of these changes to the Chromium browser, we will add this update to the standard patch release schedule.
This month, Microsoft worked to address 14 critical vulnerabilities in Windows and the remaining 68 security issues that were rated as critical. Two of the important issues are related to media players. The remaining 12 are related to Windows Remote Procedure Call (RPC) function issues. We have categorized the remaining updates (including critical and moderate ratings) into the following functional areas:
- Windows Secure Kernel Mode (Win32K);
- Windows event trace;
- Windows installer;
- Microsoft graphics component;
- Windows TCP/IP, DNS, SMB server.
See the recommendations above for testing these feature groups. For the critical patches, testing Windows Media Player is easy, but testing RPC calls within and between applications is another matter. To make matters worse, these RPC issues, while not wormable, are serious individually and dangerous as a group. As a result of these concerns, we recommend a “patch now” release schedule for this month’s update.
Microsoft Office (and of course Exchange)
When evaluating Office updates for each monthly security release, the first questions I usually ask about Microsoft Office updates are:
- Is the vulnerability a low-complexity, remote-access issue?
- Does the vulnerability lead to a remote code execution scenario?
- Is the Preview Pane a vector?
Fortunately, all four issues Microsoft addressed this month have been rated as important and have not hit any of the three “worries” above. In addition to these security basics, I have the following questions about this April Office update:
- Are you running an ActiveX control?
- Are you running Office 2007?
- Are there any language-related side effects after this month’s update?
If you are running an ActiveX control, please do not. If you’re running Office 2007, it’s a great time to move to something that’s supported (such as Office 365). Also, if you’re having language issues, see this support note (KB5003251) from Microsoft on how to reset the language setting after the update. The Office, Word, and Excel updates are major updates and require a standard test/release cycle. Given the low urgency of these vulnerabilities, we recommend that you add these Office updates to the standard release schedule.
Unfortunately, Microsoft Exchange has four important updates that need attention. It’s not as urgent as last month, but it’s rated “Patch Now”. Be careful when updating the server this time. Many issues have been reported with these updates when applied to servers with UAC controls in place.
If you double-click the update file (.MSP) and run it in normal mode (that is, not as an administrator) to install this security update manually, some files will not be updated correctly. Be sure to perform this update as an administrator. Otherwise, the server may remain in a state between updates or, worse, be disabled. If you encounter this issue, you will not receive an error message or a message that the security update has not been installed correctly. However, Outlook on the Web (OWA) and Exchange Control Panel (ECP) may not work.
This month, you will definitely need to restart your Exchange Server.
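One way to guard against the silent failure described above, as an added example that is not from the original article or from Microsoft: a PowerShell wrapper that refuses to run without elevation, applies the .MSP with verbose logging, and compares service state before and after. The parameter names, the log location, and the choice of the `MSExchange*` and `W3SVC` services as a health signal are assumptions; the patch path is a placeholder you supply.

```powershell
# Added example (hypothetical wrapper, not a Microsoft-provided script).
param(
    # Placeholder: path to the .MSP downloaded for your Exchange build.
    [Parameter(Mandatory)] [string] $PatchPath,
    # Assumed log location; change to suit your environment.
    [string] $LogPath = "$env:TEMP\exchange-su-install.log"
)

# 1. Refuse to continue from a non-elevated session, the failure mode described above.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not elevated. Start PowerShell with 'Run as administrator' and retry."
}
if (-not (Test-Path -LiteralPath $PatchPath -PathType Leaf)) {
    throw "Patch file not found: $PatchPath"
}

# 2. Snapshot service state first, because a bad install reports no error.
$names  = 'MSExchange*', 'W3SVC'   # assumed health signal for OWA/ECP
$before = Get-Service -Name $names -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 3. Apply the patch with a verbose log and wait for msiexec to finish.
$msiArgs = "/update `"$PatchPath`" /l*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a restart is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec returned $($proc.ExitCode); review $LogPath"
}

# 4. Flag services that were left disabled or stopped by the install.
$after = Get-Service -Name $names -ErrorAction SilentlyContinue
foreach ($svc in $before) {
    $now = $after | Where-Object Name -eq $svc.Name
    if (-not $now) { Write-Warning "$($svc.Name) is missing after the update"; continue }
    if ($now.StartType -ne $svc.StartType) {
        Write-Warning "$($svc.Name) start type changed: $($svc.StartType) -> $($now.StartType)"
    }
    if ($svc.Status -eq 'Running' -and $now.Status -ne 'Running') {
        Write-Warning "$($svc.Name) was running before the update and is now $($now.Status)"
    }
}
Write-Output "Install finished (exit code $($proc.ExitCode)). Restart the server, then confirm OWA and ECP load."
```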
Microsoft development platform
Microsoft has released 12 updates in April, all rated as important. All the vulnerabilities addressed have a high CVSS rating of 7 or higher, and they cover the following Microsoft product areas:
- Visual Studio Code - Kubernetes Tool;
- Visual Studio Code - GitHub Pull Requests and Issues Extension;
- Visual Studio Code - Maven for Java Extension.
Looking at these updates and how they’re implemented this month, it’s hard to see how they could have an impact beyond the slightest changes to each application. Microsoft recommends a standard “developer” release schedule, as it has not published significant tests or mitigations for any of these updates.
Adobe Flash Player
Unbelievable. There’s nothing more to say about Adobe updates. There are no crazy Flash vulnerabilities that hijack this month’s schedule. So, in the words of my favorite news reader, no Gnus is good Gnus.
We’ll deprecate this section next month and split Office and Exchange updates into separate sections for readability.
Copyright © 2021 IDG Communications, Inc.
April patch Tuesday focus: Windows and Exchange (again)