Microsoft corrects Windows zero-day for May Patch Tuesday

2022-05-14 13:41:21 By : Ms. Nancy Zheng

Administrators who already have a Windows zero-day and a public disclosure to deal with will have to tread carefully when applying the May Patch Tuesday security updates.

Microsoft delivered several fixes concentrated in multiple hotspots that will require administrators to test systems thoroughly to avoid any headaches from faulty patches. Microsoft released 73 unique new CVEs for May Patch Tuesday, with six rated critical. The company reissued three CVEs to cover additional products and distributed one advisory to raise the number of total CVEs to 77.

The zero-day is a Windows Local Security Authority (LSA) spoofing vulnerability (CVE-2022-26925) rated important for affected Windows client and server systems. LSA handles the validation of user sign-ins and implements security policies.

In addition to being actively exploited in the wild before a security update was available, this bug had been publicly disclosed. The Common Vulnerability Scoring System (CVSS) score is 8.1, but Microsoft said the CVSS score could increase to 9.8 if an attacker chains this vulnerability to an NTLM relay attack, commonly referred to as a man-in-the-middle attack, on Active Directory Certificate Services servers.

"The exploit is complicated to execute. The attacker needs to be in the environment and needs to interject themselves into that communication chain," said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. "But if they do, it's a pretty serious ability to spoof the security within that LSA communication chain."

Administrators should refer to the KB5005413 article Microsoft published in 2021 to blunt the PetitPotam NTLM relay attack and execute some of its mitigations, such as Server Message Block (SMB) signing and enabling Extended Protection for Authentication on servers running Active Directory Certificate Services.

"Microsoft's guidance in the specific update is to prioritize domain controllers to get the OS update quickly, because that's where the focus of this particular exploit has occurred in the wild," Goettl said.
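The mitigations the article draws from KB5005413 (SMB signing and Extended Protection for Authentication on the AD CS web enrollment endpoints) can be audited from PowerShell on the certificate services server. The script below is an added example, not code from the article, Ivanti or Microsoft. It assumes the default IIS site name and the /CertSrv application that Certification Authority Web Enrollment installs, and it assumes the IIS configuration properties read back as objects with a .Value member; without the -Apply switch it only reports, so it can be run first as a read-only check.

```powershell
# Added example: audit (and optionally apply) the KB5005413-style relay
# mitigations on an AD CS server. Run elevated on that server.
param([switch]$Apply)

Import-Module WebAdministration -ErrorAction Stop
Import-Module SmbShare -ErrorAction Stop

$site    = 'Default Web Site'   # assumption: default IIS site name
$app     = "$site/CertSrv"      # assumption: Web Enrollment application path
$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# 1. SMB signing: a server that requires signed sessions is a poor relay target.
$smb = Get-SmbServerConfiguration
Write-Host ("SMB signing required : {0}" -f $smb.RequireSecuritySignature)
if ($Apply -and -not $smb.RequireSecuritySignature) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# 2. Extended Protection for Authentication on the enrollment web app.
#    'Require' binds the NTLM exchange to the TLS channel so a relayed
#    authentication from another channel is rejected.
$epa = (Get-WebConfigurationProperty -PSPath $appHost -Location $app `
          -Filter "$winAuth/extendedProtection" -Name 'tokenChecking').Value
Write-Host ("EPA tokenChecking    : {0}" -f $epa)
if ($Apply -and "$epa" -ne 'Require') {
    Set-WebConfigurationProperty -PSPath $appHost -Location $app `
        -Filter "$winAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
}

# 3. EPA only protects a TLS channel, so the application must require SSL.
$ssl = (Get-WebConfigurationProperty -PSPath $appHost -Location $app `
          -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
Write-Host ("sslFlags             : {0}" -f $ssl)
if ($Apply -and "$ssl" -notmatch 'Ssl') {
    Set-WebConfigurationProperty -PSPath $appHost -Location $app `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}
```

Run it once without -Apply to capture the current state for change records, then with -Apply after the OS update is installed, since the article quotes Microsoft's guidance to get the update onto domain controllers first. If the enrollment services live under a different site or path, change the two assumption lines at the top.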

The other publicly disclosed vulnerability is CVE-2022-22713, a Windows Hyper-V denial-of-service bug rated important that affects several Windows 10 versions (20H2, 21H1 and 21H2) and Windows Server version 20H2 Server Core installations. Despite the relatively low CVSS score of 5.6, the CVE should be considered dangerous because there is proof-of-concept code.

"Due to the fact that it has been publicly disclosed and there's code samples available, much of the work of figuring out how to attack this vulnerability has been done. Now all they need to do is weaponize it," Goettl said.

Other security updates of note for May Patch Tuesday include:

Goettl recommended that administrators spend extra time to test the functionality related to the patched areas due to the high number of fixes.

Several Windows products received their last update on May Patch Tuesday. Windows 10 Enterprise and Education 1909, Windows 10 Home and Pro 20H2, and Windows Datacenter and Standard Server 20H2 hit their end-of-service date. Microsoft will not issue further security or quality updates for devices that run those branches.
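To find the systems the article says are now unsupported, a defender needs the branch and edition of each host rather than just its build number. The function below is an added example, not from the article, and reads the version keys Windows writes to the registry; the EditionID strings (Core for Home, Professional for Pro, ServerDatacenter and ServerStandard for the server SKUs) are the values Windows uses, but compare them against your own inventory before acting on the result. It runs locally and can be wrapped in Invoke-Command for remote hosts.

```powershell
# Added example: flag a Windows install whose branch/edition reached end of
# service on May 2022 Patch Tuesday per the article (Win10 Ent/Edu 1909,
# Win10 Home/Pro 20H2, Server Datacenter/Standard 20H2).
function Test-EndOfServiceBranch {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $v   = Get-ItemProperty -Path $key

    # DisplayVersion exists from 20H2 onward; older builds only carry ReleaseId.
    $branch  = if ($v.DisplayVersion) { $v.DisplayVersion } else { $v.ReleaseId }
    $edition = $v.EditionID
    $product = $v.ProductName

    $eos = $false
    switch -Regex ($product) {
        'Windows 10' {
            if ($branch -eq '1909' -and $edition -in 'Enterprise','Education') { $eos = $true }
            if ($branch -eq '20H2' -and $edition -in 'Core','Professional')    { $eos = $true }
        }
        'Windows Server' {
            if ($branch -eq '20H2' -and $edition -in 'ServerDatacenter','ServerStandard') { $eos = $true }
        }
    }

    [pscustomobject]@{
        Computer     = $ComputerName
        Product      = $product
        Branch       = $branch
        Edition      = $edition
        EndOfService = $eos
    }
}

# Local usage; for a fleet: Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Test-EndOfServiceBranch}
Test-EndOfServiceBranch
```

Hosts reporting EndOfService = True will stop receiving the monthly security updates, which is the liability the article describes, so they belong at the top of the migration list.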

"If anybody has any remaining systems running those systems, they are now a liability. This is the time to go and clean those up and move them to newer branches," Goettl said.

Microsoft plans to retire the Internet Explorer 11 browser on June 15 for Windows 10 systems and recommends customers use the Internet Explorer mode in Microsoft Edge if they need legacy support. Prompts in Windows will nudge users to Microsoft Edge, and Microsoft will eventually disable the browser via Windows Update.

"People need to get Edge deployed, get compatibility mode turned on, and make sure that it's working OK with their applications," Goettl said.

Outside of the Patch Tuesday news, Microsoft recently refined its servicing model for two major software products.

Along with news that Windows Server 2022 was generally available in September, the company said it would discontinue the semi-annual channel -- which received two feature releases a year -- for the server OS, leaving just the long-term servicing channel, which issues a feature release every two or three years.

On April 20, Microsoft said it would scale back its cumulative update schedule for Exchange Server. The company had been issuing quarterly releases, which typically arrived in March, June, September and December. The company said customers found the releases came too frequently and made it difficult to stay current.

"We are moving to a release cadence of two CUs [cumulative updates] per year -- releasing in H1 and H2 of each calendar year, with general target release dates of March and September. But our release dates are driven by quality, so we might release updates in April or October, or some other month, depending on what we're delivering," the Exchange Team wrote in a blog.

Because Exchange 2013 and Exchange 2016 are out of mainstream support, only Exchange 2019 will receive the next cumulative update in the second half of this year. The earlier Exchange products will continue to receive security updates "as needed" while in extended support, the company said.

Microsoft's lack of communication related to the on-premises messaging platform continues to vex Exchange administrators. Until Microsoft released the cumulative update blog, administrators had been waiting for the next cumulative update, which was due in December, to arrive.

Also, the next version of Exchange Server remains a mystery. In September 2020, Microsoft said Exchange vNext would arrive in the second half of 2021, but the product remains in limbo along with Skype for Business Server and SharePoint Server.

"Are we going to see an on-prem Exchange Server or will Microsoft pull a fast one and do a hosted Exchange Server, like an Azure Exchange?" Goettl said.
