Microsoft Patch Tuesday fixes critical security flaws in Windows 10, 11 & Server
June 18 Update below. This post was originally published on June 15
Microsoft has confirmed that the June 14 Patch Tuesday security update will not be the last we will see. Quite why some media outlets covering the latest second-Tuesday-of-the-month security patch distribution jumped on the ‘end of an era, final Patch Tuesday’ bandwagon is, frankly, beyond me. Yes, I appreciate that the news reports were referring to the Windows Autopatch announcement from earlier in the year. That April revelation explained how Windows Autopatch would turn Patch Tuesday into just another Tuesday for (some) administrators by largely automating the security patch process. I’m guessing that this is where the confusion comes from but, even so, it’s a baffling case of grasping the wrong end of a pretty straight stick.
You see, what Microsoft certainly didn’t announce was a security update automation and management service for every Windows administrator or user. In fact, I thought it was made quite clear that Windows Autopatch, due to roll out in July, was for Windows Enterprise users only.
Even more precisely, those customers with a Windows 10/11 Enterprise E3 (and up) license using the Azure commercial cloud with the exception of government cloud customers. The Microsoft Windows Autopatch FAQ, updated June 8, also states education (A3) and frontline worker (F3) licenses are not supported. That rules out not only some enterprises and most small businesses but also the massive consumer market.
The real clincher, for anyone wanting to research this matter further, is the existence of a section of the official FAQ that’s headed: ‘Does Windows Autopatch affect Patch Tuesday?’
Here, Microsoft says, “Monthly security and quality updates for supported versions of the Windows and Windows Server operating systems will continue to be delivered on the second Tuesday of the month (commonly referred to as Patch Tuesday or Update Tuesday) as they have been to date.” I’m not sure how much clearer the company could have been, to be honest.
All of which means that there’s nothing to see here. Except for more second Tuesday of the month Windows security patch distributions for the foreseeable future.
In other news, there’s a new addition to the list of problems that Microsoft has confirmed following the June 14 Windows updates. This one, however, only impacts users of Windows 10 (20H2, 21H1, 21H2) and Windows 11 (21H2) with Windows Server users not being affected. The issue, a sign-in failure using Azure Active Directory, is only of concern to the above users with Windows devices that are using Arm processors. “Some scenarios that might be affected,” Microsoft confirms, “are VPN connections, Microsoft Teams, Microsoft OneDrive, and Microsoft Outlook.” While an update to fix this is being investigated, it’s possible to mitigate the issue by using the web versions of affected apps.
It hasn’t been the most issue-free of Patch Tuesdays, it has to be said. You can read about other problems, confirmed by Microsoft, below.
June 17 Update below. This post was originally published on June 15
Microsoft has confirmed three issues that some users are experiencing following the installation of the June 14 Windows update. While a ‘sooner rather than later’ approach to patching security vulnerabilities remains the prudent advice, it is the regularity of post-patch issues that makes this less than straightforward in a business setting, as discussed later in this article. Two of the three problems that have been identified so quickly, and confirmed by Microsoft, are likely to impact business users primarily. One, involving Wi-Fi hotspot internet connectivity, could also be problematic for consumers.
The first issue involves the potential failure of operations that create or delete shadow copies on an application server running Volume Shadow Copy Service (VSS)-aware server applications that store data on remote SMB 3.0 or later file shares. Microsoft confirms that “after installing the June 14, 2022 or later Windows update, backup applications may receive error E_ACCESSDENIED while executing operations related to shadow copy creation.” This appears to be related to the security enforcement added to the Remote VSS for file shares agent service (RVSS) by the patch for CVE-2022-30154. The fix for this post-patching problem is to install the update on both the application server and the file server. The issue impacts Windows Server 2012, 2016, 2019, 2022, and Windows 10 20H2.
The other two problems are still being investigated by Microsoft, and an update will be provided in an “upcoming release.” One involves Windows devices using the Wi-Fi hotspot feature, with the host losing internet connectivity. The other involves operations on cluster shared volume files or folders failing with a STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5) error.
As well as fixing the Follina zero-day, which is already under active attack, Microsoft has just confirmed three critical vulnerabilities that impact millions of Windows and Windows Server users.
Within the collection of 55 new Microsoft security updates (yes, it’s Patch Tuesday time again), there are three that are rated as critical. The good news is that none of these, in fact none of the 55 listed vulnerabilities, are known to be under exploitation in the wild. I can say that even though the CVE-2022-30190 Follina fix was distributed, because, bizarrely, Microsoft didn’t list it among the vulnerabilities patched.
The three critical security flaws are as follows:
CVE-2022-30136 impacts Windows Server (2012, 2016, 2019) users and is a remote code execution (RCE) threat that could be exploited over the network using a malicious call to a network file system (NFS) service. According to Mike Walters, cybersecurity executive and co-founder of Action1, it is believed “an exploit for this vulnerability has been developed, although this information has not been confirmed.” He also warns that “this June patch should only be applied after the May one has already been installed,” in reference to the CVE-2022-26937 patch last month.
CVE-2022-30139 impacts Windows (10 & 11) and Windows Server (2016, 2019, 20H2, 2022) users and is another RCE but this time impacting the Windows lightweight directory access protocol (LDAP) where default policy values have been changed. According to Vulnerability Database, while the full technical details are as yet unknown, “a simple authentication is necessary for exploitation.” While confirming no public exploit is available, the site suggests one could be worth between $5,000 and $25,000.
CVE-2022-30163 impacts Windows (7, 8.1, 10 & 11) and Windows Server (2008, 2012, 2016, 2019, 20H2 & 2022) users and is another arbitrary remote code execution vulnerability. This time it targets Windows Hyper-V host using a malicious application on a Hyper-V guest. According to the Trend Micro Zero Day Initiative, “Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update.”
Obviously, as always, the takeaway is to update as soon as possible in order to shore up these security holes. Well, for consumers at least. The situation becomes more complex for organizations. “Businesses are typically slow in applying patches, yet I’d bet vulnerabilities are still the most common reason organizations are compromised,” Mark Lamb, CEO of HighGround.io, says. “Security standards, including the U.K. Cyber Essentials overview standard, encourage patches to be deployed within 14 days of release for both Operating Systems and Applications, but it’s not uncommon for organizations to take months to get their patches deployed.” Lamb recommends, where possible, businesses should be “diligent in approving and deploying patches on a weekly basis, because,” he says, “you don’t know what the next vulnerability is going to be and whether it could have been mitigated by consistent and diligent patching.”
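As an added illustration of the patch-cadence point above (my own example, not code from the article or from anyone quoted in it), the following PowerShell script reports a Windows host's most recently installed update against a 14-day deployment window and checks for a list of required KB identifiers. The KB list is a placeholder to be filled from the Microsoft Security Update Guide entries for the CVEs you track; the 14-day threshold is taken from the Cyber Essentials figure mentioned above and is configurable.

```powershell
# Added example: patch-age and required-KB check using the built-in Get-HotFix cmdlet.
# $RequiredKBs is a placeholder (KB0000000 is not a real update); replace it with the
# KB identifiers published for the CVEs your organisation is tracking.
param(
    [int]$MaxAgeDays = 14,
    [string[]]$RequiredKBs = @('KB0000000')
)

function Get-PatchComplianceReport {
    param([int]$MaxAgeDays, [string[]]$RequiredKBs)

    # Get-HotFix reads Win32_QuickFixEngineering; some entries carry no install date, so drop those.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn }
    $latest   = $hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1

    $ageDays = $null
    $latestId = 'none'
    $latestDate = 'n/a'
    if ($latest) {
        $ageDays    = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        $latestId   = $latest.HotFixID
        $latestDate = $latest.InstalledOn.ToString('yyyy-MM-dd')
    }

    # Any required KB not present in the installed list is reported as missing.
    $missing = @()
    foreach ($kb in $RequiredKBs) {
        if (-not ($hotfixes | Where-Object { $_.HotFixID -eq $kb })) { $missing += $kb }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        LatestHotFix       = $latestId
        LatestInstalledOn  = $latestDate
        DaysSinceLastPatch = $ageDays
        WithinWindow       = ($null -ne $ageDays -and $ageDays -le $MaxAgeDays)
        MissingKBs         = ($missing -join ',')
    }
}

$report = Get-PatchComplianceReport -MaxAgeDays $MaxAgeDays -RequiredKBs $RequiredKBs
$report | Format-List

# A non-zero exit code lets a scheduled task or RMM agent flag the host for follow-up.
if (-not $report.WithinWindow -or $report.MissingKBs) { exit 1 } else { exit 0 }
```

Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, which is enough for a quick cadence check across a fleet but can lag behind Windows Update history for the newest cumulative updates; for an authoritative view, compare against the Windows Update history or your management platform's compliance data.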
Critical Security Update For Millions Of Windows 10, 11 & Server Users – Forbes