This past week's Patch Tuesday started with 73 updates, but ended (so far) with three revisions and one late addition (CVE-2022-30138), for a total of 77 vulnerabilities addressed this month. Compared with the extensive set of updates released in April, we see a greater urgency to patch Windows, especially with three zero-days and a number of serious flaws in key server and authentication areas. Exchange will require attention, too, due to new server update technology.
There were no updates this month for Microsoft browsers or Adobe Reader. And Windows 10 20H2 (we hardly knew you) is now out of support.
You can find more information on the risk of deploying these Patch Tuesday updates in this helpful infographic, and the MSRC Center has posted a good overview of how it handles security updates here.
Key testing scenarios
In light of the huge number of changes included with this May patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups:
High risk: These changes are likely to include functionality changes, may deprecate existing functions, and will likely require new test plans:
- Test your enterprise CA certificates (both new and renewed). Your domain server KDC will automatically validate the new extensions included in this update. Look for failed validations!
- This update includes a change to driver signatures that now includes timestamp checking as well as Authenticode signatures. Signed drivers should load. Unsigned drivers should not. Check your application test runs for failed driver loads. Also include checks for signed EXEs and DLLs.
The following changes are not documented as including functional changes, but will still require at least "smoke testing" before the general deployment of the May patches:
- Test your VPN clients when using RRAS servers: include connect and disconnect (using all protocols: PPP/PPTP/SSTP/IKEv2).
- Check that your EMF files open as expected.
- Check your Windows Address Book (WAB) application dependencies.
- Test BitLocker: start/stop your machines with BitLocker enabled and then disabled.
- Verify that your credentials are accessible via VPN (see Microsoft Credential Manager).
- Test your V4 printer drivers (especially with the later arrival of CVE-2022-30138).
This month's testing will require a number of reboots of your test resources and should include both (BIOS/UEFI) virtual and physical machines.
Known issues
Microsoft includes a list of known issues affecting operating systems and platforms included in this update cycle:
- After installing this month's update, Windows devices using certain GPUs may cause apps to close unexpectedly, or generate an exception code (0xc0000094 in module d3d9on12.dll) in apps using Direct3D version 9. Microsoft has published a KIR Group Policy update to resolve this issue with the following GPO settings: Download for Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1, and Windows 10, version 21H2.
- After installing updates published on or after January 11, 2022, apps that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust information may fail or generate an access violation (0xc0000005) error. It appears that applications that depend on the System.DirectoryServices API are affected.
Microsoft has really upped its game when discussing recent fixes and updates for this release with a useful update highlights video.
Major revisions
Although there is a much smaller list of patches this month than in April, Microsoft has released three revisions, including:
- CVE-2022-1096: Chromium: CVE-2022-1096 type confusion in V8. This March patch has been updated to include support for the latest version of Visual Studio (2022) to allow updated rendering of WebView2 content. No further action is required.
- CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This April patch has been updated to include all supported versions of Visual Studio (15.9 to 17.1). Unfortunately, this update may require some application testing for your development team, as it affects how WebView2 content is rendered.
- CVE-2022-30138: Windows Print Spooler Elevation of Privilege Vulnerability. This is an informational change only. No further action is required.
Mitigations and workarounds
For the month of May, Microsoft released a key mitigation for a serious Windows Network File System vulnerability:
- CVE-2022-26937: Windows Network File System Remote Code Execution Vulnerability. You can mitigate an attack by disabling NFSV2 and NFSV3. The following PowerShell command will disable those versions: “PS C:\> Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false”. Once done, you need to restart your NFS server (or reboot the machine). To confirm that the NFS server has been updated correctly, use the PowerShell command “PS C:\> Get-NfsServerConfiguration”.
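As an added example (not from Microsoft or the original article), the following PowerShell script applies the mitigation above only when NFSv2 or NFSv3 is still enabled, restarts the NFS server, and fails if the change did not take effect. It assumes an elevated session on a server with the Server for NFS role installed; the -SkipRestart switch is a name invented for this example, and nfsadmin is the Server for NFS command-line tool.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the CVE-2022-26937 mitigation (disable NFSv2/NFSv3).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch for this example: leave the restart to a planned reboot.
    [switch]$SkipRestart
)

$ErrorActionPreference = 'Stop'

# The NFS cmdlets are only present where Server for NFS is installed.
if (-not (Get-Command Set-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
    Write-Output 'Server for NFS cmdlets not found; nothing to mitigate on this host.'
    return
}

# Record the starting state so the change can be audited (and reverted after patching).
$before = Get-NfsServerConfiguration
Write-Output ('Before: EnableNFSV2={0} EnableNFSV3={1}' -f $before.EnableNFSV2, $before.EnableNFSV3)

if ($before.EnableNFSV2 -or $before.EnableNFSV3) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable NFSv2 and NFSv3')) {
        Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

        if (-not $SkipRestart) {
            # Restart the NFS server so the new protocol settings are picked up.
            nfsadmin server stop
            nfsadmin server start
        }
    }
}
else {
    Write-Output 'NFSv2 and NFSv3 are already disabled.'
}

# Verify: re-read the configuration and fail if either legacy version is still on.
$after = Get-NfsServerConfiguration
Write-Output ('After:  EnableNFSV2={0} EnableNFSV3={1}' -f $after.EnableNFSV2, $after.EnableNFSV3)

if ($after.EnableNFSV2 -or $after.EnableNFSV3) {
    throw 'NFSv2/NFSv3 still enabled; the mitigation is not in place.'
}
```

Run it with -WhatIf first to see whether a host would be changed without touching its configuration.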
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development Platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired ???, maybe next year).
Browsers
Microsoft has not released any updates to its legacy (IE) or Chromium (Edge) browsers this month. We're seeing a downward trend in the number of complex issues that have plagued Microsoft over the past decade. My feeling is that moving to the Chromium project has been a definite “super plus-plus win-win” for both the development team and users.
When it comes to legacy browsers, we need to be prepared for the retirement of IE coming in mid-June. And by “prepared” I mean, of course, having made sure that legacy apps don't rely too much on the old IE rendering engine. Please add “IE Retirement” to your browser deployment schedule. Your users will understand.
Windows
The Windows platform has received six critical updates this month and 56 patches rated important. Unfortunately, we also have three zero-day exploits:
- CVE-2022-22713: This publicly disclosed vulnerability in Microsoft's Hyper-V virtualization platform requires an attacker to successfully exploit an internal race condition to reach a potential denial-of-service scenario. This is a serious vulnerability, but several vulnerabilities need to be chained together for an attack to succeed.
- CVE-2022-26925: Both publicly disclosed and reported as exploited in the wild, this LSA authentication issue is a real concern. It will be easy to patch, but the testing profile is large, which makes it hard to deploy quickly. In addition to testing your domain authentication, make sure the backup (and restore) functions are working as expected. We highly recommend checking the latest Microsoft support notes on this ongoing issue.
- CVE-2022-29972: This publicly disclosed vulnerability in the Redshift ODBC driver is quite specific to Synapse applications. But if you have any exposure to Azure Synapse RBAC, deploying this update is a top priority.
In addition to these zero-day issues, there are three other issues that need your attention:
- CVE-2022-26923: This vulnerability in Active Directory authentication is not quite “wormable,” but exploitation is so easy that I wouldn't be surprised to see it actively attacked soon. Once compromised, this vulnerability will give an attacker access to your entire domain. The risk is much higher.
- CVE-2022-26937: This Network File System bug has a rating of 9.8, one of the highest reported this year. NFS is not enabled by default, but if you have Linux or Unix on your network, you are probably using it. Patch this issue, but we also recommend upgrading to NFSv4.1 as soon as possible.
- CVE-2022-30138: This patch was released after Patch Tuesday. This print spooler issue only affects older systems (Windows 8 and Server 2012) but requires significant testing before deployment. This is not a super critical security issue, but the potential for printer-based issues is large. Take your time before deploying this one.
Add this month’s Windows Update to your “Patch Now” schedule, given the number of serious exploits and the three zero-days in May.
Microsoft Office
Microsoft has released just four updates for the Microsoft Office platform (Excel, SharePoint), all of which have been rated critical. All of these updates are difficult to exploit (requiring both user interaction and local access to the target system) and only affect 32-bit platforms. Add these low-profile, low-risk Office updates to your standard release schedule.
Microsoft Exchange Server
Microsoft has released a single update to Exchange Server (CVE-2022-21978), which is rated important and seems to be quite difficult to exploit. This elevation-of-privilege vulnerability requires fully authenticated access to the server, and so far there have been no reports of public disclosure or exploitation in the wild.
More importantly this month, Microsoft has introduced a new method for updating Microsoft Exchange Server that now includes:
- Windows Installer patch file (.MSP), which works best for automatic installation.
- Self-extracting, auto-elevating installer (.exe), which works best for manual installation.
This is an attempt to address the problem of Exchange admins updating their server systems in a non-administrator context, resulting in a bad server state. The new EXE format allows for command-line installation and better installation logging. Microsoft has helpfully published the following EXE command-line example:
“Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains”
Note that Microsoft recommends that you have the %Temp% environment variable set before using the new EXE installation format. If you follow the new method of using the EXE to update Exchange, remember that you still need to (separately) deploy the monthly SSU update to make sure your servers are up to date. Add this update (or EXE) to your standard release schedule, ensuring that a full reboot is performed when all updates are complete.
Microsoft Development Platform
Microsoft has released five updates rated important and a single patch with a low rating. All of these patches affect Visual Studio and the .NET Framework. As you will be updating your Visual Studio instances to address these reported vulnerabilities, we recommend that you read the Visual Studio April update guide.
To learn more about the specific issues addressed from a security perspective, the May 2022 .NET update blog posting will be useful. Note that .NET 5.0 has now reached the end of support, and before you upgrade to .NET 7, it may be worth checking for compatibility issues or “breaking changes” that need to be fixed. Add these medium-risk updates to your standard update schedule.
Adobe (really just Reader)
I thought we were seeing a trend. There are no Adobe Reader updates for this month. That said, Adobe has released several updates to other products available here: APSB22-21. Let's see what happens in June – maybe we can retire both Adobe Reader and IE.
Copyright © 2022 IDG Communications, Inc.