October brings four zero-day exploits and 74 updates to the Windows ecosystem, including a hard-to-test kernel update (CVE-2021-40449) that requires immediate attention and an Exchange Server update that requires technical skill and due diligence (and a reboot). The testing profile for the October Patch Tuesday covers Windows error handling, AppX, Hyper-V and Microsoft Word. We recommend a Patch Now schedule for Windows and then staging the remaining patch groups according to your normal release pattern.
You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.
There are no reported high-risk changes to the Windows platform. However, there is one reported functional change and an additional feature added:
I think it is now safe to say that the Microsoft AppX format was not as widely adopted in the enterprise as expected. Even so, this October update includes significant upgrades to Microsoft AppX containers and deployment tools. If you run an enterprise Microsoft “store” for your applications, we recommend testing both the installation and the uninstallation of your AppX applications and their associated runtimes.
On the topic of lesser-used Windows features, the Microsoft NTFS file system was updated to include a fix for symbolic links (helpful with UNIX migrations). If you are in the middle of a large UNIX migration, you may want to pause things a little and test some large (and parallel) file transfers across symbolic links before deploying this update.
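One way to run that transfer test before the update goes to production, as an added PowerShell example that is not part of the article: it builds a tree of real files plus NTFS file and directory symbolic links, copies it with robocopy's multithreaded mode, and checks that every item reached through a link still hashes the same as the real file. The drive letters, file counts and sizes are assumptions.

```powershell
# Added example, not from the article: build a tree that mixes real files with NTFS
# file and directory symbolic links, copy it to a second volume with robocopy's
# multithreaded mode so transfers overlap, then verify that every copied item
# resolves and hashes match. Paths, counts and sizes are assumptions; creating
# symbolic links needs an elevated prompt (or Developer Mode).
$Source = 'D:\SymlinkTest\src'   # assumed test tree
$Dest   = 'E:\SymlinkTest\dst'   # assumed target volume
$Files  = 8
$SizeMB = 64                     # raise for a realistic large-transfer test

New-Item -ItemType Directory -Force -Path "$Source\real" | Out-Null
$buf = New-Object byte[] (1MB)
(New-Object System.Random).NextBytes($buf)
foreach ($i in 1..$Files) {
    $real = "$Source\real\file$i.bin"
    $fs = [System.IO.File]::Create($real)
    foreach ($n in 1..$SizeMB) { $fs.Write($buf, 0, $buf.Length) }
    $fs.Close()
    # file symlink beside the real data
    New-Item -ItemType SymbolicLink -Path "$Source\link$i.bin" -Target $real | Out-Null
}
# directory symlink to the whole data folder
New-Item -ItemType SymbolicLink -Path "$Source\linkdir" -Target "$Source\real" | Out-Null

# Parallel copy: /MT:16 uses 16 threads, /E includes subfolders; links are
# followed by default, so the copy should contain the data they point at.
robocopy $Source $Dest /E /MT:16 /R:1 /W:1 /NP /NFL /NDL
"robocopy exit code $LASTEXITCODE (values below 8 mean no failures)"

# Verification: content reached through each link must equal the real file.
$bad = 0
foreach ($i in 1..$Files) {
    $want = (Get-FileHash "$Source\real\file$i.bin").Hash
    foreach ($p in "$Dest\real\file$i.bin", "$Dest\link$i.bin", "$Dest\linkdir\file$i.bin") {
        if (-not (Test-Path $p) -or (Get-FileHash $p).Hash -ne $want) { "MISMATCH: $p"; $bad++ }
    }
}
"$bad problem(s) found; destination items:"
Get-ChildItem $Dest | Select-Object Name, LinkType, Target
```

Run it once on a machine without the update and once on a pilot machine with it, and compare the two reports; any mismatch or a robocopy exit code of 8 or higher is a reason to hold the update back.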
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:
At the time of writing for this July update cycle, there were two major revisions to previously released updates:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft published 33 updates to the Chromium-based Edge browser this cycle. Because Chromium does not integrate deeply into the desktop or server operating system, collisions or dependency issues are unlikely. You can find out more about the Chromium project’s update cycle and release notes here.
However, one of the key components of Internet Explorer (IE), IEFRAME.DLL, was updated this month. Third-party applications and in-house developed software may depend on this library. For this particular update, it looks as if Microsoft has changed how browser tabs are handled, particularly how they are created. If you see “Invalid Pointer Bad Ref Count” (or similar) errors in your testing, they may well be related to this update to the core Internet Explorer system libraries (DLLs). Add both of these groups of browser updates to your regular update schedule.
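To find out which applications actually depend on IEFRAME.DLL before that testing starts, here is an added PowerShell inventory script (not from the article): it lists running processes that have the library mapped and scans an application folder for binaries whose import table names it. The folder path and report location are assumptions.

```powershell
# Added example, not from the article: list running processes that have
# IEFRAME.DLL mapped and executables under an application folder whose import
# table names it, so you know what to retest. The folder path is an assumption;
# run elevated to see the modules of processes owned by other users.
$AppRoot = 'C:\LineOfBusinessApps'   # assumed location of in-house software
$Report  = Join-Path $env:TEMP 'ieframe-dependencies.csv'

# 1. Dynamic dependency: the library is loaded right now
$loaded = Get-Process | ForEach-Object {
    try {
        $hit = $_.Modules | Where-Object { $_.ModuleName -ieq 'ieframe.dll' }
        if ($hit) {
            [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Path = $_.Path; Detail = ($hit.FileName -join ';') }
        }
    } catch { }   # access denied or 32/64-bit mismatch on some processes
}

# 2. Static dependency: import names are stored as plain ASCII inside the PE
# file, so a literal search is a fast heuristic (treat hits as "retest this").
$static = Get-ChildItem $AppRoot -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'ieframe.dll' -SimpleMatch -Quiet } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Binary'; Name = $_.Name; Path = $_.FullName; Detail = 'import reference' }
    }

$all = @($loaded) + @($static)
$all | Export-Csv -Path $Report -NoTypeInformation
"$($all.Count) IEFRAME.DLL dependency(ies) found; report written to $Report"
$all | Format-Table Kind, Name, Path -AutoSize
```

Anything in the report is a candidate for the tab-creation regression testing described above; binaries that load the library late via LoadLibrary will only show up in the process list while they are running.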
This month, Microsoft published four critical updates for the Windows ecosystem and a further 45 patches rated as important. Unfortunately, update CVE-2021-40449 for the Windows Kernel has been reported as exploited. This pairs a difficult-to-test, low-level update to Windows core systems with an urgency to mitigate or patch. We have included testing guidance in a section above that covers a lot of this month’s Windows changes. However, testing kernel updates is very tough. Test your core apps thoroughly, release your updates in rings or stages, and add this update to your Patch Now schedule.
Microsoft released 16 updates to Microsoft Office and Microsoft SharePoint, with one rated as critical (CVE-2021-40486) affecting Microsoft Word and the remaining patches affecting Excel and SharePoint. The Word security issue, while serious, has not been publicly disclosed and there are no reports of exploits in the wild. Note: SharePoint will require a reboot after its update. We recommend adding these to your regular patch release schedule.
Unfortunately, Microsoft Exchange Server updates are back for October. There are four patches for Exchange Server (both 2016 and 2019), all rated as important. However, CVE-2021-36970 has a base score of 9.0 on the CVSS vulnerability rating scale. That is very high (meaning serious) and would usually warrant a critical rating from Microsoft. However, because the CVSS “scope” of this vulnerability is limited, the potential damage is much reduced.
Microsoft has published updated documentation detailing a number of known issues relating to this month’s Exchange Server patches where a manual application of MSP files does not correctly install all of the necessary files. In addition, misapplying this update may leave your Exchange server in a disabled state. This issue applies to the following October updates:
This installation issue is a particular concern when applying the updates manually under User Account Control (UAC), and does not occur when you use Microsoft Update. Otherwise, note that this Exchange update will require a server reboot; we recommend adding it to your regular update schedule.
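For teams that must apply the MSP files by hand, the following added PowerShell function (not from the article or from Microsoft) applies an Exchange update only from an elevated session, logs the installation verbosely, and reports a reboot-required exit code as a success rather than a failure. The function name, log location and update file path are assumptions.

```powershell
# Added example, not from the article: apply an Exchange Server security update
# (.msp) only from an elevated session, via msiexec with a verbose log, and map
# the exit code so that "reboot required" is not mistaken for a failure.
# Function name and the update file path are assumptions.
function Install-ExchangeMsp {
    param(
        [Parameter(Mandatory)] [string] $MspPath,    # e.g. 'C:\Updates\Exchange-SU.msp' (assumed)
        [string] $LogPath = (Join-Path $env:TEMP 'ExchangeSU-install.log')
    )
    # Refuse to run from a UAC-filtered (non-elevated) token
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: rerun from an elevated prompt so all files are installed.'
    }
    if (-not (Test-Path $MspPath)) { throw "Update file not found: $MspPath" }
    # Only apply a package whose Authenticode signature verifies
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for $MspPath ($($sig.Status))" }

    $msiArgs = @('/update', "`"$MspPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { Write-Output "Installed; log: $LogPath" }
        3010 { Write-Output "Installed; a server reboot is required to finish (exit 3010); log: $LogPath" }
        1641 { Write-Output 'Installed; msiexec has started a reboot (exit 1641)' }
        default {
            # Surface the installer's own status line from the verbose log
            $status = Select-String -Path $LogPath -Pattern 'Installation success or error status' |
                      Select-Object -Last 1
            throw "msiexec exit $($proc.ExitCode): $($status.Line)"
        }
    }
    return $proc.ExitCode
}

# Usage (assumed path):
# Install-ExchangeMsp -MspPath 'C:\Updates\Exchange-SU.msp'
```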
Microsoft released three updates to Visual Studio and one patch for .NET 5.0 this month. All were rated as important by Microsoft and at worst could lead to information disclosure or “denial of service” (application specific and localized). The Visual Studio updates are very straightforward and should be included in your standard development release cycle.
Adobe released four updates to its core Reader product group with security bulletin APSB1221-104. Two of these updates (a use-after-free, CWE-416, and an out-of-bounds write, CWE-787) are rated as critical by Adobe. While both have CVSS scores of 7.8 (which is pretty high for a PDF reader), they do not require an urgent update. Add these to your regular update schedule.