October 2022 Patch Tuesday was a little unusual last month, as it “sort of” repeated itself the following week. Microsoft did an about-face and released a series of non-security updates that fixed some discovered connection issues, forcing many to go through another unplanned patch cycle. They also left several zero-day vulnerabilities unaddressed, making us wonder when these open items will be fixed. November could be an important Patch Tuesday to fix these issues.
Reported vulnerabilities in OpenSSL 3 received a lot of media coverage this month. There are two buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786. The first was initially reported with a critical rating because of the possibility of remote code execution, but was later downgraded to high because it proved difficult to exploit. The second is rated high because it can cause a denial of service.
These vulnerabilities are present in OpenSSL versions 3.0.0 through 3.0.6 and are corrected in version 3.0.7. The limited adoption of these 3.x releases so far also factored into the high ratings. The initial concern was that CVE-2022-3602 could lead to another Heartbleed situation; Heartbleed (CVE-2014-0160 in OpenSSL) was widely exploited in 2014. The good news is that these recent CVEs are much harder to exploit, but you should still update OpenSSL in your environment to the latest version during your next patch cycle to protect against future attacks.
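A quick inventory check helps turn the version range above into something actionable. The script below is an added example and is not tooling from the newsletter or from the OpenSSL project; it parses the banner that `openssl version` prints (and that Python exposes as `ssl.OPENSSL_VERSION`), flags any build in the 3.0.0 to 3.0.6 window described in the article, and treats non-OpenSSL banners such as LibreSSL as unknown rather than guessing. The sample banners at the bottom are constructed for illustration.

```python
"""Flag OpenSSL builds in the CVE-2022-3602 / CVE-2022-3786 window (3.0.0 through 3.0.6).
Added example for inventory checks; not the article's or OpenSSL's own tooling."""
import re
import ssl
import subprocess
from typing import Dict, Optional, Tuple

# Affected range as stated in the article: OpenSSL 3.0.0 to 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)
ADVISORY_CVES = ("CVE-2022-3602", "CVE-2022-3786")

# Matches the banner printed by `openssl version` and exposed by ssl.OPENSSL_VERSION,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenSSL banner, or None when the banner
    is not OpenSSL at all (macOS ships LibreSSL, which this check deliberately does not rate)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> Optional[bool]:
    """True for an OpenSSL build in [3.0.0, 3.0.7); False outside that window
    (1.1.1, 3.0.7 and later, 3.1 and later); None when the version is unrecognised."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return AFFECTED_MIN <= version < FIXED_IN


def assess(banner: str) -> Dict[str, object]:
    """Build a small finding record for one banner, suitable for an inventory report."""
    affected = is_affected(banner)
    if affected is None:
        status = "unknown (not an OpenSSL banner)"
    elif affected:
        status = "AFFECTED - update to %d.%d.%d or later" % FIXED_IN
    else:
        status = "not affected"
    return {
        "banner": banner.strip(),
        "affected": affected,
        "status": status,
        "cves": ADVISORY_CVES if affected else (),
    }


def local_banners() -> Dict[str, str]:
    """Collect banners from this host: the library Python is linked against and,
    when present, the `openssl` command on PATH. The two can differ (a vendored
    library versus the system package), which is why both are reported."""
    banners = {"python-ssl-module": ssl.OPENSSL_VERSION}
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, timeout=5, check=False)
        banners["openssl-cli"] = out.stdout.strip() or out.stderr.strip()
    except (FileNotFoundError, subprocess.SubprocessError):
        banners["openssl-cli"] = "(openssl binary not found)"
    return banners


if __name__ == "__main__":
    # Constructed sample banners covering the cases a scan will meet.
    samples = [
        "OpenSSL 3.0.5 5 Jul 2022",      # in the affected window
        "OpenSSL 3.0.7 1 Nov 2022",      # the fixed release
        "OpenSSL 1.1.1q  5 Jul 2022",    # older branch, not in scope of these CVEs
        "LibreSSL 3.3.6",                # not OpenSSL; reported as unknown
    ]
    for sample in samples:
        print(assess(sample))
    for source, banner in local_banners().items():
        print(source, assess(banner))
```

One caveat when running this across a fleet: distribution packages often backport the fix while keeping the upstream version banner, so a build reported as 3.0.x below 3.0.7 is a candidate to confirm against the package manager's changelog, not a certain finding. The check is also per-library, so containers and statically linked applications that bundle their own OpenSSL need to be inventoried separately from the host package.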
Out of band updates
Microsoft released several non-security out-of-band updates this month. In the week after Patch Tuesday, an update was released for most server and workstation operating systems to address “an issue that may affect certain types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections can have handshake failures.” This fix is not necessary if you are not experiencing connection issues. See the Windows 11 release note if you want to know more.
On October 28, Microsoft released another out-of-band update, KB 5020953, to address OneDrive sync issues that could prevent it from working. As the knowledge base article notes, it requires manual download and installation and is not necessary if you are not experiencing any issues. As with all Microsoft updates, these fixes will roll into next week’s Patch Tuesday release if you haven’t had a chance to apply them and need them.
Microsoft and Google
I mentioned last month that Microsoft disclosed two new zero-day vulnerabilities on September 30. They provided tools and manual mitigations for the Exchange Server elevation-of-privilege vulnerability (CVE-2022-41040) and the Exchange Server remote code execution vulnerability (CVE-2022-41082), the pair associated with the ProxyNotShell attacks. Despite October Patch Tuesday and several out-of-band releases throughout the month, we have yet to see a fix. Maybe next week?
There are three months of updates left for Windows 7 and Server 2008/2008 R2; the final Extended Security Update (ESU) release is on January 10, 2023. Google has also announced that it is dropping Chrome support for Windows 7 in February 2023 and that Chrome 109 will be the last version to support these operating systems.
One last note before the forecast: Microsoft mentioned at Ignite this year that it is rebranding the 32-year-old Office suite as Microsoft 365. Marketing announced the change quietly, and you may see actual name changes starting with the November updates.
November 2022 Patch Tuesday Predictions
- As I predicted last month, ESU updates continue to get a lot of attention, with over 40 CVEs addressed in operating systems nearing their end of life. Expect this trend to continue this month.
- Expect an update for Microsoft Exchange Server this month to address the two reported zero-day vulnerabilities. Keep an eye on Microsoft Office as it transitions to Microsoft 365. As with ESU updates, there will likely be a push to address open vulnerabilities in all remaining operating systems before the holidays.
- Adobe Acrobat and Reader usually don’t get a major update this month, but as always, be on the lookout for an update with a few CVEs.
- Apple released its latest operating system, macOS 13 Ventura, on October 24. On the same day it released Big Sur 11.7.1 and Monterey 12.6.1. These security updates should be included in this patch cycle if you have not already applied them.
- Google’s beta channels for ChromeOS and Desktop were updated this week, so expect the stable releases to follow soon. Google also updated the long-term support channel to 102.0.5005.184 this week, so factor that into your patch activity.
- Mozilla’s latest updates for Thunderbird, Firefox, and Firefox ESR were released on October 18. We might see updates for all three next week.
It would be nice if Microsoft provided updates this month that fix many of the issues I mentioned, so we can head into the holiday season with secure, stable systems and peace of mind.