This month Microsoft offered up a relatively light Patch Tuesday, rolling out 44 patches for its Windows, Office, and development platforms.
The focus for August is squarely on the Windows printing updates (CVE-2021-34481 and CVE-2021-36936) due to active exploits and public disclosures. Unfortunately, these critical and urgent Windows patches are paired with a number of difficult-to-test updates to the Windows networking stack, the NTFS file system, and core graphics system components (GDI). We recommend that you urgently patch Windows systems and then test and deploy your Office, browser, and development patches according to a standard release schedule.
This month we have included some key testing scenarios for Windows, Office, and .NET to support a more focused testing regime for these releases.
Though we generally do not have to worry about Azure when considering enterprise update impact, this month Microsoft addressed a vulnerability for Azure AD Connect (CVE-2021-36949). In addition to this update, Microsoft published detailed technical steps that should further harden your system.
You can find more information about the risks of deploying these Patch Tuesday releases in this infographic.
Key testing scenarios
There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change and an additional feature:
- Test your printers, with a view to potentially stopping all necessary spooler services.
- Test launching and making changes in Remote Desktop sessions.
- Test using Bluetooth to transfer files and connect Bluetooth input devices.
- Test plugging and unplugging “plug and play” devices such as docking stations and USB input devices.
- Test in ASP.NET Core using ASP.NET Core WebSockets Echo Server. You can read more about WebSockets Server in this article from Microsoft.
- Test your applications and code that exercise Security/Administration within the .NET foundation.
This month’s security fixes relate to how Office (Word) code handles 3D objects. Microsoft has offered some brief testing recommendations for Word that include:
- Test inserting 3D models of various formats into Word, PowerPoint, and Excel.
- Test 3D animations (resizing and rotations)
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds:
- After installing this (August) update, the Encrypted File System (EFS) API OpenEncryptedFileRaw (A/W), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device.
- ESU updates to Windows 7 and Server 2008 may still cause issues if you have not activated your ESU MAK key. You can find out more about how to activate your MAK key here.
- Microsoft has resolved one of July’s reported issues relating to Windows Server 2012 (KB5004294) where third-party applications no longer run as expected.
One issue to consider with enterprise deployments using “gold images” for desktop deployments is that the recent (July) update may remove the Microsoft Edge Legacy browser and not replace it with the new Microsoft Edge. This is a particular issue with all Microsoft Servicing Stack updates from March 29, 2021 or later. To avoid this issue, Microsoft recommends: “be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU.” You can read more about this here.
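The slipstream order Microsoft recommends above (SSU first, then LCU), as an added example that is not from the original article or from Microsoft. Every path and package file name is a placeholder assumption; substitute your own image and the update packages you have downloaded.

```powershell
# Added example: offline servicing of a gold image, SSU before LCU.
# All paths and file names below are placeholders (assumptions), not values from the article.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Wim      = 'C:\Images\install.wim'            # placeholder: custom offline image
$Index    = 1                                  # placeholder: edition index inside the WIM
$MountDir = 'C:\Mount\gold'                    # placeholder: empty working directory
$Ssu      = 'C:\Updates\SSU-PLACEHOLDER.msu'   # placeholder: SSU dated March 29, 2021 or later
$Lcu      = 'C:\Updates\LCU-PLACEHOLDER.msu'   # placeholder: latest cumulative update

# Fail early if any input is missing, before the image is mounted.
foreach ($file in $Wim, $Ssu, $Lcu) {
    if (-not (Test-Path -LiteralPath $file)) { throw "Missing input: $file" }
}
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $MountDir | Out-Null
try {
    # Order matters: servicing stack first, cumulative update second.
    foreach ($pkg in $Ssu, $Lcu) {
        Write-Host "Adding $pkg"
        Add-WindowsPackage -Path $MountDir -PackagePath $pkg | Out-Null
    }

    # Show the most recently installed packages so the result can be reviewed
    # before the image is committed.
    Get-WindowsPackage -Path $MountDir |
        Sort-Object InstallTime -Descending |
        Select-Object -First 5 PackageName, PackageState, InstallTime |
        Format-Table -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Never commit a half-serviced image: discard the mount and surface the error.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

After servicing, boot a test machine from the image and confirm that the new Microsoft Edge is present before the image goes into production.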
At the time of writing, there were four major updates to previously released updates:
- CVE-2021-34481 — Windows Print Spooler Remote Code Execution Vulnerability. This is a major update to affected operating systems and an escalation of the severity of this security issue. This update will require further testing before deployment.
- CVE-2021-36934 — Windows Elevation of Privilege Vulnerability. This is a repeat offender, now on its fifth update. There is a lot to attend to here; you can find out more in KB5005357.
- CVE-2020-0765 — Remote Desktop Connection Manager Information Disclosure. This is an informational update to announce the release of Remote Desktop Connection Manager 2.82. No further action required.
And just added yesterday:
- CVE-2021-26423 | .NET Core and Visual Studio Denial of Service Vulnerability. This updated version is important as it addresses a vulnerability in PowerShell that depends upon .NET Core. This means that your development/scripting platform will require some attention. You can read more on GitHub here.
Mitigations and workarounds
As of now, it does not appear that Microsoft has published any mitigations or work-arounds for this August release cycle.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired? …not yet!)
Last week, Microsoft published seven updates to the Microsoft Chromium browser Edge that dealt primarily with “use after free” memory issues. There do not appear to be any urgent issues to address with these vulnerabilities and the testing profile is expected to be minimal for most cases. You can read more about these releases on the Microsoft Edge Security update page. Microsoft did not release any updates to its legacy desktop browser (IE11) this month, so no further action is required for this cycle.
Though much reduced in number, the August patch cycle is pretty challenging for the Windows platform. We see seven critical updates to the Windows kernel, core graphics engine, networking stack, and scripting components. Adding to this patch cohort are 20 updates rated as important by Microsoft that update the local filesystem, error logging, media codecs, and the Windows update process itself. Alone, these updates are worthy of significant testing before deployment to enterprise systems.
The focus here is not so much on the update process, but the urgent requirement to address this month’s zero-day print-related issues. If you have to focus on one thing this month, printing and the vulnerabilities CVE-2021-34481 and CVE-2021-36936 should keep you busy. I think one aspect of the urgent and critical updates for this month is that Microsoft has fundamentally changed how printers are installed and managed (we think for the better).
“This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change.”
My feeling is that these (printing related) security issues and associated changes required to address them will continue for a little while longer. I suspect that the newly required administrative privileges will have a pernicious effect on printer management software and should not be underestimated. The best case scenario here is that we have a slew of printer and software updates to test and deploy over the short-term. I think that we will more likely see printer vendors having to resolve a number of critical bugs in their administrative tools. Add these Windows updates to your “Patch Now” schedule.
If you are choosing to update your Windows systems on a quarterly basis (you are in a regulated industry) then Microsoft Servicing Stack Updates (SSU) may be an issue for you when applying August updates. All of the July SSU updates (and the previous updates released in May) must be installed before applying this month’s updates. This is a “must do” for all Windows 10 20H1/H2 systems.
This is another light month for Microsoft Office updates with only three updates (Office, Word, and SharePoint), all of which are rated as important by Microsoft for August. Most importantly, there are no Exchange server updates and none of the three reported Office vulnerabilities includes preview attack vectors. If you receive “c42q8,” “c42ra,” or “c42rh” error messages after installing SharePoint updates, Microsoft has issued a note detailing how certain SharePoint workflows are affected (i.e. they stop working).
One of the questions we deal with each month is how Office updates affect system reboots. Here is a quick summary of how Office updates may affect your systems:
- Updates for most client products can be uninstalled. Server updates cannot be uninstalled.
- For client updates, if the application is in use during the update, a reboot is required to complete the installation.
- Server updates always require a reboot.
Add these August Microsoft Office updates to your standard release schedule.
Microsoft Exchange Server
We are in a very good position this month; we do not have any Exchange Server updates.
Microsoft development platforms
Very much like the other platform groups, August’s Update Tuesday brings us (only) three minor updates (CVE-2021-26423, CVE-2021-34532, and CVE-2021-34485), all of which are rated as important and apply to the ASP.NET and .NET environments. Add these relatively low-risk development updates to your standard platform release schedule.
Microsoft has not released Windows-specific updates to any Adobe products this month. I keep thinking that we can retire this section as Flash and Shockwave are now (bad) memories. However, I expect that with the current printing issues we will see another update relating to Adobe Reader and PDF converters/generators next month. Watch this space. I would also like to add that this month’s update, like previous updates, will force the removal of Flash from the target machine. For more information, see the Update on Adobe Flash Player End of Support.