This is a relatively light Patch Tuesday update from Microsoft, though wo significant vulnerabilities in the Windows platform (CVE-2021-38631 and CVE-2021-41371), both relating to Remote Desktop Protocol handling, have been disclosed and are lending some urgency to applying Windows updates. And we have another technically challenging update to Microsoft Exchange Server to manage as well.
Pay close attention to the Servicing Stack Updates (SSU) this month, as it may affect how your applications install (with particular focus on the un-installation process). Microsoft has already said there will not be a C patch cycle release next month, which means the December Patch Tuesday release should be light. You can find more information about the risk of deploying these Patch Tuesday updates with this infographic.
Key testing scenarios
There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature:
- You will have to test your printers again. Try using Notepad first, then Adobe Reader (PDFs) and include images (PNG, JPG, BMP). Testing is especially important if you have V3 printer drivers.
- If your line-of-business apps are using COM (or heaven forbid DCOM), you will need a full burn-in test. Changes in the COM STA Threading model could lead to difficult trouble-shooting scenarios.
- Using the Microsoft Movies and TV application, play MP4 videos and check for audio issues.
- You may not be using Internet explorer (IE), but applications may have dependencies on IE components (IEFRAME.DLL). Assess your application portfolio for this key dependency, and then test for Office component integration issues and tabbed browsing.
- Also, have a look at Microsoft Timeline, as minor changes have been made to how your data is managed.
The biggest issue (or engineering task) this month is the need to validate that your applications install, repair, update, and uninstall correctly. Check your Windows Installer logs (0’s for success). I think this is a big job as we commonly focus on application installations; this time we have to look at how applications are uninstalled. Once an application has been uninstalled, the target machine should be clean, error logs empty, and no applications broken. Getting this right will allow for the next MSI Installer update to run smoothly.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds from Microsoft, including:
- After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, “PSFX_E_MATCHING_BINARY_MISSING.” For more information and a workaround, see KB5005322.
- Some Windows 10 LTSC systems are encountering an issue after installing KB4493509. Devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” Microsoft is currently working on a fix.
- Windows print clients might encounter the following errors when connecting to a remote printer shared on a Windows print server: 0x000006e4 (RPC_S_CANNOT_SUPPORT), 0x0000007c (ERROR_INVALID_LEVEL), 0x00000709 (ERROR_INVALID_PRINTER_NAME). Microsoft is working on this issue. We expect that there may be an OOB update to address these before December’s B release (Patch Tuesday). The good news here is that most of these reported printer issues relate to corporate environments (e.g., printer servers combined with a domain controller); most home users will not be affected by the security concerns or printing problems.
After installing this month’s Microsoft update, connecting to devices in an untrusted domain using Remote Desktop might fail to authenticate when using smart card authentication. You might receive the prompt “Your credentials did not work.” This issue is resolved using Known Issue Rollback (KIR) — which is kind of exciting. Microsoft now allows for policy-driven execution paths of managed code. In case you encounter issues, you can roll back the execution path of the affected files, putting that piece of code back to a “pre-patch” state. To do this successfully, you need to make sure you have the correct policy files for your platform. You can find the relevant policy files for each Windows version here:
One of the best ways to see whether there are known issues that affect your target platform is to check out the many configuration options for downloading patch data at the Microsoft Security Update guidance site or the summary page for this month’s security update.
No major revisions (or even documentation updates) this month.
Mitigations and workarounds
As of Nov. 12, Microsoft has not published any mitigations or workarounds relating to this month’s update cycle.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired???, not yet).
Microsoft has released a single important update to Microsoft Edge. At its core, this patch is a Chromium code update, but it affects how Edge’s IE mode operates. The potential enterprise impact of this update is marginal, so add this relatively straightforward update to your regular release schedule.
The Microsoft Windows platform received 28 updates, with three rated as critical and the remaining patches rated as important. The biggest concern are the two publicly reported Remote Desktop Protocol (RDP) issues (CVE-2021-38631 and CVE-2021-41371). Microsoft has been working on the RDP protocol extensively for the past year with significant updates released with each Patch Tuesday. I have always had my doubts about RDP, though Microsoft offers some guidance and tools to secure your remote desktops. Given the recent supply chain problems, and the lack of fully integrated RDP alternatives, I think patching early and often is our best option. Add these updates to your Windows “Patch Now” schedule.
Microsoft released four updates, all of them rated as important. Affecting Access, Word, and Excel, these vulnerabilities require both local access to the target system and user interaction. Unfortunately, one Excel related issue (CVE-2021-42292) has been reported as exploited (though registered by Microsoft as proof-of-concept). Though these Office related security issues are not “wormable,” a publicly reported exploitation of a remote code execution vulnerability raises the risk significantly for enterprise customers. Add these updates to your “Patch Now” release schedule.
Microsoft Exchange Server
Microsoft released three important updates (CVE-2021-1349, CVE-2021-42305, CVE-2021-42321) for Exchange Server this month. All three updates link back to a single Knowledge Base (KB) article, KB5007049. These updates will require a server reboot and there is a distinct probability that this may cause an installation failure or break the Exchange Server (“break” as in no remote login). There are a number of known issues with this update relating to manual installs and UAC issues. Thoroughly test this update before any production deployments.
Microsoft development platforms
This month’s update is a little more interesting than usual. We have two updates (both rated as important) to Visual Studio that could lead to elevation-of-privilege scenarios. And unusually, Microsoft has added an Open Source project vulnerability from August to this month’s November update. The critical rated issue in the OpenSSL cryptography framework (CVE-2021-3711) is consumed by Microsoft Visual Studio and therefore was considered a significant risk to Visual Studio users. This is a great call by Microsoft and really demonstrates its commitment to these types of open-source projects. Add these updates to your regular developer roll-out schedule.
Adobe (really just Reader)
This month, Adobe has released three lower rated issues affecting their RoboHelp (APSB21-87), InCopy (APSB21-110) and Creative Cloud desktop (APSB21-111) applications. Though there are no updates to Adobe Reader, we highly recommend that you test out printing your PDF’s due to the changes in the Windows printing system. In addition, you may need to check that the auto-update feature is still working in Adobe Reader once this month’s update has been installed.