January 2022 Patch Tuesday was a rough one for Microsoft — and us. In the week following Patch Tuesday, Microsoft was forced to pull and subsequently re-issue several updates for Windows Server 2012, 2019, and 2022, as well as Windows 10 and 11.
There were three major issues that were resolved in these re-issued updates. First, some Windows Server 2019 and 2022 domain controllers were forced into a reboot loop; second, Hyper-V would not start on Windows Server 2012; and third, L2TP VPN connections were broken on Windows 10 and 11 workstations.
It was a frustrating week for many IT teams as they had to work through interruptions caused by the initial update release on Tuesday, and then the subsequent corrected releases. While we all want to roll out the updates as quickly as possible to stay ahead of the threat, this last month reminded us of the value in a phased rollout, validating stability on test systems before distribution to production.
The Log4j or Log4Shell bug continues to garner attention in the news. Vendors have been rapidly responding to the widespread and easily exploited vulnerability with product updates, so be sure to factor these application updates into your next update cycle. One quick note of warning is that a host of Log4j-specific vulnerability scanners have appeared on the market. Ensure you use one from a trusted vendor because malicious versions come and go.
More vulnerabilities in WordPress have been reported. You may recall that in the latter part of last year, vulnerabilities were identified in the All in One SEO plugin and some of the Starter Templates. Together, these vulnerabilities impacted several million websites. This time, a vulnerability that allows for remote code execution is reported in a popular plugin called Essential Addons for Elementor. A fix is available and should also be considered this month if you use the plugin.
And finally, 23 CVEs were reported in the Unified Extensible Firmware Interface (UEFI) firmware from InsydeH2O. This firmware is used by many major hardware manufacturers including Dell, HP, Lenovo, Microsoft, and others. Like the Log4Shell vulnerabilities, these cannot be patched directly, and the respective hardware vendors must update, test, and distribute the patched firmware as part of their packages. The firmware update for the vulnerabilities is available, but it will take a long time for all vendors to respond and for individual machines to be updated. These particular CVEs in firmware are scary because the “privileges exceed those of the OS kernel, so any security issues in this space can have severe consequences for the vulnerable system.” Please give plenty of attention to these firmware updates as they become available.
Despite the issues mentioned at the start of this article, Microsoft did resolve 97 unique CVEs last Patch Tuesday, nine of which were rated as Critical. I sure hope they are going to spend a lot more time in testing prior to next week’s Patch Tuesday releases so we don’t have to relive that mess.
February 2022 Patch Tuesday forecast
- I suspect we will see fewer CVEs addressed but expect the usual releases from Microsoft. Last month we had the first .NET framework security release in over a year, so I don’t expect another. Likewise, an Exchange Server release with three CVEs was released last month so I don’t anticipate another next week.
- Year 3 of Extended Security Updates (ESU) for Windows 7 and Server 2008/2008 R2 begins next week. This is the last year of support, so phase out these old operating systems.
- Adobe released a security update for Acrobat and Reader last Patch Tuesday addressing 26 CVEs with 16 rated critical. Their monthly releases have slowed down, so I don’t expect anything major this month.
- Safari, macOS Catalina, Big Sur and Monterey, and iOS all received security updates on January 26. Nothing is anticipated next week.
- Chrome 98 Stable Channel Update from Google for Windows, macOS, and Linux was released on Tuesday. It addressed 27 vulnerabilities and eight of them were rated High. Plan on picking this one up soon if you haven’t done so already.
- Mozilla released January Patch Tuesday updates for Firefox, Firefox ESR, and Thunderbird so expect new security updates again next week.
It was a rough kickoff to our Patch Tuesday cadence in January. Microsoft should be providing a higher quality set of updates this month and the major third-party updates are already available, so let’s plan for a simple, routine set of patching next week.