April 2022 Patch Tuesday forecast: Spring is in the air (and vulnerable)
March Patch Tuesday releases followed in the footsteps of February with low numbers of CVEs reported and resolved, and all updates rated as important except one critical update for Microsoft Exchange Server. Could April Patch Tuesday provide the deluge of critical updates we were expecting last month?
Security enhancements for Windows 11
Microsoft has clearly been busy working on security improvements in multiple arenas. Earlier this week, they announced an extensive set of security enhancements for Windows 11, providing protection for what they call ‘chip to cloud’. These new features and enhancements take advantage of hardware assistance from the new Pluton Security Processor at the chip level all the way up to cloud protection via the Windows Defender SmartScreen to prevent phishing and malware injection from malicious websites.
Other security features covered include Credential Guard, Config Lock, Personal Data Protection, and Hypervisor-Protected Code Integrity (HVCI) default enhancements. Microsoft also announced their upcoming Autopatch service targeted at Windows Enterprise E3 customers. Based on the comments from multiple sites, there’s some concern over who really needs this, so we’ll see how it plays out when available.
There were a lot of hot vulnerabilities this month, with CVE-2022-22965, also known as Spring4Shell or SpringShell, in the Spring Framework being the hottest. The Spring Framework is a Java platform used to support Java application development.
Latest reports show that while many platforms may contain this vulnerability, only a small percentage are open to exploitation because a specific environmental configuration is required. Regardless, as with Log4j, you should scan your systems and update to the latest version to get the fix in place.
Apple and VMware
Apple announced two zero-day vulnerabilities, CVE-2022-22675 and CVE-2022-22674, and provided iOS 15 and Monterey updates. We’re still waiting on updates for Catalina and Big Sur.
And one final notification worth mentioning came from VMware in VMSA-2022-011. These eight vulnerabilities impacted multiple versions of five different products, including VMware Workspace ONE Access. Five of the vulnerabilities are rated critical and have CVSS scores from 9.1 to 9.8. Unlike the Spring and Apple vulnerabilities, these eight have not been reported as being exploited in the wild. If you haven’t been following all the action in March and early April, plan on identifying and including the applicable updates for these products in your Patch Tuesday rollout.
I’ll mention again this month that the US Cybersecurity and Infrastructure Security Agency is continuing its strong response to heightened Russian activity, adding known exploited vulnerabilities to its catalog at regular intervals. There are now 616 entries. While government agencies are required to address the listed vulnerabilities by the dates shown, the catalog is a good starting point for anyone looking for high-priority vulnerabilities to identify on their systems and fix.
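The two preceding points (scan your estate for Spring4Shell, and use the CISA catalog to pick what to fix first) combine naturally into one prioritization step. The script below is an added example, not code from the original article or from CISA: it reads entries laid out like the public Known Exploited Vulnerabilities JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`), cross-references them against scanner output for a few hosts, and orders the results by due date so overdue items surface first. The CVE ids are the ones named in this article; the vendor, product and date values, the host inventory and the `CVE-0000-PLACEHOLDER` id are all constructed for illustration, and the dates are not CISA's real due dates.

```python
"""Cross-reference a host inventory against CISA KEV-style catalog entries.

Added example; not part of the original article. The JSON layout follows the
public KEV feed, but every entry below is constructed sample data.
"""
import json
from datetime import date

# Constructed sample in the KEV catalog's JSON layout. CVE ids come from the
# article; vendor/product/date fields are placeholders, not CISA's real values.
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-22965", "vendorProject": "Spring", "product": "Spring Framework",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-25",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22675", "vendorProject": "Apple", "product": "macOS",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22674", "vendorProject": "Apple", "product": "macOS",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-08",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: host name -> CVE ids the scanner flagged on it.
# CVE-0000-PLACEHOLDER stands for any finding that is not in the catalog.
INVENTORY = {
    "web-01": ["CVE-2022-22965", "CVE-0000-PLACEHOLDER"],
    "mac-03": ["CVE-2022-22674", "CVE-2022-22675"],
    "db-02": [],
}


def load_kev(raw_json):
    """Index catalog entries by CVE id, parsing dueDate into a date object."""
    catalog = json.loads(raw_json)
    index = {}
    for entry in catalog["vulnerabilities"]:
        index[entry["cveID"]] = {
            "vendorProject": entry["vendorProject"],
            "product": entry["product"],
            "dueDate": date.fromisoformat(entry["dueDate"]),
            "requiredAction": entry.get("requiredAction", ""),
        }
    return index


def prioritize(kev_index, inventory, today_iso):
    """Return inventory findings present in the catalog, earliest due date first.

    Findings not in the catalog are skipped here; they belong in the normal
    patch cadence rather than the exploited-in-the-wild fast lane.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev_index.get(cve)
            if entry is None:
                continue
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"].isoformat(),
                "overdue": entry["dueDate"] < today,
            })
    # Sort by due date, then host and CVE for a stable, readable report.
    findings.sort(key=lambda f: (f["due"], f["host"], f["cve"]))
    return findings


def report(findings):
    """Render findings as fixed-width lines, flagging anything past its due date."""
    lines = []
    for f in findings:
        flag = "OVERDUE" if f["overdue"] else "due"
        lines.append(f'{f["host"]:8} {f["cve"]:16} {f["product"]:24} {flag} {f["due"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print(report(prioritize(kev, INVENTORY, "2022-04-12")))
```

In practice the `KEV_SAMPLE` string would be replaced by the downloaded catalog feed and `INVENTORY` by your scanner's export; the rest of the logic is unchanged. Anything the scanner reports that is not in the catalog still needs patching, it just does not jump the queue.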
April 2022 Patch Tuesday forecast
- Plan for more critical updates this month; I don’t see the trend of only important ones continuing. Operating system updates will include the Extended Security Updates (ESUs) for Windows 7 and Server 2008. I hope you are working towards migration to a newer OS, as those ESUs end in January. Microsoft Office and Exchange Server will see some minor updates.
- Adobe is due for a major update of Acrobat and Reader but there hasn’t been a pre-announcement yet.
- The zero-day release for iOS 15 and Monterey is out, so be on the lookout for similar updates for Catalina and Big Sur soon.
- Google released Long Term Support Channel 96.0.4664.204 for ChromeOS devices on Wednesday, with fixes for three High-rated vulnerabilities. The Stable Channel Update for Desktop 100.0.4896.75 for Windows, Mac and Linux was released on Monday. This update includes only one security fix rated High.
- Mozilla released updates for Firefox 99, Firefox ESR 91.8, and Thunderbird 91.8 on Wednesday. Don’t expect any new updates next week.
Don’t forget the Oracle Critical Product Update (CPU) is coming next week on April 19th. With all this Java-related activity from Log4j and Spring, we may see a large set of CVEs in that release.