September 2022 Patch Tuesday forecast: No sign of cooling off

September is here, and for most of us in the northern hemisphere, cooler temperatures are on the way. Unfortunately, the need to maintain and update our computer systems remains hot.

August 2022 Patch Tuesday provided critical updates for all Microsoft operating systems as well as an unexpected update for Internet Explorer 11. These critical updates were driven by another zero-day vulnerability – CVE-2022-34713, found in the Microsoft Windows Support Diagnostic Tool (MSDT). There were also some zero-day vulnerabilities addressed by Apple this month, so let’s take a look before the forecast for next week.

Apple released security updates for all its operating systems – iOS, Catalina, Big Sur, and Monterey, as well as the Safari browser to address two zero-day vulnerabilities. CVE-2022-32893 and CVE-2022-32894 both are out-of-bounds write vulnerabilities that could allow code execution.

Google released a major update to its stable channel version of Chrome 105 for Windows, Mac, and Linux. It contained fixes for 24 vulnerabilities, including 9 that could allow for remote code execution. And of the final note, Hewlett-Packard released an update for its Support Assistant tool, which is installed on all its computer devices. It fixes CVE-2022-38395, an elevation of privilege vulnerability in this widespread, critical diagnostic software. All these products are in common use, so ensure you include these updates in your patch Tuesday process if you haven’t deployed them already.

Microsoft is disabling basic authentication for Exchange Online effective October 1st. This is the final action that began with the first announcement three years ago. The Microsoft Exchange Team blog provides an excellent summary of the timelines involved until the service is shut down permanently in January 2023. You can run the diagnostics tool and work with Microsoft to run a needed protocol until December. But be aware that using the basic authentication service is subject to man-in-the-middle compromise because the credentials are sent in plain text and rely on TLS and the end applications for protection. If you haven’t taken any action to update to modern authentication, your users may be blocked beginning at the end of September.

September 2022 Patch Tuesday forecast

• Microsoft will continue to crank out the updates for Windows 11, Windows 10, and its older operating systems. Expect a continuing high number of CVEs fixed this month. We may see some .NET framework updates.
• Adobe Acrobat and Reader were updated again in August following the major update in July. I wouldn’t expect another update this month.
• Apple released security updates for its OS and Safari browser in mid-August, so I don’t expect another update soon.
• Mozilla continues to release security updates for their applications at the end of the month so don’t expect any updates next week. Firefox 104, Firefox ESR 91.13, Firefox ESR 102.2, Thunderbird 91.13 and Thunderbird 102.2.1 were all updated so include them in your patch process next week.

The zero-day and other critical updates continue to surface, so our need to update systems remains as hot as ever. With these and more coming from Microsoft next week, make sure you have a cool drink nearby!