October 2022 Patch Tuesday forecast: Looking for treats, not more tricks

We’ve entered the final quarter of 2022 with a favorite holiday for many – Halloween, at the end of the month. Unfortunately, Microsoft has continued to play a few tricks on us. Several Microsoft Exchange Server vulnerabilities have been reported and exploited, and the Windows 11 rollout and updates have been a little ‘rocky’.

Although September 2022 Patch Tuesday turned out to be fairly routine with the exception of a larger number of vulnerabilities than usual addressed in some of the older operating systems, the problems started soon thereafter.

Exchange zero-day vulnerabilities

Microsoft Exchange Server continues to be the target of attacks as Microsoft disclosed two new zero-day vulnerabilities soon after Patch Tuesday. They announced an initial mitigation for the Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040) and Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082) which are being exploited by the named ProxyNotShell attacks.

Both CVEs have a CVSS score of 8.8. The mitigation steps are shown in the FAQ section for the first vulnerability. Microsoft did provide a second variation on a tool they created to automate the required mitigating changes; however, recent reports state these zero-day vulnerabilities are still able to be exploited. It’s critical these attacks and vulnerabilities remain on your radar as we roll into next week’s Patch Tuesday. Monitor your systems closely for unusual activity as we wait for a proven security update to correct the issue.

Windows 11 update

The first major update to Windows 11 is not going as smoothly as planned. The early rollout of Windows 11 22H2 has revealed issues with remote desktop, printers, blue screens on some Intel systems, and most recently, provisioning packaging for new enterprise systems. This latest issue can leave systems partially configured and in an unstable state.

Microsoft strongly encourages all users to run a Health Check to ensure your system meets the requirements for the latest Windows 11 updates. There are growing pains with all new operating systems and since this is the first major update for Windows 11 it has come as expected. If you are concerned, wait until these upgrade issues are worked out but continue to apply the security updates to your existing Windows 11 21H2 systems. They won’t reach EOL until October 2023.

No more basic authentication for Exchange Online

I mentioned last month that Microsoft is disabling basic authentication for Exchange Online effective October 1st. The Microsoft Exchange Team blog provides an excellent summary of the timelines involved until the service is shut down permanently in January 2023. You’ll be forced to take action soon, if you haven’t already.

The countdown is starting for the end-of-support on Windows 7 and Server 2008/2008 R2. We only have four months remaining until the last Extended Security Update (ESU) is released on January 10, 2023. I hope everyone has a plan in place to migrate off those last few systems you may have in the server room somewhere. Looking way ahead in the forecast, Microsoft Server 2012/2012 R2 will go into ESU support following the October 2023 Patch Tuesday on October 11. If you start planning now, you should consider migrating those systems to one of the latest Windows 10-based servers to avoid the high costs of ESU support.

October 2022 Patch Tuesday forecast

• Expect the trend to address more CVEs in the older operating systems to continue. They may be EOL soon, but Microsoft knows they will probably be running for some time afterward and would like to leave them in a good state. The usual Windows 10, 11, and associated servers will receive their usual updates. Microsoft has known about these Exchange Server vulnerabilities for over a month so be on the lookout for a security fix.
• Adobe Acrobat and Reader were having major updates once a quarter, but that trend has been broken with more frequent updates the past few months. Even though there is no pre-announcement yet, expect a minor update next week. If you missed last Patch Tuesday’s updates, most of the personal, creative apps received security updates so deploy them soon.
• Apple released some major security OS updates in September, and I’ve not heard of any reported major vulnerabilities, so I don’t expect another update next week.
• Google released both the Extended Stable Channel Update and the Stable Channel Desktop Update 106.0.5249.103 for Windows, Mac and Linux on Wednesday. I don’t expect any additional updates next week.
• Mozilla released security update Thunderbird 102.3.1 last week, so anticipate updates soon for Firefox and Firefox ESR.

Let’s hope we get a few treats from Microsoft next week with security solutions for Exchange Server, deployment fixes for Windows 11, and more!