October 2022 Patch Tuesday was a little unusual last month, as it ‘kind of’ repeated itself the following week. Microsoft turned around and released a series of non-security updates that fixed some newly discovered connection issues, forcing many to conduct another unplanned patch cycle. They also left several zero-day vulnerabilities unresolved, keeping us wondering when these open items will be addressed. November could be an important Patch Tuesday to wrap up these loose ends.
The reported vulnerabilities in OpenSSL 3 sparked a lot of press coverage this month. There are two buffer overflow vulnerabilities – CVE-2022-3602 and CVE-2022-3786; the first vulnerability was reported with a Critical rating due to the possibility of remote code execution, but it was later downgraded to a High rating due to difficulty in exploitation. The second vulnerability was rated High due to the possibility of a denial-of-service attack.
These vulnerabilities are present in OpenSSL versions 3.0.0 through 3.0.6 and are fixed in version 3.0.7. The limited deployment of these newest versions so far also contributed to the High ratings. The initial concern was that CVE-2022-3602 could lead to another Heartbleed situation; Heartbleed (CVE-2014-0160 in OpenSSL) was widely exploited in 2014. The good news is that these recent CVEs are much harder to exploit, but you should still update to the latest version of OpenSSL in your environment during your next patch cycle to protect yourself from the sure-to-come attacks.
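As an added example (not code from the original post), here is a POSIX shell check that parses `openssl version` output and reports whether the build falls in the 3.0.0 through 3.0.6 range the post describes; the function name and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# openssl_affected "<output of: openssl version>"
# Returns 0 (true) when the string names an OpenSSL build in the
# range 3.0.0 - 3.0.6 (CVE-2022-3602 / CVE-2022-3786), 1 otherwise.
# Only the product name and version token are examined; LibreSSL and
# OpenSSL 1.x / 3.0.7+ are reported as not affected.
openssl_affected() {
    name=${1%% *}                 # first word, e.g. "OpenSSL"
    ver=${1#* }; ver=${ver%% *}   # second word, e.g. "3.0.5"
    [ "$name" = "OpenSSL" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}       # drop suffixes such as "q" or "-dev"
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 6 ]
}

# Stand-alone use: check the host's default openssl binary, if present.
if command -v openssl >/dev/null 2>&1; then
    if openssl_affected "$(openssl version)"; then
        echo "AFFECTED: $(openssl version) - upgrade to 3.0.7 or later"
    else
        echo "not affected: $(openssl version)"
    fi
fi
```

The check only covers the default `openssl` on the PATH; applications that bundle their own libssl need to be inventoried separately.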
Microsoft released several non-security, out-of-band updates this month. In the week after last Patch Tuesday, there was an update for most server and workstation operating systems to address “an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures.” This fix is not required if you are not experiencing connection issues. Here’s the Windows 11 bulletin if you want to read more.
On October 28, Microsoft released another out-of-band update, KB 5020953, to address OneDrive synchronization issues that could result in OneDrive not working. As can be seen in the KB, it requires a manual download and installation and is not required if you are not experiencing problems. As with all the Microsoft updates, if you haven’t had a chance to install these yet and you do need them, they will arrive with next week’s Patch Tuesday.
Microsoft and Google
I mentioned last month that Microsoft had disclosed two new zero-day vulnerabilities back on September 30th. They provided some tools and manual mitigation for the Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040) and Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082) associated with the ProxyNotShell attacks. Despite October Patch Tuesday and several out-of-band releases throughout the month, we’ve not seen an update yet. Maybe next week?
Three months of updates remain for Windows 7 and Server 2008/2008 R2 until the last Extended Security Update (ESU) is released on January 10, 2023. Google also announced they are dropping Chrome support for Windows 7 in Feb 2023 and that Chrome 109 will be the last to support these operating systems.
One final note before the forecast: Microsoft mentioned at Ignite this year that it is rebranding the 32-year-old Office suite as Microsoft 365. Their marketing has quietly announced this change, and you may see some actual name changes starting in the November updates.
November 2022 Patch Tuesday forecast
- As I anticipated last month, the ESU updates are continuing to get a lot of attention with 40+ CVEs addressed as their EOL approaches. Expect that trend to continue this month.
- Expect an update to Microsoft Exchange Server this month to address the two reported zero-day vulnerabilities. Keep an eye on Microsoft Office as it morphs into Microsoft 365. Like the ESU updates, there will probably be a push to address open vulnerabilities in all the remaining operating systems before the holidays.
- Adobe Acrobat and Reader don’t usually get a major update this month, but as always be on the lookout for an update with a few CVEs.
- Apple released their newest operating system macOS 13 named Ventura on October 24th. On the same day they released Big Sur 11.7.1 and Monterey 12.6.1. These security updates should be included in this patch cycle if you haven’t done so already.
- The Google beta channels were updated this week for ChromeOS and Desktop. You should anticipate them being formally released soon. Google did update the Long Term Support channel to 102.0.5005.184 this week, so you can factor that into your patch activity.
- The last updates from Mozilla for Thunderbird, Firefox, and Firefox ESR were released on October 18th. We could see updates for all three next week.
It will be nice if Microsoft provides us with some updates this month that wrap up a lot of the loose ends I mentioned, and we can move into the end-of-year holidays with secure, stable systems and peace of mind.