Microsoft wrapped up a lot of ‘loose ends’ last month with their November set of updates, but there is still some work to do before the end-of-year holiday season. The ProxyNotShell vulnerabilities were finally fixed, and we saw some improvements in the changes made to communication and authentication exchanges. However, there is some ‘fine-tuning’ still needed based on the chatter from patch forums and articles in the news.
Microsoft began introducing security hardening in Netlogon and Kerberos with the November Patch Tuesday releases. Per Microsoft: “The November 2022 security update release is the start of phased security hardening changes which will require organizations to monitor their environment and make adjustments to comply with these security hardening changes.” They released three KB articles to help with the required changes:
- KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
- KB5021130: How to manage Netlogon protocol changes related to CVE-2022-38023
- KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
Unfortunately, the November releases resulted in immediate problems for the field, and there was an out-of-band set of updates the following week. Despite these releases, there continue to be other problems, specifically with domain controllers, such as a memory leak with the Local Security Authority Subsystem Service (LSASS), which can cause access errors and system reboots over time. This memory issue appears on systems from Windows Server 2008 through Windows Server 2019.
The good news here is that Microsoft also provided a workaround for managing the instability caused by those earlier Kerberos changes. Let’s hope that Microsoft provides some comprehensive updates this month that can fine-tune all these nagging stability and connectivity issues.
Google released Chrome 108.0.5359.94 on December 2 to address vulnerability CVE-2022-4262. This is the ninth zero-day update for Chrome this year. If you haven’t updated your systems already, make sure to include this update in your monthly patch cycle.
December 2022 Patch Tuesday forecast
- The second-to-last set of ESU updates will be released next week. You should plan accordingly because these systems become more vulnerable starting in February.
- Expect the usual operating system updates. The number of CVE fixes was lower than expected last month, so I anticipate a high number of CVEs closed out to end the year. There was a focus on Microsoft Office, Exchange, and SharePoint Servers last month, so the fixes may not be critical, but we’ll see.
- There are no pre-announcements for an Adobe Acrobat and Reader release, but they usually provide us with an end-of-year update.
- It’s been a while since Apple released updates for Ventura, Monterey and Big Sur. Factor in a set of updates for these operating systems before the end of the year.
- Google updated several beta channels this week, so I anticipate those updates may be released to the stable channels next week.
- The last updates from Mozilla for Firefox and Firefox ESR were back on November 15. Thunderbird received an update at the end of November, so we could see updates for all three next week.
It’s hard to believe another year has passed by already. The reality of how fast time passes struck home when I saw that it has now been a year since the Log4j vulnerability was discovered and there are still so many vulnerable systems. As we wrap up this year and move into 2023, think about the progress you’ve made in protecting your systems (or not) and make some New Year’s resolutions you really want and can achieve!