January 2023 Patch Tuesday forecast: Procrastinate at your own risk
The start of a new year means it’s time to start working towards achieving your annual resolutions. Based on the headlines from the December news media, perhaps the most important point is don’t procrastinate! We should all have some sort of goal around improving the speed or efficiency in securing our systems so let’s get too it.
Microsoft disclosed two zero-day vulnerabilities back in September – Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040) and Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082), associated with the ProxyNotShell attacks. A series of interim mitigations were also provided until the patches were released in November. If you procrastinated to deploy these updates the last two months, you are now running at high risk.
Researchers at Crowdstrike announced a new strain of ransomware called Play is using CVE-2022-41080 to access a PowerShell remote service and then CVE-2022-41082 to run remote code. The most important point here is that this method of access via this new vulnerability completely bypasses the interim mitigations provided by Microsoft; however, if you installed the updates in a timely fashion then you are protected. Don’t procrastinate.
There are business reasons why we can’t often move as fast as we would want to, but when announcements for upcoming changes are provided years in advance we need to plan and respond. It has been three years since Microsoft began their Windows 7 and Server 2008/2008 R2 Extended Security Update (ESU) program and the final security updates for these operating systems will drop next week. While they will continue to run well past the deadline, new vulnerabilities will continue to be discovered and these systems will be running at ever increasing risk of exploitation. Don’t forget about the applications running on them as well.
Google announced they are dropping Chrome support for Windows 7 in Feb 2023 and that Chrome 109 will be the last to support these operating systems. More vendors will soon follow in discontinuing their product support for these operating systems as well, so plan accordingly.
A final reminder that Microsoft is ending support of Basic Authentication for Exchange Online this month. They posted another announcement just prior to the holidays putting everyone on final notice that ‘time is up’. All remaining, affected tenants will be notified via Message Center one week prior to it being disabled and they will need to make the required changes. The announcement contains linked KBs with detailed guidance. You can’t really procrastinate on this one because you will soon lose access to Exchange once Microsoft flips the switch off.
January 2023 Patch Tuesday forecast
- There were no preview updates in December as usual due to the holidays, so the first release of the year is always interesting. Contrary to my prediction, the December Patch Tuesday release was small in terms of CVEs fixed, so I anticipate a high number of CVEs addressed in both the operating systems and applications updates. They may also want to end the ESU with a set of major updates to fix as many issues as possible.
- The new first quarter is here, so expect a major update for Adobe Acrobat and Reader.
- Apple released updates for Ventura, Monterey, Big Sur, iOS, and Safari in mid-December. Unless a new zero-day makes an appearance, it should be quiet in the Mac world next week.
- Google released both Stable Channel ChromeOS 108.0.5359.172 and Long Term Support Channel ChromeOS 102.0.5005.194 late this week so I don’t anticipate any other near-term updates.
- The last updates from Mozilla with reported CVEs are from mid-to-late December for Firefox, Firefox ESR, and Thunderbird. There have been additional releases since then, so we may not see a major update from them next week either.
It’s a new year and time to make a fresh start. Last month I asked you to make some New Year’s resolutions you really want and can achieve, so let’s get started.