January 2022 Patch Tuesday forecast: old is new again

Welcome to 2022 and another year of patch management excitement! I am quickly approaching 40 years of working in this industry and can honestly say that there is rarely a boring day. If you are up to the challenges presented, this is a great industry to work in and I hope you all are excited to start the new year too. Let’s take a look at some recent events that will influence this month’s patch releases.

I closed last month’s forecast article calling 2021 “the year of supply chain attacks” and this trend continues. Malware in the Atera remote management software has been taking advantage of Microsoft’s digital signature verification vulnerabilities since 2012 to load ZLoader and steal account credentials.

Even though these vulnerabilities have been fixed, the changes are not enabled by default. Microsoft Security Advisory 2915720 2017 provides more details on the Authenticode and WinVerifyTrust features, with recommendations for action. Despite the old vulnerabilities, this is a new attack and I’m sure we’ll hear more from Microsoft, with potential changes in next week’s fixes.

The zero-day vulnerability in the Java-based Apache Log4j logging library took the software industry by storm in mid-December. This library is widely used in enterprise and cloud service software. Even though Apache has released the zero-day patch for CVE-2021-44228, it takes some time for companies that use this library to update, test, and release a new version.

To complicate matters, a total of four additional CVEs associated with the Log4Shell bug were identified over the past month, the latest being CVE-2021-44832. Keeping the industry buzzing, Apache has released several updates to this library, now up to version 2.17.1. SaaS products can be quickly updated under DevOps, but updating traditional software products in the field can take significantly longer, leaving them vulnerable to exploitation.

Microsoft has been busy preparing for the first Patch Tuesday in 2022. It has released an out-of-band update for Windows servers that are “experiencing a black screen, slow connection, or overall sluggishness.” These updates were initially a limited release, but are now available for all servers. It also released a script to run on Exchange Server 2016 and Exchange Server 2019, which fixes an issue with date checking that leaves messages stuck in the transport queue. We’ll have to see if these updates show up in future update rollups.

January 2022 Patch Tuesday forecast

  • I mentioned that Microsoft was already busy fixing several issues this year, so we might see more than the 29 and 30 vulnerabilities fixed in Windows 11 and 10 respectively. I anticipate we’ll see updates for Exchange Server and maybe .NET as well.
  • The latest Year 2 Extended Security Updates (ESU) for Windows 7 and Server 2008/2008 R2 will be released next week. If you still need support for the third year, be sure to renew all of your licenses to avoid any disruption in February.
  • Expect an update for Adobe Acrobat and Reader next week. Updates for most Adobe products were released on December 14, so make sure you have them included in your update plan.
  • Apple released security updates for Safari, macOS Catalina, Big Sur, and Monterey in December. Barring new zero-day vulnerabilities, it should be a quiet January for Mac users.
  • Google released a stable desktop update for Chrome 97.0.4692.71 which fixed 37 vulnerabilities. One of these vulnerabilities has been rated as critical and 10 as high, so definitely update your systems this patch cycle. The Extended Stable Channel update for Desktop has also been updated to 96.0.4664.131 for Windows and Mac.
  • Mozilla hasn’t released its usual pre-Patch Tuesday updates for Firefox, Firefox ESR, and Thunderbird, so expect those security updates next week.

I reviewed my article on the January 2021 forecast, and surprisingly, the focus was on identifying and maintaining third-party software that is embedded in enterprise products. With the malicious code in the Atera product and the rush to update for Apache’s Log4Shell vulnerability, this old advice is really new!



Steven L. Nielsen