Legacy apps are at risk with the September Patch Tuesday update







This week’s Patch Tuesday was an unusual update from Microsoft and we have added Windows, the Microsoft development platform, and Adobe Reader to our “Patch Now” schedule.

These updates are driven by the zero-day patch (CVE-2021-40444) to the core Microsoft browser library MSHTML. In addition to leading to significant remote code execution worries, this update may also lead to unexpected behaviours in legacy applications that depend on or include this browser component. Be sure to assess your portfolio for key apps that have these dependencies and perform a full functionality test before deployment. (We have identified some key mitigation strategies for handling ActiveX controls and for protecting your system during your testing and deployment phases.)

You can also find more information about the risks of deploying these Patch Tuesday patchesin this infographic.

Key testing scenarios

There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change and an additional feature:

  • As always, confirm that printing performs as expected with both physical and virtual printers. Verify there are no issues with printer drivers and check for printer driver software still using 32-bit code for application management. 
  • Verify Event Tracing for Windows is working as expected; logs are showing up in Event Viewer.
  • Confirm that connections leveraging Remote Desktop Gateway and Virtual Private Networks (VPNs) work as expected.
  • Test SCCRUN objects like Scripting.FileSystemObject, textStream, Scripting.Dictionary. See this Microsoft document and Dictionary object | Microsoft Docs for additional information.
  • Confirm that users with permissions can access files on SMB shares. Verify that accessing files using the Create / Copy / Delete / Read / Write / Rename / Close functions as expected.

Testing your legacy apps and printing will be a key task when managing this September’s update (and for the foreseeable future). Looking for printer driver software still using 32-bit code for app management is important to avoid “thunking.” This area of concern relates to how memory is handled between 32-bit and 64-bit applications. If you are looking for a scenario where everything breaks, at unpredictable times, and affects core systems, try finding an aging printer driver with old printer management software.

Actually, it’s more likely the results will find you.

Though we often focus on printing and legacy apps, remote working has seen a huge increase during the pandemic. We offer the following VPN-specific testing recommendations this month:

  • Verify that Windows Updates reliably install over VPN and non-VPN connections and that the updates install successfully.
  • Check that your anti-virus works as expected over your VPN connection.
  • Ensure the ability to acquire a DHCP address and network connectivity over wired and wireless network connections with and without 802.1x.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms in the latest update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:

  • This month, all Windows 10 updates include a fix that addresses an issue that causes PowerShell to create an infinite number of child directories. This issue occurs when you use the PowerShell Move-Item command to move a directory to one of its children. As a result, the volume fills up and the system stops responding.

Major revisions

At the time of writing (for the July update cycle), there were four major updates to previously released updates:

  • CVE-2021-1678: Windows Print Spooler Spoofing Vulnerability.
  • CVE-2021-36958: Windows Print Spooler Remote Code Execution Vulnerability.
  • CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability.

Mitigations and workarounds

This month, Microsoft published a work-around for the MSHTML update. The company (not for the first time) recommends disabling Active X. We recommend disabling ActiveX as a general rule and using Group Policy for your managed platforms. Here are some simple steps to ensure that ActiveX is disabled:

  1. Select the Zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
  2. Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
  3. Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

You can also specify specific registry keys and component IDs for individual apps (e.g. Microsoft Word) —find out more here. Microsoft also recommends that you place documents opened in “Protected View” and use the Office version of Application Guard. And if you have gone for a full Microsoft stack and have deployed Defender, you can use attack surface reduction rules to reduce the threat of exposure to this serious security issue.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired? Not yet).

Browsers

Microsoft released 26 updates for the Chromium-based Edge browser this month. In addition to these patches, the Chromium project also released 11 security related updates this September (Chrome Release Notes). Though the browser wars have ended, and now Microsoft is using Open Source, the one constant type of security issue is the “Use After Free” memory (aka Dangling Pointer) allocation errors. These memory allocation classes of errors are still the most common and this month’s update (have a read of CVE-2021-30610) is a good example of the ongoing battle to stay ahead of the bad guys. The proposed changes to Edge will have minimal or no impact on enterprise systems this month. Add these updates to your standard desktop update schedule.

Windows

Microsoft has released 35 updates to the Windows platform with two rated as critical (CVE-2021-36965 and CVE-2021-26435) for this cycle. Though this is not the largest update we’ve seen for a while, this release affects a number of key platform areas: networking, kernel drivers, Windows Installer, key graphic components (GDI), and some key diagnostic tools (Windows Error Reporting).

However, the real concern this month for testing and deployment teams is what’s been re-released: CVE-2021-40444. It was released earlier this month and has seen two updates since its initial publishing. The MSHTML issue is a real concern as it relates to a core browser component commonly used in a number of applications. It’s like having Internet Explorer embedded in your core line of business application (yeah, I know).

You really do not want this component in your development portfolio and you will need to find out which applications depend on it quickly. We ran a quick scan of our common applications that make use of the MSHTML library and found that between 5-10% of “legacy applications” (applications older than five years) had a direct dependency on MSHTML. These applications will require in-depth testing and are likely areas of concern for any business. Unfortunately, we have to add these Windows updates to our “Patch Now” schedule for this month.

Microsoft Office

Microsoft has released 12 updates to its Office platform this month, all of them rated important. (Correct,  no critical updates for Office, Exchange or SharePoint this patch cycle.) Word, Excel, Visio, and the shared Microsoft Office libraries (e.g. MSO and shared code common to all Microsoft Office components) are affected this month. None of the reported security issues include “preview pane” or other highly vulnerable attack vectors.

Add these September Microsoft updates to your standard release schedule.

Microsoft Exchange Server

We are in the fortunate position this September of not having to deploy urgent updates to Microsoft Exchange Server. That said, there are two updates to SharePoint Server (CVE-2021-38651, CVE-2021-38652) that will require attention. Both require a reboot to the server. So even with a reduced level of urgency, we are all still rebooting our Office servers this month.

No further action required for Exchange Server related updates.

Microsoft development platforms

Microsoft has released three updates to the Visual Studio platform (CVE-2021-36952, CVE-2021-26437, CVE-2021-26434) all rated as important. Usually, we look at these updates and advise adding them to a standard release schedule. But we think CVE-2021-36952 and CVE-2021-26434 require a rapid response due to their potential remote code execution (RCE) and elevation-of-privilege scenarios.

I like to say that RCE issues are today’s issues. Elevations of privilege (EOP) concerns are this afternoon’s problems. Add this Microsoft developer update to your “Patch Now” schedule. And, yes we have not made this recommendation for at least two years.

Adobe (really just Reader)

This section was previously set up to handle the numerous (and sometimes painful) updates to Adobe Flash over the years. With the recent (and hopefully final) update that includes the kill-bits for Flash and Shockwave, our thinking is that we should retire this section. However, Adobe Reader is a core component of most enterprise desktops and is likely to continue as the default PDF reader for a few more years.

So rather than focus on all Adobe products we’ll deal with security related issues with PDFs (especially printing) and Adobe Reader. And as luck would have it, we have an abundance of Adobe updates for September (I am saving “cornucopia” for October), with a particular focus on Acrobat.

Adobe has released 26 updates with seven rated critical as they relate to memory issues that could lead to remote code execution (RCE) scenarios. There are some serious issues with these reported vulnerabilities, though all require user interaction and no reports of public disclosure or exploitation. Add these Adobe Reader updates to your “Patch Now” update release cycle.

And, yes this is the first time that we have made this recommendation.

<