We have entered the last quarter of 2022 with many people’s favorite holiday – Halloween, at the end of the month. Unfortunately, Microsoft continued to play a few tricks on us. A number of Microsoft Exchange Server vulnerabilities have been reported and exploited, and the rollout and updates of Windows 11 have been a bit ‘rocky’.
Although Patch Tuesday September 2022 turned out to be relatively normal, with the exception of a larger than usual number of vulnerabilities addressed in some of the older operating systems, the problems started soon after.
Exchange zero-day vulnerabilities
Microsoft Exchange Server continues to be the target of attacks as Microsoft disclosed two new zero-day vulnerabilities soon after Patch Tuesday. They announced initial mitigation for the Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040) and the Remote Code Execution Vulnerability (CVE-2022-41082), which are exploited in attacks named ProxyNotShell.
Both CVEs have a CVSS score of 8.8. The mitigation steps are shown in the FAQ section for the first vulnerability. Microsoft has released a second version of a tool they created to automate the necessary mitigation changes; however, recent reports indicate that these zero-day vulnerabilities can be exploited. It’s vital that these attacks and vulnerabilities remain on your radar as we roll into next week’s Patch Tuesday. Please monitor your systems closely for unusual activity while we await a proven security update to fix the problem.
Windows 11 updates
The first major update to Windows 11 is not going as smoothly as planned. The early rollout of Windows 11 22H2 revealed issues with remote desktop, printers, blue screens on some Intel systems, and more recently, provisioning packages for new enterprise systems. This latest issue can leave systems in a partial and unstable state.
Microsoft strongly recommends that all users run a Health Check to ensure that their systems meet the requirements for the latest Windows 11 updates. There are growing pains with every new operating system, and since this is the first major update for Windows 11, these are to be expected. If you are concerned, wait until these upgrade issues are worked out, but continue to apply the security updates to your existing Windows 11 21H2 systems. They will not reach EOL until October 2023.
No more basic authentication for Exchange Online
I mentioned last month that Microsoft is disabling basic authentication for Exchange Online effective October 1st. The Microsoft Exchange Team blog provides a great summary of the timelines involved until the service is shut down permanently in January 2023. You’ll be forced to take action soon, if you haven’t already.
The countdown is starting for the end of support on Windows 7 and Server 2008/2008 R2. We only have four months left until the final Extended Security Update (ESU) is released on January 10, 2023. I hope everyone has a plan in place to move those last systems you may have in a server room somewhere. Looking ahead in the forecast, Microsoft Server 2012/2012 R2 will enter ESU support after the October 2023 Patch Tuesday on 11 October. If you start planning now, you should consider moving those systems to one of the latest Windows 10-based servers to avoid the high costs of ESU support.
October 2022 Patch Tuesday forecast
- Expect the trend of addressing more CVEs in older operating systems to continue. They may be EOL soon, but Microsoft knows that they will probably be running for a while after that and wants to leave them in good condition. Windows 10, 11, and the related servers will receive their usual updates. Microsoft has been aware of these Exchange Server vulnerabilities for over a month, so keep an eye out for a security fix.
- Adobe Acrobat and Reader had major updates once a quarter, but that trend has been broken with more frequent updates in the past few months. Although there is no advance announcement yet, expect a detailed update next week. If you missed last Patch Tuesday’s updates, most of the personal, creative apps received security updates, so deploy them soon.
- Apple released several major OS security updates in September, and I haven’t heard of any major vulnerabilities being reported, so I’m not expecting another update next week.
- Google released the Extended Stable Channel Update and the Stable Channel Desktop Update 106.0.5249.103 for Windows, Mac and Linux on Wednesday. I don’t expect any further updates next week.
- Mozilla released the Thunderbird 102.3.1 security update last week, so expect updates soon for Firefox and Firefox ESR.
Hopefully we’ll get a few treats from Microsoft next week with security solutions for Exchange Server, deployment solutions for Windows 11, and more!