February 2022 Patch Tuesday Predictions: A Rocky Start to 2022
The January 2022 Patch Tuesday was tough for Microsoft — and for us. In the week following Patch Tuesday, Microsoft was forced to pull and then reissue several updates for Windows Server 2012, 2019, and 2022, as well as Windows 10 and 11.
Three major issues have been addressed in these re-released updates. The first issue was that some Windows Server 2019 and 2022 domain controllers were forced into a reboot loop; the second issue was that Hyper-V would not start on Windows Server 2012; and the third issue involved dropped L2TP VPN connections on Windows 10 and 11 workstations.
It was a frustrating week for many IT teams as they struggled with outages caused by the release of the initial update on Tuesday and subsequent patched versions. While we all want to deploy updates as quickly as possible to stay ahead of the threat, this past month has reminded us of the value of a gradual rollout, validating stability on test systems before release. distribution in production.
The Log4j or Log4Shell bug continues to get attention in the news. Vendors quickly responded to the widespread and easily exploitable vulnerability with product updates, so be sure to consider these application updates in your next update cycle. A quick warning is that a host of Log4j-specific vulnerability scanners have appeared on the market. Be sure to use one from a trusted vendor, as malicious versions come and go.
More vulnerabilities in WordPress have been reported. You may recall that in the latter part of last year, vulnerabilities were identified in the All in One SEO plugin and some of the starter templates. Together, these vulnerabilities affected several million websites. This time the vulnerability is reported in a popular plugin called Essential Addons for Elementor, which allows remote code execution. A fix is available and should also be considered this month if you are using the plugin.
And finally, 23 CVEs have been reported in InsydeH2O’s Unified Extensible Firmware Interface (UEFI) firmware. This firmware is used by many major hardware manufacturers including Dell, HP, Lenovo, Microsoft and others. Like the Log4Shell vulnerabilities, these cannot be patched directly, and respective hardware vendors must update, test, and distribute patched firmware as part of their packages. The firmware update for the vulnerabilities is available, but it will take a long time for all vendors to respond and individual machines to be updated. These particular CVEs in firmware are scary because “the privileges extend beyond those of the operating system kernel, so any security issues in this space can have serious consequences for the vulnerable system.” Please pay close attention to these firmware updates as they become available.
Despite the issues mentioned at the beginning of this article, Microsoft resolved 97 unique CVEs last Tuesday, nine of which were classified as critical. I sure hope they spend a lot more time testing ahead of next week’s Patch Tuesday releases so we don’t have to relive this mess.
February 2022 Patch Tuesday Predictions
- I suspect we’ll see fewer CVEs covered, but expect the usual Microsoft builds. Last month we had the first security release of the .NET framework in over a year, so I’m not expecting another. Also, a version of Exchange Server with three CVEs was released last month, so I don’t expect another next week.
- Year 3 of Extended Security Updates (ESU) for Windows 7 and Server 2008/2008 R2 begins next week. This is the last year of support, so phase out those older operating systems.
- Adobe released a security update for Acrobat and Reader last Tuesday addressing 26 CVEs including 16 critical. Their monthly releases have slowed down, so I don’t expect anything major this month.
- Safari, macOS Catalina, Big Sur and Monterey, and iOS all received security updates on January 26. Nothing is scheduled for next week.
- Google’s Chrome 98 stable channel update for Windows, macOS, and Linux was released on Tuesday. It addressed 27 vulnerabilities and eight of them were rated High. Plan to pick this one up soon if you haven’t already.
- Mozilla released January Patch Tuesday updates for Firefox, Firefox ESR, and Thunderbird, so expect new security updates again next week.
It was a tough kick off for our Patch Tuesday cadence in January. Microsoft should deliver a higher quality set of updates this month, and major third-party updates are already available, so let’s plan for a simple, routine set of patches next week.