April 2022 Patch Tuesday: Are You Ready for Windows Autopatch?

April’s Patch Tuesday brings a significant increase in the number of vulnerabilities being addressed right on the heels of Microsoft’s announcement of Windows Autopatch. With 119 vulnerabilities receiving fixes, one under active exploitation, and 10 as exploitation more likely, teams responsible for patching may need a little more bandwidth this month than last to get patching done in an acceptable timeframe based on the risk profile of their environments. CVE-2022-24521 should be on the top of everyone’s prioritization list as the vulnerability under active exploitation.
We’ll talk about Microsoft’s Windows Autopatch a little further down, so don’t skip that section even if you don’t think you’ll be using it as there are some great takeaways from how it’s planned to be implemented that you can take advantage of in your own patch management workflows.
Microsoft Vulnerabilities
The small break we’ve received over the last few months with lower numbers of Microsoft vulnerabilities requiring patches appears to be over. 119 vulnerabilities in all, with one of them being actively exploited, and 10 critical. Plenty to keep you and your team occupied.
The big vulnerability of note is CVE-2022-24521 which is the zero-day under active exploitation. It is marked as Attack Complexity: Low, Privileges Required: Low, User Interaction: None, and on top of all that, it was reported by the NSA and Crowdstrike. All it’s missing is a flashing neon sign. Make sure this one finds a spot on the top of your priority list.
It’s also “third time’s a charm” for CVE-2022-26904, which receives another fix this month after bypasses were discovered for the original two fixes. While the attack complexity is high for this vulnerability, it is still labeled as Exploitation More Likely.
Microsoft Patch Tuesday Vulnerability Prioritization
It is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked as Exploitation More Likely are as important, and some may say even more important, to address quickly due to their increased likelihood to cause actual impacts to an environment. These CVEs from Microsoft should be top of the list as they are all marked as Exploitation More Likely, Exploitation Detected, or Critical.
| CVE | Description | Exploitability | Severity |
|---|---|---|---|
| CVE-2022-24521 | Windows Common Log File System Driver Elevation of Privilege | Exploitation Detected | Important |
| | Remote Procedure Call Runtime Remote Code Execution | Exploitation More Likely | Critical |
| | Windows Digital Media Receiver Elevation of Privilege | Exploitation More Likely | Important |
| | Windows DWM Core Library Elevation of Privilege | Exploitation More Likely | Important |
| | Windows Win32k Elevation of Privilege | Exploitation More Likely | Important |
| | Windows Network File System Remote Code Execution | Exploitation More Likely | Critical |
| | Windows Common Log File System Driver Elevation of Privilege | Exploitation More Likely | Important |
| | Win32k Elevation of Privilege | Exploitation More Likely | Important |
| | Windows User Profile Service Elevation of Privilege | Exploitation More Likely | Important |
| | Windows Win32k Elevation of Privilege | Exploitation More Likely | Important |
| | Brotli Library Buffer Overflow | Exploitation More Likely | Important |
| | Microsoft Dynamics 365 (on-premises) RCE | Exploitation Less Likely | Critical |
| | Windows Hyper-V RCE | Exploitation Less Likely | Critical |
| | Windows Hyper-V RCE | Exploitation Less Likely | Critical |
| | Windows Hyper-V RCE | Exploitation Less Likely | Critical |
| | Windows Network File System RCE | Exploitation Less Likely | Critical |
| | Remote Procedure Call Runtime RCE | Exploitation Less Likely | Critical |
| | Windows Server Service RCE | Exploitation Less Likely | Critical |
| | Windows SMB RCE | Exploitation Less Likely | Critical |
| | Windows LDAP Remote Code Execution | Exploitation Less Likely | Critical |
Cumulative Updates
Windows 10 KB5012599 and KB5012591, and Windows 11 KB5012592, are our cumulative updates of note this month, but there’s not much to note. They include the expected security updates from previous months and some feature improvements, with KB5012592 getting 26 improvements in total, such as better toast notification UX and easier default browser selection.
Windows Autopatch
Microsoft is introducing a new feature that offloads Windows and Microsoft 365 Apps updates to Microsoft as a service. This functionality is going to feel familiar to any MSP who has ever used a patch management solution. While many may just brush this off as Windows Update with a schedule and a price tag, it’s worth understanding how it works and, more importantly, what your clients’ perception of it may be if they hear about it and have questions.
Many MSP clients will not be able to take advantage of Windows Autopatch, since it requires a Windows 10 or Windows 11 Enterprise E3 license or above. There is value, though, in taking a look at its deployment and testing rings and copying that philosophy into your own patch management processes if you don’t already have lab vs. production testing workflows in place. Check out the Microsoft article about Windows Autopatch and their FAQ to learn more.
Summary
Make sure you have the basics covered. Even with all the new cybersecurity concerns you and your clients are facing, there isn’t anything you should be doing tomorrow that you shouldn’t have already been doing yesterday. Follow the NIST Cybersecurity Framework, the CIS 18 Controls, or another collection of recognized security controls to help guide you.
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your patch management routines.
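The prioritization rule described in the vulnerability prioritization section and in the summary above (exploitation status first, severity second) is easy to encode so it runs the same way every month. The following Python is an added example written for this post, not an N‑able or Microsoft tool. The `Advisory` fields mirror the columns of the table above; the tier names, the days-to-production targets, and the placeholder `CVE-EXAMPLE-*` identifiers are assumptions for illustration. CVE-2022-24521 and CVE-2022-26904 are the two CVEs named in this post; their exploitability values come from the post, and CVE-2022-26904 is carried as Important here.

```python
from dataclasses import dataclass

# Ranking used by this example: Microsoft's exploitability index outranks severity,
# so an Important zero-day sorts above a Critical bug that is "Exploitation Less Likely".
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Assumed internal targets (days until the patch reaches the production ring).
# These are example SLAs, not Microsoft or N-able guidance; tune them to your risk profile.
TIER_SLA_DAYS = {"P1": 3, "P2": 7, "P3": 14, "P4": 30}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploitability: str
    severity: str


def tier(adv: Advisory) -> str:
    """P1: exploitation detected (zero-day). P2: exploitation more likely.
    P3: Critical severity with no exploitation signal. P4: everything else."""
    if adv.exploitability == "Exploitation Detected":
        return "P1"
    if adv.exploitability == "Exploitation More Likely":
        return "P2"
    if adv.severity == "Critical":
        return "P3"
    return "P4"


def prioritize(advisories):
    """Order by exploitability, then severity, then CVE id for a stable result.
    Unknown labels sort last rather than raising, so a new MSRC label never hides a row."""
    return sorted(
        advisories,
        key=lambda a: (
            EXPLOITABILITY_RANK.get(a.exploitability, 99),
            SEVERITY_RANK.get(a.severity, 99),
            a.cve,
        ),
    )


def severity_only(advisories):
    """The traditional ordering the summary warns about: severity alone."""
    return sorted(advisories, key=lambda a: (SEVERITY_RANK.get(a.severity, 99), a.cve))


def plan(advisories):
    """Return (cve, tier, days-to-production) tuples in patching order."""
    return [(a.cve, tier(a), TIER_SLA_DAYS[tier(a)]) for a in prioritize(advisories)]


# Constructed sample set. Only the two CVE ids named in the post are real;
# CVE-EXAMPLE-* entries are placeholders that reuse descriptions from the table above.
SAMPLE = [
    Advisory("CVE-EXAMPLE-1", "Windows Hyper-V RCE", "Exploitation Less Likely", "Critical"),
    Advisory("CVE-2022-24521", "Windows Common Log File System Driver Elevation of Privilege",
             "Exploitation Detected", "Important"),
    Advisory("CVE-EXAMPLE-2", "Remote Procedure Call Runtime RCE", "Exploitation More Likely", "Critical"),
    Advisory("CVE-2022-26904", "Windows User Profile Service Elevation of Privilege",
             "Exploitation More Likely", "Important"),
    Advisory("CVE-EXAMPLE-3", "Brotli Library Buffer Overflow", "Exploitation More Likely", "Important"),
    Advisory("CVE-EXAMPLE-4", "Windows Digital Media Receiver Elevation of Privilege",
             "Exploitation Unlikely", "Important"),
]

if __name__ == "__main__":
    print("severity-only order :", [a.cve for a in severity_only(SAMPLE)])
    print("risk-based order    :")
    for cve, t, days in plan(SAMPLE):
        print(f"  {t}  {cve:<16} target {days:>2} days")
```

Run as written, the severity-only list starts with the Critical Hyper-V placeholder, while the risk-based plan puts CVE-2022-24521 first with the shortest target even though Microsoft rates it Important. Feeding the script your real monthly export (the MSRC CSV has the same four columns) gives you a repeatable ordering to hand to whoever schedules the rings.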
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability regarding the accuracy, completeness, or usefulness of the information contained herein.
N-ABLE, N-CENTRAL, and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered trademarks, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.