July 2022 Patch Tuesday: Critical Adobe updates and another Follina fix

While July’s Microsoft Patch Tuesday didn’t bring any named celebrity vulnerabilities this month it does still include one zero-day, CVE-2022-22047 which is under active exploitation and allows for an attacker to gain SYSTEM privileges on the target system. With a severity rating of Important, this zero-day is another example of how defaulting to an “only apply critical security patches” policy can leave environments unnecessarily exposed to threats that can easily be defended against.

Microsoft also announced general availability of Windows Autopatch on July 11, 2022. While Windows Autopatch is a welcome tool for overextended internal IT departments it is not the best match for the multi-tenant and scalable functionality that MSPs need. You can read a deeper analysis of Windows Autopatch here.

Of note is also updated guidance from Microsoft on CVE-2022-30190, aka Follina. Luckily, the guidance from Microsoft is to apply July’s cumulative update as soon as possible. Details are short on what additional fixes for Follina are included in the July Cumulative Update (CU), with it being referred to as a “defense in depth variant”, but the message from Microsoft to update ASAP should be heeded.

Along with the one zero-day there are four vulnerabilities marked as Critical with 89 total vulnerabilities being addressed or receiving updated fixes. This is a slight uptick in the number of fixes from June, but there is not the same sense of urgency around any vulnerability addressed this month.

Microsoft Vulnerabilities

This Microsoft Patch Tuesday brings a wide set of fixes for remote code execution, privilege elevation, and security feature bypass vulnerabilities. Each one of these represents a potential avenue a malicious actor can use as part of a future attack. Protecting against future attacks while old attacks are still being carried out might sound like chasing the wrong goal, but attackers don’t care if vulnerabilities are old or new, they will use whatever is available to them. This is why having good patch management processes and quarterly or monthly auditing is so important.

Thirty-three of this month’s fixes are for Azure. So, if you’re not using Azure, you’ll have a total of fifty-six to contend with. This lower number of vulnerabilities and only one zero-day should keep workloads low for teams responsible for Windows patching.

Microsoft Patch Tuesday Vulnerability Prioritization

The zero-day CVE-2022-22047 should be a top item along with applying the July CU for most environments. There are also four critical updates that should be on your radar.

It is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked as Exploitation More Likely are as important, and some may say even more important, to address quickly due to their increased likelihood to cause actual impacts to an environment.  These CVEs from Microsoft should be top of the list as they are all marked as Exploitation More Likely, Exploitation Detected, or Critical.

Cumulative Updates

KB5015807 and KB5015811 both bring the normal collection of roll-up security fixes and features from previous months’ updates for Windows 10. KB5015807 includes fixes for touchpad right-click functionality and Wi-Fi connectivity issues so if you have seen these issues in your environment, this CU may resolve them. KB501581 also provides roll-ups and includes update servicing stack updates.

KB5015814 for Windows 11 includes update servicing stack updates and previous KB5014668 improvements.

Known Complications of Note

This month’s KB5015814 cumulative update for Windows 11 continues to seem to be introducing issues with applications requiring 3.5 and older .NET Framework. Microsoft has guidance available here in the Known Issues section.

Other Vendors

Adobe released updates for their Adobe Acrobat and Reader applications. With Adobe Reader’s widespread use, it’s important to include applying timely updates as part of your monthly patching processes. It is also important to have awareness of old versions of Adobe Reader still in circulation in environments as their presence provides an avenue for old vulnerabilities to be exploited.

Google also provided a stable channel update for Google Chrome on July 4, 2022 that includes four security fixes for high severity vulnerabilities. Browsers’ ubiquity and position of being a major vector for threats requires they receive just as much attention as operating system updates. If updating browsers isn’t part of your patch management policies today, it should be part of your policies tomorrow.

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Windows Patch Management routines.

Looking for more information on the Patch Management section? Check out this section on our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd