Virtual Administrator’s November 2022 Patch Recommendations
This month Microsoft released patches for 65 vulnerabilities with 10 rated “Critical” in severity.
All patches will be approved in our patch policy (exception: KB5001716, see below).
There are six actively exploited vulnerabilities this month. The Exchange vulnerabilities (CVE-2022-41082, CVE-2022-41040) discovered last month are being patched; an attacker must be authenticated to exploit them.
CVE-2022-41128 is a Critical Remote Code Execution (RCE) vulnerability affecting the JScript9 scripting language.
CVE-2022-41073 is the latest in the PrintNightmare lineage of vulnerabilities affecting the Windows Print Spooler. CVE-2022-41125 is an Elevation of Privilege (EoP) vulnerability affecting the Windows Cryptography (CNG) Key Isolation service.
Disclosed in October, CVE-2022-41091 is a Security Feature Bypass of “Windows Mark of the Web”.
Last month’s CVE-2022-38042 introduced “Domain join hardening changes” that may cause problems – see “Known Issues” below. Admins should be aware of Kerberos protocol changes (CVE-2022-37966 and CVE-2022-37967) being introduced – see “Heads Up!” below.
Advisory ADV220003 is a Microsoft Defense in Depth Update affecting Office 2013/2016.
FYI: Denied KB5001716
This is an Optional Update which can automatically install new feature updates. It may also trigger warnings to end users. Our policy has always been to let our partners decide when to install feature updates.
“Update for Windows Update Service components”
“When this update is installed, Windows may attempt to download and install feature updates to your device if it is approaching or has reached the end of support for your currently installed Windows version. Feature updates offer new functionality and help keep your device secure.
After this update is installed, Windows may periodically display a notification informing you of problems that may prevent Windows Update from keeping your device up-to-date and protected against current threats.”
Heads Up! Kerberos protocol changes
KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
“Windows updates address security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation.”
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
“Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.”
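Before the CVE-2022-37966 changes from KB5021131 reach your domain controllers, it helps to know which accounts are still negotiating with RC4-HMAC. The PowerShell below is an added example (not Virtual Administrator’s or Microsoft’s code) that enumerates user and computer objects, decodes the msDS-SupportedEncryptionTypes bit mask, and lists the accounts that are RC4-only or have nothing set; it assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain.

```powershell
# Added example: audit Kerberos encryption types ahead of the CVE-2022-37966 changes.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Documented bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertTo-EncTypeNames {
    param([int]$Value)
    $names = foreach ($bit in $EncTypes.Keys) {
        if ($Value -band $bit) { $EncTypes[$bit] }
    }
    if (-not $names) { return '(none set)' }
    return ($names -join ', ')
}

# computer is a subclass of user, so this filter also catches service accounts and hosts.
$accounts = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties msDS-SupportedEncryptionTypes, servicePrincipalName

$report = foreach ($a in $accounts) {
    $v = [int]($a.'msDS-SupportedEncryptionTypes')   # attribute absent => 0
    [pscustomobject]@{
        Name       = $a.Name
        Class      = $a.ObjectClass
        HasSPN     = [bool]$a.servicePrincipalName
        EncTypes   = ConvertTo-EncTypeNames $v
        AESEnabled = [bool]($v -band 24)                     # AES128 or AES256 bit set
        RC4Only    = [bool](($v -band 4) -and -not ($v -band 24))
    }
}

# Accounts that still depend on RC4 negotiation: explicitly RC4-only, or nothing configured.
$report | Where-Object { $_.RC4Only -or $_.EncTypes -eq '(none set)' } |
    Sort-Object Class, Name | Format-Table -AutoSize
```

Run it once before the update to get a baseline, and again afterwards if authentication failures show up; accounts with service principal names in the output are the ones to review first, since those are the ones tickets are issued for.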
Exploited: CVE-2022-41040, CVE-2022-41073, CVE-2022-41082, CVE-2022-41091, CVE-2022-41125, CVE-2022-41128
Security Update Guide
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Microsoft Security Advisories
ADV220003 | Microsoft Defense in Depth Update (Published: 11/08/2022)
Reason: Microsoft has released an update for Microsoft Office that provides enhanced security as a defense in depth measure. This update provides hardening around IRM-protected documents to ensure the trust-of-certificate chain.
Office 2013 (KB3191875)
Office 2016 (KB3191869)
A couple of known issues are listed below, affecting all Windows systems and Windows 11 22H2.
“May prevent domain join operations”
KB5020276—Netjoin: Domain join hardening changes
Windows updates released on and after October 11, 2022, contain additional protections introduced by CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:
1) The user attempting the operation is the creator of the existing account.
2) The computer was created by a member of domain administrators.
Symptom: After this update or a later Windows update is installed, domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text stating “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed.
Affected scenarios include some domain join or re-imaging operations where a computer account was created or pre-staged by a different identity than the identity used to join or re-join the computer to the domain.
For more information about this issue, see KB5020276—Netjoin: Domain join hardening changes.
Note: Consumer desktop editions of Windows are unlikely to experience this issue.
Status: We have added guidance to KB5020276 and are evaluating whether optimizations can be made in a future Windows Update. This guidance will be updated as soon as those changes are released.
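The hardening above keys on who created an existing computer account, so the first step in untangling a blocked re-join is finding out who that was. The PowerShell below is an added example (not Virtual Administrator’s or Microsoft’s code) that lists every computer account with its creation date, last logon and the creator resolved from mS-DS-CreatorSID, the attribute Active Directory stamps when a non-administrative user creates a computer account through the machine account quota. It assumes the ActiveDirectory RSAT module; the attribute is absent when the account was created by an identity that held explicit create rights, so an empty CreatedBy column is expected for admin-created accounts.

```powershell
# Added example: find who created existing computer accounts, so a re-image or re-join
# can be run as that identity or by a domain administrator instead of failing with
# NERR_AccountReuseBlockedByPolicy. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Resolve-CreatorSid {
    param($SidBytes)   # raw mS-DS-CreatorSID value (byte[]) or $null
    if (-not ($SidBytes -is [byte[]])) { return $null }
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidBytes, 0)
    try {
        # Resolve to DOMAIN\user; fall back to the SID string if the creator was deleted.
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid.Value
    }
}

$computers = Get-ADComputer -Filter * -Properties mS-DS-CreatorSID, whenCreated, LastLogonDate

$report = foreach ($c in $computers) {
    [pscustomobject]@{
        Name      = $c.Name
        Created   = $c.whenCreated
        LastLogon = $c.LastLogonDate
        CreatedBy = Resolve-CreatorSid $c.'mS-DS-CreatorSID'   # $null => created with explicit rights
    }
}

# Pre-staged or stale accounts created by someone other than the joining identity are the
# ones most likely to trip the new rule; group by creator to spot them.
$report | Sort-Object CreatedBy, Name | Format-Table -AutoSize
```

Where a stale account belongs to a machine that no longer exists, deleting it (or running the join as a domain administrator) clears the error without weakening the new protection.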
“Copying large multiple gigabyte (GB) files”
Windows 11 version 22H2, all editions
Symptom: Copying large multiple gigabyte (GB) files might take longer than expected to finish on Windows 11, version 22H2. You are more likely to experience this issue copying files to Windows 11, version 22H2 from a network share via Server Message Block (SMB) but local file copy might also be affected. Windows devices used by consumers in their home or small offices are not likely to be affected by this issue.
Workaround: To mitigate this issue, you can use file copy tools that do not use cache manager (buffered I/O). This can be done by using the built-in command-line tools listed below:
robocopy \\someserver\someshare c:\somefolder somefile.img /J
xcopy \\someserver\someshare c:\somefolder /J
Status: We are working on a resolution and will provide an update in an upcoming release.
A good resource for known issues with Windows 10/11 patches: find the version and click on “Known issues”.
Windows release health
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5020000 – Windows 7, Windows Server 2008 R2 (ESU)
- KB5020023 – Windows 8.1, Windows Server 2012 R2
- KB5020009 – Windows Server 2012
- KB5020019 – Windows Server 2008 (ESU)
Security Only Update
- KB5020013 – Windows 7, Windows Server 2008 R2 (ESU)
- KB5020010 – Windows 8.1, Windows Server 2012 R2
- KB5020003 – Windows Server 2012
- KB5020005 – Windows Server 2008 (ESU)
Windows 10
- KB5019970 – Original release version 1507 (OS Build 10240)
- KB5019964 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5019966 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5019959 – Version 20H2 “October 2020 Update” (OS Build 19042)
- KB5019959 – Version 21H1 “May 2021 Update” (OS Build 19043)
- KB5019959 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5019959 – Version 22H2 “November 2022 Update” (OS Build 19045)
(Versions 1511,1703,1709,1803,1903,2004 are no longer under support)
Windows 11
- KB5019961 – 21H2 (OS Build 22000) Original release
- KB5019980 – 22H2 (OS Build 22621)
Windows Server
- KB5019964 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5019966 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5019081 – Server 2022 (OS Build 20348)
November 2022 updates for Microsoft Office
CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
“An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.”
CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
“An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control on the service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges.”
CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
“An attacker who successfully exploited this vulnerability could gain domain administrator privileges.”
CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability (KB5019758)
“The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.”
CVE-2022-41040 | Microsoft Exchange Server Elevation of Privilege Vulnerability (KB5019758)
“The privileges acquired by the attacker would be the ability to run PowerShell in the context of the system.”
CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
“This vulnerability impacts the JScript9 scripting language.”
CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”
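Protected View and SmartScreen decide what to do with a file by reading the Zone.Identifier alternate data stream that the Mark of the Web consists of, so a quick way to confirm that downloaded files are still being tagged is to read that stream. The PowerShell below is an added example (not Virtual Administrator’s or Microsoft’s code) that returns the zone of a single file and then lists the files under a folder that carry no tag at all; the folder path is a placeholder you substitute.

```powershell
# Added example: inspect the Mark of the Web (Zone.Identifier ADS) on files.
# ZoneId values: 0 Local machine, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null        # no Zone.Identifier stream => the file carries no MOTW
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null            # stream present but malformed: treat as untagged
}

function Get-UntaggedFiles {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | Where-Object {
        $null -eq (Get-MotwZone -Path $_.FullName)
    } | Select-Object FullName, Length, LastWriteTime
}

# Usage (placeholder paths): zone of one file, then every untagged file in a downloads folder.
Get-MotwZone -Path "$env:USERPROFILE\Downloads\example.docx"
Get-UntaggedFiles -Folder "$env:USERPROFILE\Downloads"
```

Files that arrived from the Internet and show no ZoneId, or a ZoneId other than 3, are the ones worth a second look when checking whether the bypass described above is being used against your users.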
CVE-2022-41073 | Windows Print Spooler Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”