June 2022 Patch Tuesday wrapped up a few loose ends we were waiting on. The Follina remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) was fixed.
Internet Explorer came to a quiet end in most versions of the Windows 10 operating system. And finally, the Phase 2 update for CVE-2021-26414, the DCOM server security feature bypass, was released. With those major updates now in place, could we see a summertime lull in the July 2022 Patch Tuesday updates?
Before we get to the forecast, there was a bit of excitement earlier this week when Google released a Chrome zero-day update – their fourth of the year. Chrome 103.0.5060.114 was released for the Stable Desktop Channel, addressing CVE-2022-2294, which is a buffer overflow vulnerability. Because this is known to be exploited in the wild, Google provided few details on the vulnerability, allowing time for the update to be distributed and installed.
While on the topic of limited disclosure, there was a report that Microsoft quietly released a fix for an NTLM relay vulnerability as part of the June updates. Per the article, an attack could result in a device impersonating a domain controller and gaining elevated privileges that can be used to take over the Windows domain. There was concern about Microsoft’s transparency, since it reported neither the vulnerability nor the fix itself. We’ll see if more information is released in the July 2022 Patch Tuesday.
There seems to be a lot of confusion surrounding the end-of-support and retirement of Internet Explorer last month. Many expected it to be disabled or uninstalled from those systems which are no longer supported. Microsoft is reserving those options for a future cumulative update on those operating systems, but in the meantime opening IE 11 will display an EOL message and direct the user to a Microsoft Edge download. As announced, Microsoft recommends using IE mode in the Edge browser if you really need it for application compatibility.
We saw a rare SQL Server update last Patch Tuesday and I don’t anticipate another this month. Just a reminder that Microsoft SQL Server 2012 reaches EOL July 12. Microsoft will be providing extended security updates (ESU) for three years starting next month, but if you are looking to move to a fully supported SQL version you need to jump to SQL Server 2019. This Patch Tuesday will see the final ESU update for SQL Server 2008 R2, but I’m hoping that won’t impact many of you.
July 2022 Patch Tuesday forecast
- We saw a much smaller number of CVEs addressed last month and I expect that trend to continue in July. Expect the standard updates for Windows 10, 11, and the legacy operating systems. Only a handful of Office applications were updated last month so I anticipate a full suite of Office updates.
- No pre-notifications have been made so far, but Adobe Acrobat and Reader were last updated in April so a major one should surface soon.
- We’re overdue for a Monterey security update with the last coming back in May, but Apple does not release on a standard schedule.
- Google released their zero-day updates as I mentioned. Anticipate a quiet week from them for Patch Tuesday.
- Mozilla released security updates for their applications the last week of June. Firefox 102, Firefox ESR 91.11 and Thunderbird 102 were all updated. I would expect a minor update next week, if any, for these applications.
With the exception of maybe some major Adobe updates for Acrobat and Reader next week, it should be a fairly quiet July Patch Tuesday with just some standard releases from Microsoft. Enjoy the lull in the action.