2022 October Patch Tuesday

Ivanti
Oct. 12, 2022

  1. Patch Tuesday Webinar
     - Wednesday, October 12, 2022
     - Hosted by Chris Goettl and Todd Schell
  2. Agenda
     - October 2022 Patch Tuesday Overview
     - In the News
     - Bulletins and Releases
     - Between Patch Tuesdays
     - Q & A
  3. Overview
  4. Copyright © 2022 Ivanti. All rights reserved. October Patch Tuesday 2022 October is Cybersecurity Awareness month. In this month’s blog we will be sharing not only the details of the Patch Tuesday release, but also some great cybersecurity tips! Check out the blog to find more details on Microsoft's Zero-day fix, Adobe's security updates and EoL announcement, as well as details on the upcoming Oracle CPU and what that will mean later this month.
  5. In the News
  6. In the News
     - Exchange (ProxyNotShell) Zero-Day Vulnerabilities still unpatched
       - https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-days-exchange-server-exploit-chain-remains-unpatched
       - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/
       - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server
     - Fortinet Zero-Day vulnerability exploited in attack
       - https://www.securityweek.com/fortinet-confirms-zero-day-vulnerability-exploited-one-attack
     - Oracle Critical Patch Updates (CPU)
       - 18 October
       - https://www.oracle.com/security-alerts/
  7. Exchange Zero-Day Details:
     - CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability
       - CVSS 3.1 Scores:
       - Severity: Not yet rated
       - Exchange Server 2013 CU 23, 2016 CU 22 & 23, 2019 CU 11 & 12
     - CVE-2022-41082 Microsoft Exchange Server Remote Code Execution Vulnerability
       - CVSS 3.1 Scores:
       - Severity: Not yet rated
       - Exchange Server 2013 CU 23, 2016 CU 22 & 23, 2019 CU 11 & 12
     - Subject to the ProxyNotShell attack
     - Mitigation published
       - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
     - Microsoft is working on a resolution
  8. Known Exploited Vulnerability
     - CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability
       - CVSS 3.1 Scores: 7.8 / 6.8
       - Severity: Important
       - Impacts all Windows workstation and server operating systems
       - An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
  9. Publicly Disclosed Vulnerabilities
     - CVE-2022-30134 Microsoft Exchange Information Disclosure Vulnerability
       - CVSS 3.1 Scores: 6.5 / 5.7
       - Severity: Important
       - Exchange Server 2013 CU 23, 2016 CU 22 & 23, 2019 CU 11 & 12
       - Re-issue from August 2022
     - CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability
       - CVSS 3.1 Scores: 3.3 / 2.9
       - Severity: Important
       - Office 2019 for Mac and Office LTSC for Mac 2021
  10. Adobe Acrobat and Reader 2017 Classic EoL:
      - End of Support for Adobe Acrobat 2017 Classic and Acrobat Reader 2017 Classic
        - https://helpx.adobe.com/acrobat/kb/end-of-support-acrobat-2017-reader-2017.html
      - Adobe Recommendation: Adobe strongly recommends that you update to the latest versions of Adobe Acrobat and Acrobat Reader. By updating installations to the latest versions, you benefit from the latest functional enhancements and improved security measures.
      - Risk of EoL software:
        - https://www.cisostreet.com/end-of-life-software-risks-dangers-and-what-to-do-next/
        - Operational risk and business interruption
        - Security risks
        - Compliance Risk
  11. Microsoft Patch Tuesday Updates of Interest
      - Advisory 990001 Latest Servicing Stack Updates (SSU)
        - https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV990001
        - Windows 8.1/Server 2012 R2
      - Azure and Development Tool Updates
        - .NET Core 3.1
        - .NET 6.0
        - Azure Arc-enabled Kubernetes (multiple)
        - Azure Stack Edge
        - Azure StorSimple 8000 Series
        - Jupyter Extension for VS Code
        - Visual Studio 2019 (multiple)
        - Visual Studio 2022 (multiple)
        - Visual Studio Code

      Source: Microsoft
  12. Basic Authentication Deprecation in Exchange Online
      - Service was disabled October 1
        - https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437
      - First announcement 3 years ago
      - Basic authentication subject to man-in-the-middle attacks
      - 3-month waiver for single service available from Microsoft
      - Fully disabled in January 2023
  13. Server 2012/2012 R2 EOL is Coming
      - Lifecycle Fact Sheet
        - https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2

      Source: Microsoft
  14. Windows 10 and 11 Lifecycle Awareness

      Windows 10 Enterprise and Education

      | Version | Release Date | End of Support Date |
      |---------|--------------|---------------------|
      | 21H2    | 11/16/2021   | 6/11/2024           |
      | 21H1    | 5/18/2021    | 12/13/2022          |
      | 20H2    | 10/20/2020   | 5/9/2023            |

      Windows 10 Home and Pro

      | Version | Release Date | End of Support Date |
      |---------|--------------|---------------------|
      | 21H2    | 11/16/2021   | 6/13/2023           |
      | 21H1    | 5/18/2021    | 12/13/2022          |

      Windows Datacenter and Standard Server

      | Version | Release Date | End of Support Date |
      |---------|--------------|---------------------|
      | 2019    | 11/13/2019   | 1/9/2024            |
      | 2022    | 8/18/2021    | 10/13/2026          |

      Windows 11 Home and Pro

      | Version | Release Date | End of Support Date |
      |---------|--------------|---------------------|
      | 21H2    | 10/4/2021    | 10/10/2023          |
      | 22H2    | 9/20/2022    | 10/8/2024           |

      - Lifecycle Fact Sheet
        - https://docs.microsoft.com/en-us/lifecycle/faq/windows
  15. Patch Content Announcements
      - Announcements Posted on Community Forum Pages
        - https://forums.ivanti.com/s/group/CollaborationGroup/00Ba0000009oKICEA2
      - Subscribe to receive email for the desired product(s)
  16. Bulletins and Releases
  17. APSB22-46: Security Update for Adobe Acrobat and Reader
      - Maximum Severity: Critical
      - Affected Products: Adobe Acrobat and Reader (all current versions)
      - Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address 2 Critical and 4 Important vulnerabilities. See https://helpx.adobe.com/security/products/acrobat/apsb22-46.html for complete details.
      - Impact: Remote Code Execution, Denial of Service and Information Disclosure
      - Fixes 6 Vulnerabilities: See link to Adobe bulletin
      - Restart Required: Requires application restart
  18. MS22-10-W11: Windows 11 Update
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows 11 Version 21H2, 22H2, and Edge Chromium
      - Description: This bulletin references KB 5018418 (21H2) and KB 5018427 (22H2).
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 66 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: See next slide
  19. October Known Issues for Windows 11
      - KB 5018418 – Windows 11 version 21H2
        - [File Copy Fail] After installing this update, file copies using Group Policy Preferences might fail or might create empty shortcuts or files using 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in User Configuration > Preferences > Windows Settings in Group Policy Editor. Workaround: See KB for multiple mitigations. Microsoft is working on a resolution.
      - KB 5018427 – Windows 11 version 22H2
        - [Provision] Using provisioning packages on Windows 11, version 22H2 (also called Windows 11 2022 Update) might not work as expected. Windows might only be partially configured, and the Out Of Box Experience might not finish or might restart unexpectedly. Workaround: Provision before updating to 22H2. Microsoft is working on a resolution.
        - [Slow Copy] Copying large multiple gigabyte (GB) files might take longer than expected to finish on Windows 11, version 22H2. Workaround: Use file copy tools that do not use cache manager (buffered I/O). See KB for multiple mitigations. Microsoft is working on a resolution.
  20. MS22-10-W10: Windows 10 Update
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows 10 Versions 1607, 1809, 20H2, 21H1, 21H2, Server 2016, Server 2019, Server 2022 and Edge Chromium
      - Description: This bulletin references 5 KB articles. See KBs for the list of changes.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 67 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: See next slide
  21. October Known Issues for Windows 10
      - KB 5018419 – Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC, Windows Server 2019
        - [Cluster Update] After installing KB 5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found. Workaround: This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. For more information about the specific errors, cause, and workaround for this issue, please see KB 5003571.
  22. October Known Issues for Windows 10 (cont)
      - KB 5017308 – Windows 10 version 20H2, Windows Server version 20H2, Windows 10 version 21H1 all editions, Windows 10, version 21H2 all editions
        - [Edge Removed] Devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. Devices that connect directly to Windows Update to receive updates are not affected. Workaround: Slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. Or install Microsoft Edge if you have encountered affected media. See KB for details.
        - [File Copy Fail]
  23. MS22-10-MR2K8-ESU: Monthly Rollup for Windows Server 2008
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows Server 2008 and IE 9
      - Description: This cumulative security update contains improvements that are part of update KB 5017358 (released September 13, 2022). Bulletin is based on KB 5018450.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 37 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]
  24. MS22-10-SO2K8-ESU: Security-only Update for Windows Server 2008
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows Server 2008
      - Description: Bulletin is based on KB 5018446.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 37 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]
  25. MS22-10-MR7-ESU: Monthly Rollup for Win 7 / MS22-10-MR2K8R2-ESU: Monthly Rollup for Server 2008 R2
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows 7, Server 2008 R2, and IE 11
      - Description: This cumulative security update contains improvements that are part of update KB 5017361 (released September 13, 2022). Bulletin is based on KB 5018454.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 44 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]
  26. MS22-10-SO7-ESU: Security-only Update for Win 7 / MS22-10-SO2K8R2-ESU: Security-only Update for Server 2008 R2
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows 7 and Server 2008 R2
      - Description: Bulletin is based on KB 5018479.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 44 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]
  27. MS22-10-MR8: Monthly Rollup for Server 2012
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows Server 2012 and IE
      - Description: This cumulative security update contains improvements that are part of update KB 5017370 (released September 13, 2022). Bulletin is based on KB 5018457.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 49 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]
  28. MS22-10-SO8: Security-only Update for Windows Server 2012
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows Server 2012
      - Description: Bulletin is based on KB 5018478.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 49 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]
  29. MS22-10-MR81: Monthly Rollup for Win 8.1 and Server 2012 R2
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows 8.1, Server 2012 R2, and IE
      - Description: This cumulative security update includes improvements that are part of update KB 5017367 (released September 13, 2022). Bulletin is based on KB 5018474.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 50 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]

      NOTE: Microsoft displays a dialog box to remind users about the EOS for Windows 8.1 in January 2023.
  30. MS22-10-SO81: Security-only Update for Win 8.1 and Server 2012 R2
      - Maximum Severity: Critical
      - Affected Products: Microsoft Windows 8.1, Server 2012 R2
      - Description: Bulletin is based on KB 5018476.
      - Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing, Elevation of Privilege and Information Disclosure
      - Fixes 50 Vulnerabilities: CVE-2022-41033 is known exploited. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: [File Copy Fail]

      NOTE: Microsoft displays a dialog box to remind users about the EOS for Windows 8.1 in January 2023.
  31. MS22-10-OFF: Security Updates for Microsoft Office
      - Maximum Severity: Critical
      - Affected Products: Office 2013 and 2016, Office 2019 for Mac, and Office 2021 LTSC for Mac
      - Description: This security update resolves Microsoft Office remote code execution and information disclosure vulnerabilities. Consult the Security Update Guide for specific details on each. This bulletin references 3 KB articles and release notes.
      - Impact: Remote Code Execution and Information Disclosure
      - Fixes 3 Vulnerabilities: CVE-2022-41043 is publicly disclosed. CVE-2022-38048 and CVE-2022-41031 are fixed in this release.
      - Restart Required: Requires application restart
      - Known Issues: None reported
  32. MS22-10-O365: Security Updates Microsoft 365 Apps, Office 2019 and Office LTSC 2021
      - Maximum Severity: Critical
      - Affected Products: Microsoft 365 Apps, Office 2019 and Office LTSC 2021
      - Description: This month’s update resolved various bugs and performance issues in Office applications. Information on the security updates is available at https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates.
      - Impact: Remote Code Execution and Spoofing
      - Fixes 4 Vulnerabilities: No vulnerabilities are publicly disclosed or known exploited. CVE-2022-38001, CVE-2022-38048, CVE-2022-38049 and CVE-2022-41031 are fixed in this release.
      - Restart Required: Requires application restart
      - Known Issues: None reported
  33. MS22-10-SPT: Security Updates for SharePoint Server
      - Maximum Severity: Critical
      - Affected Products: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Foundation Server 2013, SharePoint Enterprise Server 2013, SharePoint Enterprise Server 2016, and SharePoint Server 2019
      - Description: This security update resolves a series of 4 Microsoft SharePoint Server remote code execution vulnerabilities. There are multiple non-security issues resolved as well. Check KB for each version for details. This bulletin is based on 6 KB articles.
      - Impact: Remote Code Execution
      - Fixes 4 Vulnerabilities: No vulnerabilities are publicly disclosed or known exploited. CVE-2022-38053, CVE-2022-41036, CVE-2022-41037, and CVE-2022-41038 are fixed in this release.
      - Restart Required: Requires restart
      - Known Issues: See next slide
  34. October Known Issues for SharePoint Server
      - SharePoint Server – Check specific KBs for details
        - [Workflow] This update might affect some SharePoint 2010 workflow scenarios. It also generates "6ksbk" event tags in SharePoint Unified Logging System (ULS) logs. For more information, see SharePoint 2010 workflows might be blocked by enhanced security policy (KB 5020238).
  35. MS22-10-EXCH: Security Updates for Exchange Server
      - Maximum Severity: Critical
      - Affected Products: Microsoft Exchange Server 2013 CU23, Exchange Server 2016 CU22 & CU23, and Exchange Server 2019 CU11 & CU12.
      - Description: This security update fixes vulnerabilities as well as some non-security issues in Microsoft Exchange. This bulletin is based on KB 5019076 and KB 5019077.
      - Impact: Elevation of Privilege and Information Disclosure
      - Fixes 6 Vulnerabilities: CVE-2022-30134 is publicly disclosed. See the Security Update Guide for the complete list of CVEs.
      - Restart Required: Requires restart
      - Known Issues: None reported
  36. Between Patch Tuesdays
  37. Release Summary
      - Security Updates (with CVEs): Google Chrome (2), Firefox (1), Firefox ESR (1), Node.JS (Current) (1), Node.JS (LTS Lower) (1), Node.JS (LTS Upper) (1), SeaMonkey (1), Thunderbird (1)
      - Security (w/o CVEs): Audacity (2), CCleaner (1), Google Chrome (1), ClickShare App Machine-Wide Installer (1), Falcon Sensor for Windows (1), Citrix Workspace App (1), Dropbox (3), Evernote (2), Firefox (2), FileZilla Client (1), GoodSync (3), GIT for Windows (1), LibreOffice (1), LogMeIn (1), Node.JS (Current) (1), Notepad++ (1), Opera (2), Plex Media Server (1), Royal TS (2), Slack Machine-Wide Installer (2), Snagit (1), Tableau Desktop (6), Tableau Prep Builder (1), Tableau Reader (1), Thunderbird (2), TortoiseSVN (2), WinSCP (1), Zoom Client (1), Zoom VDI (1)
      - Non-Security Updates: 8x8 Work Desktop (1), Amazon WorkSpaces (1), Bandicut (2), Box Sync (1), Camtasia (2), Google Drive File Stream (2), GeoGebra Classic (1), BlueJeans (1), PDF-Xchange PRO (1), RingCentral App (Machine-Wide Installer) (1), Rocket.Chat Desktop Client (2), RealVNC Server (1), ScreenPresso (2), TreeSize Free (2), RealVNC Viewer (1)
  38. Third Party CVE Information
      - Google Chrome 106.0.5249.62
        - CHROME-220927, QGC1060524962
        - Fixes 16 Vulnerabilities: CVE-2022-3201, CVE-2022-3304, CVE-2022-3305, CVE-2022-3306, CVE-2022-3307, CVE-2022-3308, CVE-2022-3309, CVE-2022-3310, CVE-2022-3311, CVE-2022-3312, CVE-2022-3313, CVE-2022-3314, CVE-2022-3315, CVE-2022-3316, CVE-2022-3317, CVE-2022-3318
      - Google Chrome 105.0.5195.91
        - CHROME-220930, QGC1050519591
        - Fixes 2 Vulnerabilities: CVE-2022-3370, CVE-2022-3373
      - Firefox 105.0
        - FF-220920, QFF1050
        - Fixes 6 Vulnerabilities: CVE-2022-40956, CVE-2022-40957, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, CVE-2022-40962
  39. Third Party CVE Information (cont)
      - Firefox ESR 102.3.0
        - FFE-220920, QFFE10230
        - Fixes 6 Vulnerabilities: CVE-2022-40956, CVE-2022-40957, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, CVE-2022-40962
      - SeaMonkey 2.53.14
        - SM-220929, QSM25314
        - Fixes 10 Vulnerabilities: CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11729, CVE-2019-11730, CVE-2019-9811
      - Thunderbird 102.3.1
        - TB-220929, QTB10231
        - Fixes 4 Vulnerabilities: CVE-2022-39236, CVE-2022-39249, CVE-2022-39250, CVE-2022-39251
  40. Third Party CVE Information (cont)
      - Node.JS 18.9.1 (Current)
        - NOJSC-220926, QNODEJSC1891
        - Fixes 6 Vulnerabilities: CVE-2022-32212, CVE-2022-32213, CVE-2022-32215, CVE-2022-32222, CVE-2022-35255, CVE-2022-35256
      - Node.JS 14.20.1 (LTS Lower)
        - NOJSLL-220926, QNODEJSLL14201
        - Fixes 3 Vulnerabilities: CVE-2022-32212, CVE-2022-32213, CVE-2022-35256
      - Node.JS 16.17.1 (LTS Upper)
        - NOJSLU-220926, QNODEJSLU16171
        - Fixes 4 Vulnerabilities: CVE-2022-32212, CVE-2022-32213, CVE-2022-35255, CVE-2022-35256
  41. Q & A
  42. Thank You!