April 2022 Patch Tuesday Forecast: Spring is in the Air (and Vulnerable)

The March Patch Tuesday releases followed in February’s footsteps with a low number of CVEs reported and resolved, and all updates rated important except for a critical update for Microsoft Exchange Server. Could April Patch Tuesday deliver the deluge of critical updates we were expecting last month?

Security improvements for Windows 11

Microsoft has clearly been busy working on security improvements in several areas. Earlier this week they announced a comprehensive set of security enhancements for Windows 11, providing what they call “chip to cloud” protection. These new features and enhancements range from hardware assistance by the new chip-level Pluton security processor to cloud protection through Windows Defender SmartScreen, which prevents phishing and malware injection from malicious websites.

Other security features covered include Credential Guard enabled by default, Config Lock, Personal Data Encryption, and Hypervisor-Protected Code Integrity (HVCI) enhancements. Microsoft also announced its upcoming Windows Autopatch service for Windows Enterprise E3 customers. Based on reviews from several sites, there is some concern about who really needs it, so we’ll see how it goes when it becomes available.

Spring4Shell

There were a lot of hot vulnerabilities this month, with CVE-2022-22965, also known as Spring4Shell or SpringShell, in Spring Framework being the hottest. Spring Framework is a Java platform used to support the development of Java applications.

The latest reports show that while many deployments may contain this vulnerability, only a small percentage are open to exploitation, because exploitation depends on a specific environmental setup. Either way, as with Log4j, you need to scan your systems and update to the latest version to get the fix in place.
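As an added example (not from the original post), a small Python scanner that walks a directory for Spring Framework jars, including jars nested inside WAR/EAR files or Spring Boot fat jars, and flags versions below the fixed releases. The fixed-version thresholds are taken from Spring’s advisory rather than from this post and should be verified against it; a jar-name version check is a triage aid, not proof of exploitability.

```python
import re
import zipfile
from pathlib import Path

# Fixed releases per Spring's advisory for CVE-2022-22965 (assumed here, not
# stated on this page; verify against the advisory before relying on them).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
JAR_RE = re.compile(r"(spring-(?:beans|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)")

def parse_version(name):
    """Return (artifact, (major, minor, patch)) from a jar name, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))

def is_vulnerable(version):
    """True if the version predates the fixed release of its 5.2/5.3 line; lines
    older than 5.2 are out of support and flagged, newer lines count as fixed."""
    major, minor, _ = version
    if major < 5 or (major == 5 and minor < 2):
        return True
    fixed = FIXED.get((major, minor))
    return fixed is not None and version < fixed

def jars_in(path):
    """Yield (location, jar name) for jars on disk and jars nested in WAR/EAR/fat jars."""
    p = Path(path)
    if p.is_file():
        candidates = [p]
    else:
        candidates = [f for f in p.rglob("*") if f.is_file()] if p.is_dir() else []
    for f in candidates:
        if f.suffix == ".jar":
            yield str(f), f.name
        if f.suffix in (".war", ".ear", ".jar") and zipfile.is_zipfile(f):
            with zipfile.ZipFile(f) as z:
                for member in z.namelist():
                    if member.endswith(".jar"):
                        yield f"{f}!{member}", Path(member).name

def scan(path):
    """Return [(location, artifact, 'x.y.z')] for each vulnerable Spring jar found."""
    findings = []
    for location, name in jars_in(path):
        parsed = parse_version(name)
        if parsed and is_vulnerable(parsed[1]):
            findings.append((location, parsed[0], ".".join(map(str, parsed[1]))))
    return findings
```

Call `scan("/opt/tomcat/webapps")` (the path is an example) to list the offending jars and their locations.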

Apple and VMware

Apple announced two zero-day vulnerabilities, CVE-2022-22675 and CVE-2022-22674, and provided iOS 15 and Monterey updates. We are still waiting for updates for Catalina and Big Sur.

And one last noteworthy notification came from VMware in VMSA-2022-011. These eight vulnerabilities impacted several versions of five different products, including VMware Workspace ONE Access. Five of the vulnerabilities are rated critical and have CVSS scores of 9.1 to 9.8. Unlike the Spring and Apple vulnerabilities, these eight vulnerabilities have not been reported to be exploited in the wild. If you didn’t track all actions in March and early April, plan to identify and include applicable updates for these products in your Patch Tuesday rollout.

CISA Catalog

I will mention again this month that the US Cybersecurity and Infrastructure Security Agency continues its aggressive response to increased Russian activity by adding known exploited vulnerabilities at regular intervals. There are now 616 entries in their catalog. While it is mandatory only for government agencies to address these vulnerabilities within the stated timeframe, this catalog is a good starting point for anyone looking for high-priority vulnerabilities to identify and fix in their systems.

April 2022 Patch Tuesday Predictions

  • Expect more critical updates this month; I don’t see the trend of important-only updates continuing. OS updates will include Extended Security Updates (ESU) for Windows 7 and Server 2008. I hope you are working on migrating to a newer OS, as these end in January. Microsoft Office and Exchange Server will see some minor updates.
  • Adobe is slated for a major update to Acrobat and Reader, but there has been no pre-announcement yet.
  • The zero-day updates for iOS 15 and Monterey have been released, so be on the lookout for similar updates for Catalina and Big Sur soon.
  • Google on Wednesday released long-term support channel 96.0.4664.204 for ChromeOS devices, fixing three vulnerabilities rated High. The stable channel update for Desktop, 100.0.4896.75 for Windows, Mac and Linux, was released on Monday and includes a single security fix rated High.
  • Mozilla released updates for Firefox 99, Firefox ESR 91.8 and Thunderbird 91.8 on Wednesday. Don’t expect any new updates next week.

Don’t forget that Oracle’s Critical Patch Update (CPU) is coming next week on April 19th. With all this Java-related activity from Log4j and Spring, we could see a lot of CVEs in this release.
