This is a relatively light Patch Tuesday update from Microsoft, though wo significant vulnerabilities in the Windows platform (CVE-2021-38631 and CVE-2021-41371), both relating to Remote Desktop Protocol handling, have been disclosed and are lending some urgency to applying Windows updates. And we have another technically challenging update to Microsoft Exchange Server to manage as well.

Pay close attention to the Servicing Stack Updates (SSU) this month, as it may affect how your applications install (with particular focus on the un-installation process). Microsoft has already said there will not be a C patch cycle release next month, which means the December Patch Tuesday release should be light. You can find more information about the risk of deploying these Patch Tuesday updates with this infographic.

There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature:

The biggest issue (or engineering task) this month is the need to validate that your applications install, repair, update, and uninstall correctly. Check your Windows Installer logs (0's for success). I think this is a big job as we commonly focus on application installations; this time we have to look at how applications are uninstalled. Once an application has been uninstalled, the target machine should be clean, error logs empty, and no applications broken. Getting this right will allow for the next MSI Installer update to run smoothly.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds from Microsoft, including:

After installing this month's Microsoft update, connecting to devices in an untrusted domain using Remote Desktop might fail to authenticate when using smart card authentication. You might receive the prompt "Your credentials did not work." This issue is resolved using Known Issue Rollback (KIR) — which is kind of exciting. Microsoft now allows for policy-driven execution paths of managed code. In case you encounter issues, you can roll back the execution path of the affected files, putting that piece of code back to a "pre-patch" state. To do this successfully, you need to make sure you have the correct policy files for your platform. You can find the relevant policy files for each Windows version here:

One of the best ways to see whether there are known issues that affect your target platform is to check out the many configuration options for downloading patch data at the Microsoft Security Update guidance site or the summary page for this month's security update. 

No major revisions (or even documentation updates) this month.

As of Nov. 12, Microsoft has not published any mitigations or workarounds relating to this month's update cycle.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft has released a single important update to Microsoft Edge. At its core, this patch is a Chromium code update, but it affects how Edge's IE mode operates. The potential enterprise impact of this update is marginal, so add this relatively straightforward update to your regular release schedule.

Windows

The Microsoft Windows platform received 28 updates, with three rated as critical and the remaining patches rated as important. The biggest concern are the two publicly reported Remote Desktop Protocol (RDP) issues (CVE-2021-38631 and CVE-2021-41371). Microsoft has been working on the RDP protocol extensively for the past year with significant updates released with each Patch Tuesday. I have always had my doubts about RDP, though Microsoft offers some guidance and tools to secure your remote desktops. Given the recent supply chain problems, and the lack of fully integrated RDP alternatives, I think patching early and often is our best option. Add these updates to your Windows "Patch Now" schedule.

Microsoft Office

Microsoft released four updates, all of them rated as important. Affecting Access, Word, and Excel, these vulnerabilities require both local access to the target system and user interaction. Unfortunately, one Excel related issue (CVE-2021-42292) has been reported as exploited (though registered by Microsoft as proof-of-concept). Though these Office related security issues are not "wormable," a publicly reported exploitation of a remote code execution vulnerability raises the risk significantly for enterprise customers. Add these updates to your "Patch Now" release schedule.

Microsoft Exchange Server

Microsoft released three important updates (CVE-2021-1349, CVE-2021-42305, CVE-2021-42321) for Exchange Server this month. All three updates link back to a single Knowledge Base (KB) article,  KB5007049. These updates will require a server reboot and there is a distinct probability that this may cause an installation failure or break the Exchange Server ("break" as in no remote login). There are a number of known issues with this update relating to manual installs and UAC issues. Thoroughly test this update before any production deployments.

Microsoft development platforms

This month's update is a little more interesting than usual. We have two updates (both rated as important) to Visual Studio that could lead to elevation-of-privilege scenarios. And unusually, Microsoft has added an Open Source project vulnerability from August to this month's November update. The critical rated issue in the OpenSSL cryptography framework (CVE-2021-3711) is consumed by Microsoft Visual Studio and therefore was considered a significant risk to Visual Studio users. This is a great call by Microsoft and really demonstrates its commitment to these types of open-source projects. Add these updates to your regular developer roll-out schedule.

Adobe (really just Reader)

This month, Adobe has released three lower rated issues affecting their RoboHelp (APSB21-87), InCopy (APSB21-110) and Creative Cloud desktop (APSB21-111) applications. Though there are no updates to Adobe Reader, we highly recommend that you test out printing your PDF's due to the changes in the Windows printing system. In addition, you may need to check that the auto-update feature is still working in Adobe Reader once this month's update has been installed.