Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days

This month's Patch Tuesday deals with a variety of security issues in Microsoft Windows, Office, Exchange, and Visual Studio. It's a broad update across Microsoft products that will require planning and testing before general deployment.


Microsoft Office

Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. This month's release cycle delivers only four updates, all rated important. Microsoft Excel, Outlook and a few core Microsoft Office libraries are affected, with the most serious leading to remote code execution scenarios. Fortunately, all of these security issues have official fixes from Microsoft and are all relatively difficult to exploit, particularly in a well-managed enterprise environment. Add these low-profile updates to your standard release schedule.

Microsoft Exchange Server

Unfortunately, we have six updates for Microsoft Exchange Server, with three rated critical and the remaining three rated important. As promised in May, Microsoft has updated its patching process to include self-extracting EXEs. You will not find these latest updates in the Microsoft catalog, so I have included a list of updates available for the following specific builds of Exchange Server:

Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134), which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security-related fixes immediately (italics added by Microsoft). To get the latest updates, you may also have to run the Exchange SetupAssist PowerShell script.

Your organization may already be comfortable with the new update format, but if you are in doubt about the status of your Exchange servers, you can run the Microsoft CSS Health Checker. My feeling is that some preparation and planning is required to stage these updates. It took me a while just to walk through the patching decision/logic trees this month, never mind troubleshooting failed Exchange updates. Add this month's updates to your "Patch Now" schedule, noting that all updates this month will require a server reboot.

Microsoft development platforms

Microsoft released five updates rated as important for Visual Studio and .NET Core. The .NET vulnerability (CVE-2022-34716) is really tough to exploit and depends upon successfully executing a technically challenging blind "external entity" injection (XXE) attack. The remaining Visual Studio vulnerabilities relate to remote code execution (RCE) scenarios exploited through a local email client (requiring the user to open a specially crafted file). Add these updates to your standard developer update schedule.

Adobe (really just Reader)

Who would have thought it? We are back this August with three updates rated critical and four as important for Adobe Reader. APSB22-39 has been published by Adobe but not included by Microsoft in this month's patch cycle. All seven reported vulnerabilities relate to memory leak issues and could lead to a remote code execution scenario (RCE), requiring immediate attention. Add these Adobe updates to your "Patch Now" schedule.

Copyright © 2022 IDG Communications, Inc.
