Microsoft released 59 updates in its September Patch Tuesday release, with critical patches for Microsoft Office and Visual Studio, and continued the trend of including non-Microsoft applications in its update cycle. (Notepad++ is a notable addition, with Autodesk returning with a revised bulletin.) We’ve made “Patch Now” recommendations for Microsoft development platforms (Visual Studio) and Microsoft Word.

Unfortunately, updates for Microsoft Exchange Server have also returned, requiring server reboots this time, too.

The team at Readiness has created this infographic outlining the risks associated with each of the September updates.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle:
After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 won’t start up. VMware has published an article (KB90947) on how to resolve the issue.
New security enhancements in SharePoint Server (2019) may prevent custom .aspx files from being displayed under certain circumstances. Browsing to such a page generates a “92liq” event tag in SharePoint Unified Logging System (ULS) logs.

Major revisions

Microsoft published the following major revisions this month:
CVE-2023-41303: Use-after-free vulnerability in Autodesk® FBX® SDK 2020. This is an information update (note that this third-party application update doesn’t have an updated release log — naughty Microsoft). No further action required.
CVE-2023-20569 Return Address Predictor. The affected products table has been updated to include Azure Virtual Machines, as customers who use custom maintenance controls are affected by CVE-2023-20569 and are required to take action to protect their resources.
CVE-2023-21709, CVE-2023-35368, CVE-2023-35388, CVE-2023-38185, CVE-2023-38181 and CVE-2023-38182: Microsoft Exchange Server Elevation of Privilege Vulnerability. The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.

And it looks as if Microsoft “missed” a CVE last month — CVE-2023-36769 for OneNote, which has now been updated and included in this month’s updates.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this release cycle:
CVE-2023-38162, CVE-2023-38152, CVE-2023-36081: DHCP Server Service Information Disclosure Vulnerability. Microsoft helpfully notes that if you have not enabled DHCP on your servers, you are not exposed to this vulnerability.
CVE-2023-38148: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. Similarly, if you have not enabled this feature, you are not exposed.
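
One way to check the two mitigations above on a given host, as an added example (not part of the original article or Microsoft's guidance). It uses the standard Windows service names DHCPServer and SharedAccess and treats "running or set to start automatically" as a proxy for "enabled", which is an assumption to confirm against your own configuration baseline.

```powershell
# Added example: report whether the features named in the September 2023
# mitigations are present on this host. Service state is used as a proxy for
# "enabled" (an assumption), not as proof of exposure.

function Get-ServiceState {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'NotInstalled'; StartType = 'n/a' }
    }
    [pscustomobject]@{ Present = $true; Status = [string]$svc.Status; StartType = [string]$svc.StartType }
}

$checks = @(
    @{ Feature = 'DHCP Server service'; Service = 'DHCPServer'
       CVEs = 'CVE-2023-38162, CVE-2023-38152, CVE-2023-36081' },
    @{ Feature = 'Internet Connection Sharing (ICS)'; Service = 'SharedAccess'
       CVEs = 'CVE-2023-38148' }
)

$report = foreach ($c in $checks) {
    $state = Get-ServiceState -Name $c.Service
    # Treat a running service, or one set to start automatically, as "enabled".
    $enabled = $state.Present -and
               ($state.Status -eq 'Running' -or $state.StartType -eq 'Automatic')
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Feature   = $c.Feature
        Service   = $c.Service
        Status    = $state.Status
        StartType = $state.StartType
        Enabled   = $enabled
        CVEs      = $c.CVEs
    }
}

# On Windows Server, also record whether the DHCP role itself is installed.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $role = Get-WindowsFeature -Name DHCP
    Write-Output ("DHCP role installed: {0}" -f $role.Installed)
}

$report | Format-Table -AutoSize
```

Hosts that report Enabled = True for either row are the ones to prioritize for the corresponding updates.
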
Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and on application installations.

Given the large number of system-level changes in this patch cycle, I’ve broken down the testing scenarios into standard and high-risk profiles.

High risk

Microsoft made a major announcement this month about a significant change to how third-party printer drivers are handled: ”With the release of Windows 10 21H2, Windows offers inbox support for Mopria compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver. This removes the need for print device manufacturers to provide their own installers, drivers, utilities.”

With this announcement, Microsoft also published an end to servicing legacy (V3 and V4) Windows printer drivers and offers the following support timeline.
September 2023: Announce legacy third-party printer driver for Windows end of servicing plan.
September 2025: No new printer drivers will be published to Windows Update.
2026: Printer driver ranking order modified to always prefer Windows IPP inbox class driver.
2027: Except for security-related fixes, third-party printer driver updates will not be allowed.

The assumption here is that all Windows printing vendors will subscribe to the Mopria (an association of printer and scanner manufacturers that produce universal standards and solutions for scan and print) standard. This makes sense and will hopefully reduce the attack surface of printer drivers that have caused so much trouble over the years.

Due to this change in printer handling, the following tests are suggested:
Test all your printers — with your full production testing regime (sorry about this).
Enable different advanced printer features (e.g., watermarking) and run printing tests.
Test your printing over RDP and VPN connections.
Install/update/uninstall key printing software.

Standard risk

The following changes have not been raised as high risk (of unexpected outcomes) and do not include functional changes.
Test your security restrictions/sandbox when using Microsoft Intune and Windows Defender Application Control (WDAC). Applications should install and uninstall as expected.
Ensure successful “CRUD” tests complete on your Windows error logs. This should include Create, Read, Update and Delete. Actually, this should read CRUDE — as we need to add “Extend” to this month’s log testing regime. (Find the laughs where you can.)
Test wireless displays on laptops; it is required by an update to the core graphics handling in Windows (GDI.DLL).

There has been a major update to the Windows networking stack, too. This includes changes to how DHCP handles failover relationships. Testing should include the following:
Conduct ping request/reply tests (for both inside and outside your network).
Ping major search engines (try Bing?) using both IPv4 and IPv6.
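
The ping tests listed above, scripted so that a pre-patch run can be compared with a post-patch run; this is an added example, not part of the original article. The target names and the baseline file path are placeholders (assumptions) to replace with your own internal and external hosts.

```powershell
# Added example: ping each target over IPv4 and IPv6, then compare with a saved baseline.
# Target names and the baseline path are placeholders (assumptions).
param(
    [string[]]$Targets = @('intranet.example.internal', 'www.bing.com'),
    [string]$BaselinePath = '.\ping-baseline.json'
)

function Test-PingByFamily {
    param([string]$Target, [System.Net.Sockets.AddressFamily]$Family)
    $result = [ordered]@{ Target = $Target; Family = [string]$Family; Address = $null; Reachable = $false }
    try {
        # Resolve the name, then keep only addresses of the requested family.
        $ip = [System.Net.Dns]::GetHostAddresses($Target) |
              Where-Object { $_.AddressFamily -eq $Family } | Select-Object -First 1
        if ($ip) {
            $result.Address = $ip.ToString()
            $reply = (New-Object System.Net.NetworkInformation.Ping).Send($ip, 2000)
            $result.Reachable = ($reply.Status -eq 'Success')
        }
    } catch {
        # Name resolution or send failure: leave Reachable = $false.
    }
    [pscustomobject]$result
}

$current = foreach ($t in $Targets) {
    Test-PingByFamily -Target $t -Family InterNetwork      # IPv4
    Test-PingByFamily -Target $t -Family InterNetworkV6    # IPv6
}

if (-not (Test-Path $BaselinePath)) {
    # First run (pre-patch): save the baseline.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline saved to $BaselinePath"
} else {
    # Later run (post-patch): report only results that changed.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $delta = foreach ($now in $current) {
        $before = $baseline | Where-Object { $_.Target -eq $now.Target -and $_.Family -eq $now.Family }
        if ($before -and $before.Reachable -ne $now.Reachable) {
            [pscustomobject]@{ Target = $now.Target; Family = $now.Family
                               Before = $before.Reachable; After = $now.Reachable }
        }
    }
    if ($delta) { $delta | Format-Table -AutoSize } else { Write-Output 'No change from baseline.' }
}
```

Run it once before deploying the updates to create the baseline, then again afterwards from the same host.
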
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business applications, getting the application owner (doing UAT) to test and approve the results is still absolutely essential.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (both desktop and server);
Microsoft Exchange Server;
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
Adobe Reader and Others (the new home for third-party applications).

Browsers

Microsoft did not release any updates for its browsers this month. As a sign of the times, Google Chrome has now “sunsetted” (deprecated in Microsoft terms) support for Windows 7/8/8.1 and Windows Server 2012. For Google Chrome Enterprise users, there is now a helpful release summary. My feeling is that we will be adding Google Chrome to the third-party update section found at the bottom of this report in the future.

Windows

Microsoft released a single critical update for the Windows platforms in this patch cycle (CVE-2023-38148). In addition, 20 patches rated important by Microsoft were released, covering the following Windows functional areas:
Windows DHCP Server and the TCP/IP networking stack;
Windows GDI and Kernel;
Microsoft Windows Codecs Library and Windows Themes;
Windows Common Log File System Driver.

Though it’s a relatively lightweight set of patches for Windows, we highly recommend a network stack test before general deployment. Add these Windows updates to your standard release schedule.

Microsoft Office

For September, Microsoft did not release any critical updates to the Office platform. Instead, we see seven updates rated important and an additional single update rated moderate (CVE-2023-41764). Unfortunately, this month’s zero-day vulnerability includes Microsoft Word (CVE-2023-36761), which has been publicly disclosed and reported as exploited in the wild. Add these Office updates (really just Word) to your “Patch Now” schedule.

Microsoft Exchange Server

Microsoft released five updates for Microsoft Exchange Server, all rated important by Microsoft. Combining both network and adjacent attack vectors, these vulnerabilities could lead to ID spoofing and remote code execution. There have not been any reports of exploits in the wild, nor public disclosures, so please add these to your standard release schedule. Note: this month’s patch cycle will require a reboot of your Exchange Server.

Microsoft development platforms

This is a big month for updating the developer platforms. Microsoft released three critical rated patches (CVE-2023-36796, CVE-2023-36793 and CVE-2023-36792) that could lead to serious remote code execution scenarios with the simple click of a single malicious file. Once these critical issues are added to the 12 further patches to Visual Studio and .NET, we must make an unusual “Patch Now” recommendation for these.

Adobe Reader and Others (the new home for third-party applications)

Following the growing trend of managing third-party application updates, I’ll now include key applications that require updating each month.
This used to focus on Adobe Reader, but for September now includes:

We expect more third-party applications to be included in the monthly update process in the future. Monthly patches, monthly application packaging and patching will become the new normal. Having a robust repackaging, testing and deployment process for your entire application portfolio will fast become a top priority.
Copyright © 2023 IDG Communications, Inc.