Critical zero-day flaws in Windows, Office mean it’s time to patch

    We are now in the third decade of Microsoft’s monthly Patch Tuesday releases, which ship fewer critical updates to browsers and Windows platforms — and far more reliable updates to Microsoft Office — than in the early days of patching. But this month, the company rolled out 63 updates (including fixes for three zero-days in Windows and Office). Updates to Microsoft Exchange and Visual Studio can be included in standard patch release cycles, while Adobe should be included in your “Patch Now” releases for third-party applications. The team at Readiness has provided a detailed infographic that outlines the risks associated with each of the updates for November.

    Known issues

    Microsoft publishes a list of known issues that relate to the operating system and platforms that are included in each update. This month, that list includes:
    File Explorer will crash after KB5031354 is uninstalled on Win11 22H2 platforms. Still active.
    Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error. As of now, Microsoft is still working on a resolution.
    In Skype for Business 2019 and 2015, the Debug-CsIntraPoolReplication cmdlet fails if you use the ConnectionUri parameter during a remote PowerShell session created by using an OcsPowerShell endpoint.
    If you are lucky enough to get access to Microsoft’s Windows AI Copilot this month, you might experience a display issue with your desktop icons unexpectedly moving from one display to another — and then moving back to the original display. Don’t worry, there is no ghost in the machine. Oh, wait….

    Major revisions

    At this point, Microsoft has published three major revisions that require attention for this cycle, including:
    CVE-2023-36008: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
    CVE-2023-36026: Microsoft Edge (Chromium-based) Spoofing Vulnerability
    CVE-2023-6112: Chromium: CVE-2023-6112 Use after free in Navigation
    All of these revisions were for informational purposes only, and do not require further action.

    Mitigations and workarounds

    Microsoft published the following vulnerability-related mitigations for this Patch Tuesday release:
    CVE-2023-38151: Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability. Microsoft has advised that the target system must have Microsoft OLE DB Provider for DB2 Server Version 7.0 installed to be vulnerable.
    CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. The Windows message queuing service, which is a Windows component, must be enabled for a system to be exploitable by this vulnerability. This feature can be verified via the Windows Control Panel.
    CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability. PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. If you are not running this service, your systems are not vulnerable to this issue.
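    As an added example (not from the original article or from Microsoft), the following PowerShell function reports whether a host meets the exploitability preconditions listed above for the three mitigated issues: the message queuing service for the PGM flaw, the NPS service plus a PEAP policy for the PEAP flaw, and the OLE DB Provider for DB2 install for Host Integration Server. The service names MSMQ and IAS, the Uninstall-key search and the PEAP string match on the netsh output are assumptions based on standard Windows naming, not anything the article states.

```powershell
# Added example: report whether this host meets the preconditions Microsoft
# lists for CVE-2023-36397 (PGM), CVE-2023-36028 (PEAP) and CVE-2023-38151 (HIS).
# Assumptions: the Message Queuing service is named MSMQ, the NPS service is
# named IAS, and the DB2 provider appears under the standard Uninstall keys.
function Get-NovemberMitigationExposure {
    [CmdletBinding()]
    param()

    # CVE-2023-36397: PGM is only reachable if Message Queuing is enabled.
    $msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $msmqPresent = $null -ne $msmq
    $msmqRunning = $msmqPresent -and ($msmq.Status -eq 'Running')

    # CVE-2023-36028: PEAP is negotiated only when NPS runs with a PEAP policy.
    $nps = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
    $npsRunning = ($null -ne $nps) -and ($nps.Status -eq 'Running')
    $peapPolicy = $false
    if ($npsRunning) {
        # Heuristic (assumption): look for PEAP in the network policy dump.
        $npDump = & netsh nps show np 2>$null
        $peapPolicy = (($npDump -join "`n") -match 'PEAP')
    }

    # CVE-2023-38151: only hosts with OLE DB Provider for DB2 are affected
    # (version 7.0 per Microsoft); report the installed version for review.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $db2Provider = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*OLE DB Provider for DB2*' } |
        Select-Object -First 1
    $db2Version = $null
    if ($db2Provider) { $db2Version = $db2Provider.DisplayVersion }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MessageQueuingPresent = $msmqPresent
        MessageQueuingRunning = $msmqRunning
        ExposedToPgmRce       = $msmqRunning
        NpsRunning            = $npsRunning
        NpsPeapPolicyFound    = $peapPolicy
        ExposedToPeapRce      = ($npsRunning -and $peapPolicy)
        Db2ProviderVersion    = $db2Version
        ExposedToHisRce       = ($null -ne $db2Provider)
    }
}

Get-NovemberMitigationExposure | Format-List
```

    A host that reports all three Exposed fields as False is not affected by these particular issues; the patches should still be applied on the standard schedule.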
    Testing guidance

    Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

    Microsoft has made a major update to a minor file system management feature this month, with changes to how Storage Sense updates and removes old and temporary files. There is an excellent video explainer, and as Microsoft explains: “(Storage Sense) will run when your device is low on disk space and will clean up unnecessary temporary files. Content from the Recycle Bin will be deleted by default after a while, but items in your Downloads folder and OneDrive (or any other cloud provider) won’t be touched unless you set up Storage Sense to do so.” Our testing process raises several concerns when the Windows file system has been updated, so we have included several additional steps to validate this month’s changes:
    Run Storage Sense (this may be your first time).
    Delete all temporary files in the following path c:\users, %SYSTEM_PATHS% including nested folders.
    Confirm that only old files (older than the date set in your Storage Sense settings) are deleted.
    Confirm that the file memory.dmp (older than your set threshold) deletes correctly.
    The following changes in this month’s update are not seen as high risk (for unexpected outcomes) and do not include functional changes:
    Microsoft DHCP services have been updated. Test your multi-server failover operations by sending a “failover” message to another running server.
    VPN update: connect to your enterprise VPN several times, with mid-session disconnects. Include basic web browsing, large file uploads/downloads and video streaming.
    Your VHD creation process will need a quick test — mount/unmount a VHD file with a CRUD test (Create/Read/Update/Delete).
    BitLocker has been updated. Turn on BitLocker and reboot. Confirm that the reboot sequence has not been affected by this update.
    There has also been a major update to how Windows handles file compression. Following last month’s WinRAR security issues, Microsoft now supports archive formats that include tar, .7zip, .rar and .tar.gz. Readiness strongly suggests removing (a full, validated uninstall) WinRAR and other third-party compression utilities.

    Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business apps, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.

    Windows lifecycle update

    This section contains important changes to servicing (and most security updates) for Windows desktop and server platforms.
    ESU Year 1 for Windows Server 2012 and Windows Server 2012 R2 began on Oct. 11, 2023. Note: All Security Only and Monthly Rollup packages are now in ESU and require an ESU license.
    From now on, Security Only packages will not be published for Windows Server 2012 and Windows Server 2012 R2. This is to simplify publishing of ESU packages, align to the cumulative servicing model, and avoid fragmentation issues.
    You can read more about the recent changes on the Lifecycle update page.

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
    Browsers (Microsoft IE and Edge).
    Microsoft Windows (each desktop and server).
    Microsoft Office.
    Microsoft Exchange Server.
    Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
    Adobe (retired???, maybe next year).

    Browsers

    Microsoft has adopted the Chromium release schedule and no longer specifically publishes updates on Patch Tuesday. That said, 14 updates to the Chromium project Edge browser were released this month (none critical, and no zero-days for Microsoft or Chromium). For more information on Microsoft Edge security updates refer to the weekly updated Microsoft support page. Add these updates to your standard patch release schedule.

    Windows

    Microsoft released two critical updates and 30 patches rated important for the Windows platform that cover the following key components:
    Windows Hyper-V.
    Windows Internet Connection Sharing (ICS).
    Microsoft Bluetooth Driver.
    Windows Scripting.
    Windows Kernel.
    Windows Compressed Folder (see our notes on file compression for context).
    The real concern this month is the two publicly reported (and exploited) vulnerabilities:
    CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability. This is a real zero-day that requires immediate attention. In the words of the Microsoft security team, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
    CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. This is not as bad as 36033, but a successful attack (of which there are many reports) will lead to full system access on the compromised system. So, yeah. Not good.
    Here is this month’s Windows 11 release video. Otherwise, add this update to your “Patch Now” release schedule.

    Microsoft Office

    Microsoft published five low-profile updates rated as important. That said, CVE-2023-36413 (a publicly reported security feature bypass vulnerability) is a distinctly dangerous security issue that only affects recent versions of Microsoft Office (Office 365 and Office 2019/2021) and will require immediate attention. If you are using older versions of Office, add these updates to your standard release schedule. If you are up to date, then add these Office updates to your “Patch Now” timeline. And, yes — we think that this should be the other way around as well.

    Microsoft Exchange Server

    Microsoft released four updates to the now-venerable Exchange Server (we wanted to say “vulnerable”) this month. Though these updates may be a pain for Exchange administrators (no special instructions, but a reboot will be required), they are fully tested fixes for difficult-to-exploit, non-“wormable” issues. All four issues (CVE-2023-36439, CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035) require full administrator access and as of now have not been reported as exploited or publicly disclosed. Add these low-profile updates to your standard server release schedule.

    Microsoft development platforms

    Microsoft released six updates, all rated important, that affect Visual Studio and .NET/ASP.NET. All currently supported versions of both product groups are affected. These issues could lead to elevation-of-privilege and spoofing attacks. With no critical-rated or remote code execution scenarios to address, add these developer updates to your standard developer release schedule.

    Adobe Reader (still here, but not this month)

    We’re starting to get the hang of Adobe’s release schedule with this month’s expected year-end update to their core products — including Adobe Reader — with the release of APSB23-02. This is a critical-rated update for Reader and will require immediate attention. Given the recent changes to Microsoft’s enthusiasm for third-party tools, you have to wonder how long Adobe Reader has before Microsoft decides enough is enough.

    Copyright © 2023 IDG Communications, Inc.
