With this month’s Patch Tuesday replace, Microsoft addressed 130 safety vulnerabilities, printed two advisories, and included 4 main CVE revisions. We even have 4 zero-days to handle for Windows (CVE-2023-32046, CVE-2023-32049, CVE-2023-36874 and CVE-2023-36884), bringing the Windows platform right into a “patch now” schedule.It must be simpler to deal with Microsoft Office and Windows testing this month, as we shouldn’t have any Adobe, Exchange, or browser updates. Be certain to fastidiously evaluation Microsoft’s Storm 0978 because it supplies particular, actionable steering on managing the intense HTML vulnerability in Microsoft Office (CVE-2022-38023).The Readiness workforce has crafted this beneficial infographic to stipulate the dangers related to every of the updates.Known pointsMicrosoft every month lists identified points that relate to the working system and platforms included within the newest replace cycle.
After putting in this replace on visitor digital machines (VMs) operating Windows Server 2022 on some variations of VMware ESXi, Windows Server 2022 may not begin up. Only Windows Server 2022 VMs with Secure Boot enabled are affected. Microsoft and VMware are investigating the issue and can supply extra data when it is accessible.
Using provisioning packages on Windows 11, model 22H2 may not work as anticipated. Windows may solely be partially configured, and the out-of-box expertise may not end or may restart unexpectedly.
Major revisionsMicrosoft has printed two main revisions:
CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability (4th replace). This updates removes the flexibility to set worth 1 for the KrbtgtFullPacSignature subkey, and allow the Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which might be overridden by an Administrator with an specific Audit setting. No additional motion is required if you happen to apply this month’s replace.
CVE-2022-38023: Netlogon RPC Elevation of Privilege Vulnerability. The (earlier) April 2023 updates take away the flexibility to disable RPC sealing by setting worth 0 to the RequireSeal registry subkey.
Mitigations and workaroundsMicrosoft printed the next vulnerability-related mitigations for this launch:
CVE-2023-32038: Microsoft ODBC Driver Remote Code Execution Vulnerability. Microsoft recommends that if you happen to solely hook up with identified, trusted servers — and if there isn’t any capacity to reconfigure present connections to level to a different location — this vulnerability can’t be exploited.
CVE-2023-36884: Office and Windows HTML Remote Code Execution Vulnerability (one of many zero-day exploits this cycle). Microsoft notes that in case you are utilizing Microsoft Defender you are protected. For extra cynical/jaded/skilled professionals, we advocate that you just (fastidiously) learn the Threat Intelligence put up (Storm-0978).
CVE-2023-35367, CVE-2023-35366 and CVE-2023-35365: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. If you aren’t utilizing (and haven’t put in) Microsoft’s Routing and Remote Access Services (RRAS), you aren’t susceptible to this exploit.
Testing steering Each month, the Readiness workforce supplies detailed, actionable testing steering for the most recent updates. This steering is predicated on assessing a big utility portfolio and an in depth evaluation of the Microsoft patches and their potential influence on the Windows platforms and utility installations.If you may have employed inside net or utility servers, will probably be price testing the HTTP3 protocol — particularly utilizing Microsoft Edge. In addition to this protocol dealing with replace, Microsoft made a big variety of adjustments and updates to the networking stack requiring the next testing:
Test your RRAS router with UDP, pingback and traceroute instructions whereas including and deleting routing desk entries.
Ensure that your area servers behave as anticipated with full enforcement mode enabled.
Given the massive variety of system-level adjustments this month, I’ve divided the testing eventualities into normal and high-risk profiles.High dangerGiven that this replace consists of fixes for 4 (some say 5) zero-day flaws, now we have two fundamental drivers of change this month: key performance adjustments in core methods and an pressing have to ship updates. Microsoft has documented that two core areas have been up to date with vital performance adjustments, together with printing and the native community stack (with a deal with routing). As a consequence, the next testing must be included earlier than common deployment:
Printing: examine your native printers, as key driver dealing with has been up to date.
Ensure that your DNS server zones are nonetheless functioning as anticipated after this replace
Standard dangerThe following adjustments have been included this month and haven’t been raised as both excessive danger (with sudden outcomes) and don’t embody purposeful adjustments.
Windows Hello will want testing to incorporate Active Directory (in addition to Azure AD) Single-Sign-on (SSO).
Test your distant desktop (RDP) connections with and with out Microsoft’s RD Gateway and make sure you see the right stage of certificates warnings (or not, if already ignored).
(For IT admins) Test your Windows Error logs (deal with service hangs) with a Create/Read/Update/Delete/Extend (CRUDE) check.
Test your encryption and crypto configuration eventualities. Especially Kerberos in your area controllers and key isolation.
Test your backups. You do not have to fret about your restoration media this time.
All these testing eventualities would require vital application-level testing earlier than a common deployment. Given the adjustments included on this month’s patches, the Readiness workforce recommends that the followings checks be carried out earlier than common deployment:
Install, replace, and uninstall your core line of enterprise purposes.
Check your (native) printer drivers.
Validate your VBScripts and UI automation instruments (as OLE was up to date this month, see CComClassFactorySingleton).
Test audio/video streaming after which Microsoft Teams (on account of its uploads/downloads and message queuing necessities).
This month could also be a bit of robust to check your Microsoft Office automation/scripts and integration with third-party purposes because of the change in OLE and the way Microsoft has addressed CVE-2023-36884. We advocate a full check of Excel macros (in the event that they use OLE/COM/DCOM) and any VBS scripts that embody Word.Windows lifecycle updateHere are the vital adjustments to servicing (and most safety updates) to Windows desktop and server platforms.
Windows 11, model 21H2, will attain finish of servicing on Oct. 10, 2023. This applies to the next editions launched in October 2021: Windows 11 Home, Pro, Education, Pro for Workstations.
Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (each desktop and server);
Microsoft Office;
Microsoft Exchange Server;
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
And Adobe (retired???, possibly subsequent yr).
BrowsersOnerous to imagine, however there aren’t any browser updates on this replace cycle. And we do not see something coming down the pipeline for a mid-cycle launch both. This is a giant change and an enormous enchancment from the times of huge, advanced, and pressing browser updates. Go Microsoft! WindowsMicrosoft launched eight essential updates and 95 patches rated as vital to the Windows platform, protecting these key elements:As talked about within the Microsoft Office part above, we really feel the main focus this month must be on the instant decision of CVE-2023-36884. Though rated as vital by Microsoft (sorry to be contrarian), we really feel that because it has been each publicly disclosed and exploited it must be handled as pressing. Coupled with the opposite Windows zero-day (CVE-2023-32046) this brings the complete Windows replace group into the “Patch Now” schedule for our purchasers. Once the screaming stops, you’ll be able to take a while to take a look at the Windows 11 launch video; we discover it calming.Microsoft OfficeWe want to speak about Microsoft Office. Though there are two essential rated updates for SharePoint (CVE-2023-33157 and CVE-2023-33160) and 14 updates rated vital by Microsoft, the elephant within the room is CVE-2023-36884 (Office and HTML RCE Vulnerability). This vulnerability has been each publicly disclosed and documented as exploited. Officially, this replace belongs within the Windows group, however we imagine that the true influence lies in how Microsoft Office offers with HTML information (transmit/retailer/compute). CVE-2023-36884 straight impacts Office and your testing regime ought to replicate this.Add these Office updates to your normal launch schedule, noting that your Office patch testing regime will have to be paired together with your Windows replace launch schedule.Microsoft Exchange ServerA lot to all our luck, there aren’t any updates for Microsoft Exchange Server this month.Microsoft growth platformsCompared to the very critical (and quite a few) exploits in Office and Windows this month, there are solely 5 updates affecting Visual Studio, ASP.NET and a minor part of Mono (the cross platform C# implementation). All these patches are rated vital by Microsoft and must be added to your normal developer launch schedule.Adobe Reader (nonetheless right here, simply not this month)More excellent news: there aren’t any updates from Adobe or different third-party distributors on this replace.
Copyright © 2023 IDG Communications, Inc.