
    Microsoft addresses three zero-days for October’s Patch Tuesday

    This month, Microsoft has released 103 updates to Windows, Edge, Microsoft Office, and Exchange Server. This update also includes minor updates to Visual Studio. Three zero-days (CVE-2023-44487, CVE-2023-36563 and CVE-2023-41763) require “Patch Now” updates for both Windows and the Edge browser for this October update cycle.

    Microsoft has also updated its patch release and notification system with support for RSS feeds and has published its latest Digital Defense Report for this year. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this October update cycle.

    Known issues

    Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.
    Microsoft Server 2022: After installing this month’s update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Microsoft and VMware are both investigating this issue, but there is no published resolution at the time of writing.

    Major revisions

    Microsoft has published one major revision this month:
    CVE-2023-36794: In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3, as these versions of Visual Studio are also affected by the vulnerability. No further action is required.

    Mitigations and workarounds

    Microsoft has published the following vulnerability-related mitigations for this month’s Patch Tuesday release cycle:
    There are 15 Microsoft Message Queue updates this month, each with a published mitigation from Microsoft that notes, “if the Message Queuing service is enabled and listening on port 1801, then your system is vulnerable.”
    Microsoft offers some limited advice on OLE-related vulnerabilities (e.g., CVE-2023-36730) this month, with advice to only connect to trusted servers.
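
One way to check a host against the Message Queuing condition quoted above, as an added example (not Microsoft's or Readiness's code). It assumes PowerShell 5.1 or later and that the feature's service is registered under the name MSMQ; `Test-MsmqExposure` is a hypothetical helper name.

```powershell
# Added example: evaluates the condition in Microsoft's mitigation note
# (Message Queuing service enabled AND listening on TCP port 1801).
# Test-MsmqExposure is a hypothetical helper name, not a built-in cmdlet.
function Test-MsmqExposure {
    [CmdletBinding()]
    param()

    # 'MSMQ' is assumed to be the service name of the Message Queuing
    # feature; Get-Service returns nothing when the feature is not installed.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Listening sockets on the port named in the advisory text.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen `
                       -ErrorAction SilentlyContinue)

    # Resolve the owning PID to a process name so that a listener which is
    # not the Message Queuing service is visible in the result.
    $owners = foreach ($l in $listeners) {
        (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    $installed = $null -ne $svc
    $running   = $installed -and ($svc.Status -eq 'Running')
    $listening = $listeners.Count -gt 0

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        MsmqInstalled          = $installed
        ServiceStatus          = if ($installed) { [string]$svc.Status } else { 'NotInstalled' }
        StartType              = if ($installed) { [string]$svc.StartType } else { 'n/a' }
        ListeningOn1801        = $listening
        ListenAddresses        = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        OwningProcess          = ($owners | Sort-Object -Unique) -join ','
        # True only when both halves of the quoted condition hold.
        MeetsAdvisoryCondition = $running -and $listening
    }
}

Test-MsmqExposure | Format-List
```

A host that reports `ListeningOn1801` as true while `MsmqInstalled` is false has some other process bound to the port, which the `OwningProcess` field identifies.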
    Some might question the efficacy of these proffered mitigations.

    Testing guidance

    Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

    One of the hardest areas on the Windows platform (both desktop and server) to update is the Windows Kernel subsystem. This core subsystem manages security, access to low-level services, drivers, and the Hardware Abstraction Layer (HAL). Given its importance, the Kernel layer is essential to delivering most services and applications on Windows. Changing this core system usually translates to a high risk of a component, service, or application not behaving as expected. Thus, testing is critical and also very difficult to do right.

    This month Microsoft has updated both the Kernel and GDI subsystems at a core level. At Readiness, we have looked at these (GDI and Kernel level) changes, and they are both minor and far-reaching. (This isn’t a tautology.) Rather than a specific test guidance plan, we recommend a “smoke test” for your commonly used applications and a business-logic-focused test effort for your critical or line-of-business applications. (Perhaps your top 20 apps?)

    All these scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to these listed specific testing requirements, we suggest a general test of the following Windows features:
    Test your Windows Error Reporting systems (logs and error reports) with a Create/Read/Update/Delete/Extend (CRUDE) test cycle.
    Watch out for heavy GPU usage (we suggest trying out AutoCAD or Bloomberg).
    Test your VPN connections — a simple connect/disconnect test will suffice this month.
    Due to an update to the Windows WAV file codecs, a small test cycle of audio files should be included for this October update.
    Stressing about the latest WordPad security vulnerability? Unfortunately, we still have to test our rich-text-formatted (RTF) files this month as well. This follows on from last month’s Notepad++ vulnerabilities, which included CVE-2023-40031, CVE-2023-40036, CVE-2023-40164 and CVE-2023-40166. At this rate, Microsoft may decide to remove all (free) text editors from Windows. Office, anyone?

    Windows lifecycle update

    Over the past few months, we have used this section to detail the forthcoming changes to the Windows ecosystem, such as end of platform support or changes to security updates. This month, we have two major Windows deprecations that have been announced by Microsoft:
    VBScript — this is a big deal. Yes, the venerable scripting language is both much maligned and much beloved by desktop engineers. Its deprecation is a major issue and will affect many (more than you think) application installations and will require some attention.
    WordPad (what, really?). According to Microsoft, WordPad will no longer be updated and will be removed in a future version of Windows. You can still generate RTF files using the Echo command in a DOS prompt, after setting the generator type, ANSI page, default language, character code, charset, and font. Or you could use Office.
    And speaking of life cycles, Happy Birthday to Patch Tuesday — it has been 20 years since the first properly scheduled update to the Windows ecosystem. Things were pretty chaotic back then, with unscheduled updates distributed through the month. I doubt anyone would have considered just how important security patches/updates would become to the IT community. More than a convention, Patch Tuesday is now a vital part of IT best practices.

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
    Browsers (Microsoft IE and Edge)
    Microsoft Windows (both desktop and server)
    Microsoft Office
    Microsoft Exchange Server
    Microsoft Development platforms (NET Core, .NET Core and Chakra Core)
    Adobe (retired???, maybe next year)

    Browsers

    Microsoft has adapted to the Chromium release schedule and no longer specifically publishes updates on the second Tuesday of every month. That said, Microsoft has used the release of the patch for CVE-2023-5346 and CVE-2023-5217 this week as a kind of “stub” or proxy for Patch Tuesday Chromium (Edge) updates.

    For more information on Microsoft Edge security updates, please refer to the weekly updated Microsoft support page. Both of these vulnerabilities are extremely serious (we consider them zero-days) and should be added to your “Patch Now” browser update schedule, Patch Tuesday or not.

    Windows

    This October, Microsoft released 13 critical updates and 68 patches rated as important to the Windows platform that cover the following key components:
    Windows Message Queuing
    Windows Win32K and Kernel
    Windows RDP, Layer 2 Tunnelling Protocol and Windows TCP/IP
    Windows Error Reporting
    Windows Common Log File System Driver
    Windows OLE, ODBC, and SQL Providers
    The key challenges relate to the critical updates to the Message Queuing feature in Windows. Adding the kernel, core GDI updates, and networking issues means that this month we need to add this Windows update to your “Patch Now” release schedule.

    Microsoft Office

    We can breathe a little easier this month as Microsoft has released only seven updates (all rated as important) for the Office platform. Ignoring Skype for Business (which everyone else does), this month Microsoft delivers patches to complex, difficult-to-exploit security vulnerabilities that have not been publicly disclosed. Add these low-profile Office updates to your standard release schedule.

    Microsoft Exchange Server

    Microsoft has released a single update for Microsoft Exchange this month. This vulnerability affects all supported versions of Exchange Server and has been rated as important by Microsoft. Microsoft Exchange server updates this month will require a server reboot — for all versions. Add this update to your standard update release schedule for this October Patch Tuesday.

    Microsoft Development Platforms

    Excluding the Mitre Rapid Reset (CVE-2023-44487) issue covered below, Microsoft has released three relatively straightforward updates to the Visual Studio development platform. Add these updates to your standard developer release schedule.

    Adobe Reader (still here, but just not this month)

    No updates from Adobe for Reader or Acrobat this month.

    HTTP/2 Rapid Reset Vulnerability

    Finally, let’s discuss the HTTP/2 Rapid Reset (CVE-2023-44487) vulnerability. This distributed denial-of-service (DDoS) attack has been reported as exploited in the wild since this past August. As it affects more than just Microsoft Windows, I’ve included some helpful links (provided by CISA) on this serious vulnerability.

    Microsoft has posted a detailed blog entry on the Rapid Reset issue that includes advice on patching web applications, enabling Azure Web Application Firewall and configuring Azure Front Door.

    Copyright © 2023 IDG Communications, Inc.
