Microsoft on Tuesday launched 73 updates in its month-to-month Patch Tuesday launch, addressing points in Microsoft Exchange Server and Adobe and two zero-day flaws being actively exploited in Microsoft Outlook (CVE-2024-21410) and Microsoft Exchange (CVE-2024-21413).Including the current stories that the Windows SmartScreen vulnerability (CVE-2024-21351) is underneath lively exploitation, we’ve added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. The group at Readiness has offered this detailed infographic outlining the dangers related to every of the updates for this cycle.Known points Microsoft publishes an inventory of identified points associated to the working system and platforms included every month.
Windows gadgets utilizing multiple monitor would possibly (nonetheless) expertise points with desktop icons transferring unexpectedly between screens or different icon alignment points when making an attempt to make use of Windows Copilot. Microsoft continues to be engaged on this challenge.
After you put in KB5034129, chromium-based web browsers reminiscent of Microsoft Edge may not open accurately. Affected browsers would possibly show a white display screen and develop into unresponsive when opened. (This might be a difficulty primarily affecting builders utilizing a number of browsers on the identical system.) Microsoft is engaged on a repair. We anticipate an replace within the subsequent Edge replace.
There is a major challenge with the present launch of Microsoft Exchange Server, which is detailed under within the Exchange Server part.Major revisions We have seen three waves of CVE vulnerability revisions from Microsoft (to this point) this month — which in itself is uncommon — made all of the extra so by the quantity of updates in such a short while. That stated, all of the revisions had been as a result of errors within the publication course of; no further motion is required for the next:
CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability. Microsoft has up to date the FAQs and added clarifying info to the mitigation. This is an informational change solely.
CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability. Updated the mitigation to tell prospects with present OAuth 2.0 connectors that the connectors have to be up to date to make use of a per-connector redirect URL by March 29. This is an informational change solely.
CVE-2024-0056, CVE-2024-0057, CVE-2024-0057, CVE-2024-20677 and CVE-2024-21312: These had been up to date to resolve damaged hyperlink points. No additional motion required.
Contrary to present documentation from Microsoft, there are two revisions that do require consideration: CVE-2024-21410 and CVE-2024-21413. Both reported vulnerabilities are “Preview Pane” important updates from Microsoft that have an effect on Microsoft Outlook and Exchange Server. Though the Microsoft Security Response Center (MSRC) says these vulnerabilities usually are not underneath lively exploitation, there are severalpublished stories of lively exploitation. Note: this can be a critical mixture of Microsoft Exchange and Outlook safety points.Mitigations and workarounds Microsoft printed the next vulnerability-related mitigations for this month’s launch cycle: We have positioned the GPO setting AllowAllTrustedAppToInstall in quotes, as we don’t imagine it exists (or the documentation has been eliminated/deleted). This could also be (one other) documentation challenge.Each month, the group at Readiness supplies detailed, actionable testing steering based mostly on assessing a big software portfolio and an in depth evaluation of the Microsoft patches and their potential impression on the Windows platforms and software installations. For this February launch, we’ve grouped the important updates and required testing efforts into practical areas, together with:Security
AppLocker: Test primary performance of AppLocker, together with deploying AppLocker insurance policies.
Secure Launch has been up to date. Administrators can make sure that Secure Launch is working by the Microsoft utilityEXE.
Networking
DNS has been up to date for all Windows platforms, together with modifications to RRSIG and DNSKEY (used to decrypt/validate hash information). Microsoft has provided steering on securing/validating DNS responses for Windows Server right here and offered syntax and examples to check out DNS question resolutions.
RPC shoppers for inner functions would require a full end-to-end check cycle.
Internet Shortcuts have been up to date and would require testing on each on-line trusted and untrusted sources.
Internet Connection Sharing (ICS) may also require checks run on each host and shopper machines.
Developers and improvement instruments
Microsoft up to date the core part Microsoft Message Queue (MSMQ) which is able to have an effect on Message Queue Services, its associated Routing service and DCOM proxy. Testing should embody on-line shopping and video/audio streaming for any affected app.
SQL OLEDB has been up to date, requiring database directors to verify their database connections and primary SQL instructions.
Microsoft Office
Due to the modifications to Adobe Reader and the PDF file format this month, Microsoft Word customers ought to embody a check to open, save, and print PDF recordsdata.
Outlook customers ought to check opening mail and calendar objects with an extra check of opening a backup Outlook information file.
Also, this month, Microsoft added a brand new characteristic to the Microsoft .NET CORE providing with SignalR. Microsoft explains: “ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data.” You can discover documentation on getting began with SignalR right here.Automated testing will assist with these eventualities (particularly a testing platform that provides a “delta” or comparability between builds). However, for line-of-business apps, getting the applying proprietor (doing UAT) to check and approve the outcomes continues to be important.Windows lifecycle replace This part accommodates necessary modifications to servicing (and most safety updates) to Windows desktop and server platforms.Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (each desktop and server);
Microsoft Office;
Microsoft Exchange Server;
Microsoft improvement platforms (NET Core, .NET Core and Chakra Core);
Adobe (or, when you get this far).
BrowsersMicrosoft launched three minor updates to the Chromium-based Edge (CVE-2024-1283, CVE-2024-1284, and CVE-2024-1059) and up to date the next reported vulnerabilities:
CVE-2024-1060: Chromium: CVE-2024-1060 Use after free in Canvas
CVE-2024-1077: Chromium: CVE-2024-1077 Use after free in Network
CVE-2024-21399: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
All these updates ought to have minor to negligible impression on functions that combine and function on Chromium. Add them to your normal patch launch schedule.WindowsMicrosoft launched two important updates (CVE-2024-21357 and CVE-2024-20684) and 41 patches rated as necessary for Windows that cowl the next elements:
Windows ActiveX and WDAC OLE DB Provider;
Windows Defender;
Windows Internet Connection Sharing;
Windows Hyper-V;
Windows Kernel.
The actual fear this month is the Windows SmartScreen (CVE-2024-21351) replace, which has been reportedly exploited within the wild. Due to this quickly rising risk, add this replace to your Windows “Patch Now” launch schedule.Microsoft Office Microsoft launched a single important replace (CVE-2024-21413) and 7 patches rated as necessary for the Microsoft Office productiveness suite. The actual concern is older variations of Microsoft Office (2016, specifically). If you might be working these older variations, you will want so as to add these updates to your Patch Now schedule.All trendy variations of Microsoft Office can add these February updates to their normal launch schedule.Microsoft Exchange Server Microsoft launched a single replace for Microsoft Exchange server, with CVE-2024-21410 rated important. This replace would require a reboot to the goal server(s). In addition, Microsoft provided this recommendation when patching your servers:“When Setup.exe is used to run /PrepareAD, /PrepareSchema or /PrepareDomain, the installer stories that Extended Protection was configured by the installer, and it shows the next error message: ‘Exchange Setup has enabled Extended Protection on all of the digital directories on this machine.'”Microsoft offers “Extended Protection” as a collection of paperwork and scripts to assist safe your Exchange server. In addition, Microsoft printed Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and a couple of to assist with managing the assault service of this critical vulnerability. Add this to your “Patch Now” schedule.Microsoft improvement platforms Microsoft launched three updates (CVE-2024-20667, CVE-2024-21386 and CVE-2024-21404) affecting the .NET platform in addition to Visual Studio 2022. These updates are anticipated to have minimal impression on app deployments. Add them to your normal developer launch schedule.Adobe Reader (when you get this far) Adobe Reader updates are again this month (yr) with the discharge of APSB 24-07, a precedence three replace for each Adobe Reader and Reader DC. Adobe notes that this vulnerability might result in distant code execution, denial of service, and reminiscence leaks. There are additionally some documented uninstall points with Adobe Reader, which could trigger deployment complications. All this is sufficient to add this Adobe to our “Patch Now” schedule.
Copyright © 2024 IDG Communications, Inc.