Microsoft has resolved 80 new CVEs this month along with 4 earlier CVEs, bringing the variety of safety points addressed on this month’s Patch Tuesday launch to 84. Unfortunately, we now have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that require a “Patch Now” launch requirement for each Windows and Microsoft Office updates. As it was final month, there have been no additional updates for Microsoft Exchange Server or Adobe Reader. This month the workforce at Application Readiness has offered a useful infographic that outlines the dangers related to every of the updates for this cycle.Known pointsEach month, Microsoft features a record of identified points that relate to the working system and platforms included within the replace cycle.
KB5022842: After putting in KB5022842 on Windows Server 2022 with Secure Boot enabled and rebooting twice, the VMware VM didn’t boot utilizing the brand new bootmgr. This situation continues to be into account by Microsoft. After putting in this replace, WPF apps could have a change in habits.
After putting in this month’s Windows replace on visitor digital machines (VMs) working Windows Server 2022 on some variations of VMware ESXi, Windows Server 2022 may not begin.
Microsoft continues to be engaged on a community efficiency situation with Windows 11 22H2. Large (multi-gigabyte) community file transfers (and probably equally massive native transfers) are affected. This situation ought to primarily have an effect on IT directors.Major revisionsMicrosoft revealed 4 main revisions this month masking:
VE-2023-2156: Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability.
CVE-2022-41099: Title: BitLocker Security Feature Bypass Vulnerability.
CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability.
CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability.
All of those revisions have been because of documentation and expanded affected software program updates. No additional motion is required.Mitigations and workaroundsMicrosoft revealed the next vulnerability associated mitigations for this month’s launch:
CVE-2023-23392: HTTP Protocol Stack Remote Code Execution Vulnerability. A prerequisite for a Windows 2022 server to be susceptible to this safety situation is that the community binding has HTTP/3 enabled and the server makes use of buffered I/O. Enabling HTTP/3 is mentioned right here: Enabling HTTP/3 help on Windows Server 2022.
CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Microsoft has revealed two mitigations for this severe safety situation:
Add customers to the Protected Users Security Group, which prevents using NTLM as an authentication mechanism.
Block TCP 445/SMB outbound out of your community through the use of a fringe firewall, a neighborhood firewall, and through your VPN settings.
Testing steerage Each month, the workforce at Readiness analyzes the Patch Tuesday updates and gives detailed, actionable testing steerage; that steerage is predicated on assessing a big software portfolio and an in depth evaluation of the Microsoft patches and their potential impression on the Windows platforms and software installations.Given the big variety of adjustments included this month, I’ve damaged down the testing eventualities into high-risk and standard-risk teams.High threatMicrosoft revealed a number of excessive threat adjustments within the March replace. While they might not result in performance adjustments, the testing profile for every replace ought to be obligatory:
Microsoft has up to date how DCOM responds to distant requests as a part of the latest hardening effort. This course of has been underneath manner since June 2021 (Phase 1), with an replace in June 2022 (Phase 2) and now this month with all adjustments applied as obligatory. DCOM is a core Windows part used for speaking between companies or processes. Microsoft has suggested that this (and full deployment of previous suggestions) will trigger application-level compatibility points. The firm has supplied some help on what’s altering and how you can mitigate any compatibility points on account of these latest obligatory settings.
A serious change to the core system file Win32kfull.sys has been included this month as two capabilities (DrvPlgBlt and nf-wingdi-plgblt) have been up to date. Microsoft has suggested there aren’t any useful adjustments to those capabilities. Testing functions that rely on these capabilities might be important earlier than a full deployment of this month’s updates.
These eventualities require important application-level testing earlier than common deployment.
Bluetooth: Try including and eradicating new Bluetooth gadgets. Stressing Bluetooth community gadgets can be extremely suggested.
Windows Network stack (TCPIP.SYS): Basic internet browsing, “normal” file transfers and video streaming ought to be adequate to check the adjustments to the Windows networking stack.
Hyper-V: Try testing each Gen1 and Gen2 digital machines (VM’s). Both varieties of machines ought to begin, cease, shut down, pause, and resume efficiently.
In addition to those adjustments, Microsoft up to date a key reminiscence perform (D3DKMTCreateDCFromMemory) that impacts two key system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, in previous updates to those drivers, some customers have generated BSOD SYSTEM_SERVICE_EXCEPTION errors. Microsoft has posted info on how you can handle these points. Hopefully you do not have to resolve these sorts of points this month.Windows lifecycle replaceThis part comprises necessary adjustments to servicing (and most safety updates) to Windows desktop and server platforms over the following few months:
Windows 10 Enterprise (and Education), Version 20H2 and Windows 10 IoT Enterprise, and Windows Version 20H2 will attain an finish of servicing date on May 9, 2023.
Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:
Browsers (Microsoft IE and Edge).
Microsoft Windows (each desktop and server).
Microsoft Office.
Microsoft Exchange Server.
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
Adobe (retired???, possibly subsequent yr).
BrowsersThere have been 22 updates for March (none rated vital), with 21 included within the Google launch channel and one (CVE-2023-24892) from Microsoft. All these updates are easy-to-deploy updates with marginal to low deployment threat. You can discover Microsoft’s model of these launch notes right here and the Google Desktop channel launch notes right here. Add these updates to your normal patch launch schedule. WindowsMicrosoft launched 10 vital updates and 48 patches rated as necessary to the Windows platform that cowl the next key parts:
Microsoft Printer Postscript Drivers.
Windows Bluetooth Service.
Windows Win32Ok and Core Graphics parts (GDI).
Windows HTTP Protocol Stack and PPPoE.
Other than the latest change to DCOM authentication (see DCOM hardening) most of this month’s updates have a really low threat profile. We have a minor replace to a printing subsystem (Postscript 6) and different tweaks to community dealing with, storage, and graphics parts. Unfortunately, we now have an actual zero-day situation with Windows (CVE-2023-24880) SmartScreen (aka Windows Defender) with experiences of each exploitation and a public disclosure. As a outcome, add these Windows updates to your “Patch Now” launch schedule.Microsoft OfficeMicrosoft launched 11 updates to the Microsoft Office platform with one rated as (tremendous) vital and the remaining updates rated necessary and affecting simply Excel and SharePoint. Unfortunately, the Microsoft Outlook replace (CVE-2023-23397) should be patched instantly. I’ve included suggestions supplied by Microsoft in our mitigations part above which embrace including customers to the next safety group and blocking ports 445/SMB in your community. Given the low threat of breaking different apps and the benefit of deployment of this patch, I’ve one other concept: add these Office updates to your “Patch Now” launch schedule.Microsoft Exchange ServerNo Microsoft Exchange updates required this month. That mentioned, there’s a notably worrying situation with Microsoft Outlook (CVE-2023-23397) that might be sufficient for any mail administrator to deal with this month.Microsoft growth platformsThis is a really mild patch cycle for Microsoft growth platforms with simply 4 updates to Visual Studio (GitHub extensions) this month. All these updates are rated as necessary by Microsoft and have a really low deployment threat profile. Add these updates to your normal developer launch schedule. Adobe Reader (nonetheless right here, however simply not this month)We could also be seeing a development right here as Adobe has not launched any updates for Adobe Reader. It can also be attention-grabbing that that is the primary month in 9 that Microsoft has not launched any vital updates to its XPS, PDF or printing system. So, no obligatory printer testing is required.
Copyright © 2023 IDG Communications, Inc.