With its August Patch Tuesday launch, Microsoft pushed out 90 updates for the Windows and Office platforms. The newest fixes embody one other replace for Microsoft Exchange (together with with a warning about failed updates to Exchange Server 2016 and 2019) and a “Patch Now” suggestion from us for Office. The group at Application Readiness has crafted this handy infographic outlining the dangers related to every of the updates for this month.Known pointsEach month, Microsoft features a record of recognized points affecting the most recent replace cycle. For August, they embody:
After putting in this replace on visitor digital machines (VMs) working Windows Server 2022 on some variations of VMware ESXi, Windows Server 2022 may not begin up. Microsoft and VMware are each investigating the problem.
Provisioning packages on Windows 11 model 22H2 (additionally referred to as Windows 11 2022 Update) may not work as anticipated. Windows would possibly solely be partially configured, and the out-of-box expertise may not end or would possibly restart unexpectedly. Provisioning the Windows system earlier than upgrading to Windows 11 model 22H2 ought to stop the problem.
Unfortunately for these nonetheless utilizing Windows Server 2008 ESU, this month’s replace would possibly fail utterly with the message, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer.” Microsoft affords some recommendation on ESU updates, however you would possibly discover you need to wait a short while earlier than you are in a position to efficiently replace legacy Exchange servers. Sorry about that.Major revisionsMicrosoft has revealed these main revisions protecting:
ADV190023: Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing. This newest replace provides the aptitude to allow CBT occasions 3074 & 3075 with occasion supply **Microsoft-Windows-EnergeticDirectory_DomajorService** within the Directory Service occasion log.
ADV230001: Guidance on Microsoft Signed Drivers Being Used Maliciously. Microsoft has introduced that the Aug. 8 Windows Security updates (see Security Updates desk) add extra untrusted drivers and driver signing certificates to the Windows Driver.STL revocation record.
CVE-2023-29360: Microsoft Streaming Service Elevation of Privilege Vulnerability. Microsoft has corrected CVE titles and up to date a number of CVSS scores for the affected merchandise.
CVE-2023-35389: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. In this newest replace, Microsoft eliminated Microsoft Dynamics 365 (on-premises) model 9.1, as it’s not affected by the vulnerability. This is an informational change solely. No additional motion required.
Mitigations and workaroundsMicrosoft revealed the next vulnerability-related mitigations for this launch cycle:
CVE-2023-35385: Microsoft Message Queuing Remote Code Execution Vulnerability. The Windows message queuing service, which is a Windows element, must be enabled for a system to be exploitable by this vulnerability. Check to see whether or not there’s a service working named Message Queuing and TCP port 1801 is listening on the machine.
CVE-2023-36882: Microsoft WDAC OLE DB supplier for SQL Server Remote Code Execution Vulnerability. Microsoft affords the next mitigation recommendation for this critical vulnerability: “If your environment only connects to known, trusted servers and there is no ability to reconfigure existing connections to point to another location (for example you use TLS encryption with certificate validation), the vulnerability cannot be exploited.”
Testing steering Each month, the Readiness group analyzes the most recent Patch Tuesday updates and gives detailed, actionable testing steering. This steering relies on assessing a big utility portfolio and an in depth evaluation of the patches and their potential affect on the Windows platforms and app installations.Given the numerous variety of adjustments included this month, I’ve damaged down the testing eventualities into high-risk and standard-risk teams: High riskAs all of the high-risk adjustments have an effect on the Microsoft Windows core kernel and inner messaging subsystem (although we have now not seen any revealed performance adjustments), we strongly suggest the next targeted testing:
There have been plenty of vital updates to the Microsoft Message Queue (MSMQ). This will have an effect on servers that depend on triggers, routing companies, and multicasting help. Our expectation is that internally developed line-of-business shopper/server purposes are most definitely to be affected and subsequently want elevated consideration and testing this month.
Standard danger
Windows error reporting has been up to date, so you will have to do a “CRUD” take a look at in your Windows Common Log File System (CLFS) logs.
A gaggle coverage refresh must be included on this testing cycle attributable to adjustments within the NT consumer coverage (each consumer and machine) recordsdata. Due to API adjustments on this characteristic, you may also need to verify file paths to your resultant log recordsdata.
Microsoft’s Crypto (CNG) APIs have been up to date, so good card installations would require testing.
ODBC purposes would require testing once more this month attributable to an replace to the SQLOLEDB libraries.
And this is one for Windows targeted IT directors: Microsoft has up to date the WinSAT API. This instrument is described by Microsoft:”The Windows System Assessment Tool (WinSAT) exposes a number of classes that assess the performance characteristics and capabilities of a computer. Developers can use this API to develop software that can access the performance and capability information of a computer to determine the optimal application settings based on that computer’s performance capabilities.”All these eventualities would require vital application-level testing earlier than basic deployment. In addition to those particular testing necessities, we recommend a basic take a look at of the next printing options:
Update all of your print servers and validate that the printer administration software program behaves as anticipated whereas working print jobs.
Uninstall any print administration software program after an replace to make sure that your server remains to be working as anticipated.
Test all printer producer sorts, utilizing each native and distant printer checks.
Automated testing will assist with these eventualities (particularly a testing platform that gives a “delta” or comparability between builds). However, to your line-of-business purposes, getting the app proprietor (doing UAT) to check and approve the outcomes is totally important.Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:
Browsers (Microsoft IE and Edge);
Microsoft Windows (each desktop and server);
Microsoft Office;
Microsoft Exchange Server;
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
Adobe (nonetheless right here, however with one other A).
BrowsersPersevering with a welcome development, Microsoft launched 11 updates to its Chromium browser initiatives (Edge) and no patches to its legacy browsers. You can learn extra about Microsoft Edge launch notes right here, noting that Chrome/Edge updates had been launched on Monday (Aug. 7) not the same old “Patch Tuesday.”Add these browser updates to your commonplace patch launch schedule. WindowsMicrosoft launched three important updates, 32 rated as necessary and one rated as average. All (three) of the important updates to the Windows platform relate to the Windows Message Queuing (MSMQ). Though these important updates have a score of 9.8 (that is fairly excessive), they haven’t been publicly disclosed or reported as exploited. Not each group will make use of the MSMQ characteristic, so for many groups, the testing profile must be fairly mild. Add these Windows updates to your commonplace launch schedule.Microsoft OfficeMicrosoft has launched three important updates to Microsoft Outlook (CVE-2023-36895, CVE-2023-29330 and CVE-2023-29328) that require fast consideration. In addition to those patches, Microsoft has launched 11 updates rated as necessary and one rated as average. These 12 updates have an effect on Microsoft Office on the whole and Visio. Add these Office updates to your “Patch Now” launch schedule.Microsoft Exchange ServerEarlier than you do something, do not replace your non-English Microsoft Exchange Servers (2019 and 2016). This month’s replace will fail mid-way by and go away your server in an “undetermined state.” Now that this has (not) been completed, you possibly can attend to the six Exchange updates (all rated as necessary) for this month. No important updates confirmed up, so take your time. Note: all these August patches would require a server reboot. Add these updates to your commonplace launch schedule. Microsoft growth platformsMicrosoft has launched eight updates to the Microsoft .NET and ASP.NET platforms this month. These patches had been rated as necessary and must be included in your commonplace developer launch schedule.Adobe Reader (nonetheless right here, however with one other A)Adobe is again. And we have now one other “A” to fret about (kinda bizarre, huh?). APSB23-30 from Adobe patches a important vulnerability in Adobe Reader — add it to your “Patch Now” schedule. And the opposite “A”? Following the current development of supporting third-party patches within the Microsoft replace launch cycle (bear in mind the Autodesk replace in June?), Microsoft has launched CVE-2023-20569; it is expounded to an AMD memory-related vulnerability. You can learn extra about this on the AMD web site right here. Patching? Sure. Testing? Not positive.
Copyright © 2023 IDG Communications, Inc.