Patch Office and Windows Today to Solve Two Zero-Days
Microsoft resolved 80 new CVEs this month, adding to four previously published CVEs, bringing the number of security issues addressed in this month’s Patch Tuesday release to 84.
Unfortunately, two zero-day flaws, one in Outlook (CVE-2023-23397) and one in Windows (CVE-2023-24880), put both the Windows and Microsoft Office updates on a “Patch Now” release schedule. There are no Microsoft Exchange Server or Adobe Reader updates this month. The Readiness team has provided a useful infographic that outlines the risks associated with each update in this cycle.
Each month Microsoft publishes a list of known issues related to the operating systems and platforms included in the update cycle.
- KB5022842: After installing KB5022842 on Windows Server 2022 with Secure Boot enabled and rebooting twice, VMware VMs were unable to boot using the new bootmgr. This issue is still under review by Microsoft. Installing this update may also change the behavior of WPF apps.
- Windows Server 2022 may not boot after installing this month’s Windows updates in a guest virtual machine (VM) running Windows Server 2022 on some versions of VMware ESXi.
Microsoft continues to work on network performance issues with Windows 11 22H2. Large (several gigabytes) network file transfers (and potentially equally large local transfers) are affected. This issue mostly affects IT admins.
Microsoft released four major revisions this month, covering:
- CVE-2023-2156: Remote code execution vulnerability in Microsoft SQL Server Integration Service (VS extension).
- CVE-2022-41099: BitLocker security feature bypass vulnerability.
- CVE-2023-21716: A remote code execution vulnerability in Microsoft Word.
- CVE-2023-21808: Remote code execution vulnerabilities in .NET and Visual Studio.
All of these revisions are enhancements to the documentation and affected software updates. No further action is required.
Mitigations and Workarounds
Microsoft has published the following vulnerability-related mitigations in this month’s release:
- CVE-2023-23392: A remote code execution vulnerability in the HTTP protocol stack. A Windows Server 2022 system is only exposed to this issue if HTTP/3 is enabled on the network binding and the server is using buffered I/O. Microsoft’s guidance on enabling HTTP/3 support on Windows Server 2022 describes how that setting is configured.
- CVE-2023-23397: Microsoft Outlook elevation of privilege vulnerability. Microsoft has published two mitigations for this critical security issue:
- Add the affected users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism for those accounts.
- Use perimeter firewalls, local firewalls, and VPN settings to block outbound TCP 445/SMB from your network.
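Added example (not from the article and not Microsoft’s code): a PowerShell script that audits a host against the two items above, checking the HTTP/3 prerequisite for CVE-2023-23392 and the two CVE-2023-23397 mitigations, and optionally applies the latter. It assumes a domain-joined Windows host with the ActiveDirectory and NetSecurity modules available and elevated rights; the registry value EnableHttp3 under the HTTP service parameters is the switch Microsoft’s HTTP/3 article refers to, and the user names and firewall rule name are placeholders.

```powershell
#Requires -RunAsAdministrator
param(
    [string[]]$Users = @('jdoe'),   # placeholder sAMAccountNames of Outlook users to protect
    [switch]$Remediate              # report only unless this switch is given
)

# 1. CVE-2023-23392 prerequisite: HTTP/3 is opt-in on Windows Server 2022 through this value.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$http3 = (Get-ItemProperty -Path $httpParams -Name EnableHttp3 -ErrorAction SilentlyContinue).EnableHttp3
if ($http3 -eq 1) {
    Write-Warning "HTTP/3 is enabled in HTTP.sys; this host meets the CVE-2023-23392 prerequisite. Prioritise the patch."
} else {
    Write-Output "HTTP/3 is not enabled (EnableHttp3=$http3); the CVE-2023-23392 prerequisite is not met."
}

# 2a. CVE-2023-23397 mitigation: Protected Users membership removes NTLM for those accounts.
Import-Module ActiveDirectory
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($u in $Users) {
    if ($protected -contains $u) {
        Write-Output "$u is already a member of Protected Users."
    } elseif ($Remediate) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $u
        Write-Output "Added $u to Protected Users."
    } else {
        Write-Warning "$u is NOT in Protected Users (run with -Remediate to add)."
    }
}

# 2b. Host-firewall counterpart of the perimeter rule: block outbound TCP 445 so a coerced
#     NTLM authentication cannot reach an SMB listener outside the network.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'   # placeholder display name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Outbound SMB block rule already present: $ruleName"
} elseif ($Remediate) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any | Out-Null
    Write-Output "Created outbound block rule for TCP 445."
} else {
    Write-Warning "No outbound TCP 445 block rule found (run with -Remediate to create one)."
}
```

Run it without `-Remediate` first and read the warnings. Protected Users membership also disables cached credentials, DES and RC4 Kerberos and delegation for the account, so pilot it with a small group and never add computer or service accounts; a host-level outbound 445 block also stops that machine from reaching legitimate file shares, which is why Microsoft’s perimeter placement is the less disruptive starting point.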
Each month, the Readiness team analyzes Tuesday’s patch update and provides detailed and actionable testing guidance. This guidance is based on an evaluation of a large application portfolio and a detailed analysis of Microsoft’s patches and their potential impact on Windows platforms and application installations.
Due to the large number of changes included this month, we have grouped the test scenarios into high-risk and standard-risk groups.
Microsoft published several high-risk changes in the March update. Each of them requires a test profile, even though it may not result in a change in functionality.
- Microsoft has updated how DCOM responds to remote requests as part of recent hardening. This process has been ongoing since June 2021 (Phase 1), continued in June 2022 (Phase 2), and all changes become mandatory with this month’s update. DCOM is a core Windows component used for communication between services or processes. Microsoft has advised that this (and the full rollout of the earlier recommendations) will introduce application-level compatibility issues. The company offers guidance on what has changed and on how to mitigate compatibility issues arising from these now-mandatory settings.
- The major change to the core system file win32kfull.sys this month is an update to two functions (DrvPlgBlt and PlgBlt, documented under nf-wingdi-plgblt). Microsoft has advised that there are no functional changes to these functions. It is imperative to test applications that rely on them before fully deploying this month’s update.
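Added example (not the article’s or Microsoft’s code): a PowerShell triage script that finds the applications the now-mandatory DCOM hardening will affect, by pulling the DistributedCOM events Microsoft documented for the rollout (10036 on the server side, 10037 and 10038 on the client side) from the System log and reading the phase-2 override value under HKLM\SOFTWARE\Microsoft\Ole\AppCompat. Those event IDs and the registry value come from Microsoft’s DCOM hardening documentation, not from this page; the computer names and look-back window are placeholders, and remote hosts are assumed to accept WinRM.

```powershell
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # placeholder: list the servers to sweep
    [int]$Days = 30                                  # placeholder look-back window
)

# Event IDs Microsoft documented for DCOM hardening (System log, provider DistributedCOM):
#   10036 - this server rejected a remote activation made below PKT_INTEGRITY
#   10037 - a local client requested remote activation with an explicit, too-low auth level
#   10038 - a local client requested remote activation with a default, too-low auth level
$dcomEventIds = 10036, 10037, 10038

# Phase-2 override switch. Once hardening is mandatory it no longer disables anything, so a host
# still carrying it is a sign the compatibility problem was deferred rather than fixed.
$overrideKey  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$readOverride = {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
    if ($p) { $p.RequireIntegrityActivationAuthenticationLevel }
}

$results = foreach ($computer in $ComputerName) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = $dcomEventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue

    $override = if ($computer -eq $env:COMPUTERNAME) {
        & $readOverride
    } else {
        Invoke-Command -ComputerName $computer -ScriptBlock $readOverride
    }

    [pscustomobject]@{
        Computer      = $computer
        ServerRejects = @($events | Where-Object { $_.Id -eq 10036 }).Count
        ClientLowAuth = @($events | Where-Object { $_.Id -in 10037, 10038 }).Count
        OverrideValue = $override
        # Distinct messages name the application, PID, CLSID and peer involved: that is the triage list.
        Details       = ($events | Select-Object -ExpandProperty Message -Unique) -join "`n"
    }
}

$results | Format-List
```

A non-zero ServerRejects count means a remote client is still activating objects on that server below the required level and will start failing; ClientLowAuth events point at software on the scanned host that needs a vendor update. Hosts reporting OverrideValue 0 should have the value removed once the application fixes are in place, since it no longer has an effect after this month’s update.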
These scenarios require significant application-level testing before general deployment.
- Bluetooth: Test adding and removing new Bluetooth devices. It is highly recommended to include a Bluetooth network device in this test.
- Windows Network Stack (TCPIP.SYS): Basic web surfing, “normal” file transfers, and video streaming are sufficient to test changes to the Windows network stack.
- Hyper-V: Try testing both Gen1 and Gen2 virtual machines (VMs). Both types of machines should start, stop, shut down, suspend, and resume gracefully.
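Added example, not part of the article: a PowerShell smoke test for the Hyper-V scenario above. It drives each VM through start, suspend, resume, graceful shutdown, restart and hard stop, and reports which steps succeeded and the VM generation, so one run covers both Gen1 and Gen2 machines. It assumes the Hyper-V module on the host, elevated rights, VMs with integration services (the heartbeat check depends on them) and placeholder VM names.

```powershell
#Requires -Modules Hyper-V
param(
    [string[]]$VMName = @('test-gen1', 'test-gen2'),  # placeholder names: one Gen1 and one Gen2 VM
    [int]$TimeoutSec = 180                            # how long to wait for the guest heartbeat
)
Import-Module Hyper-V

function Test-VMLifecycle {
    param([string]$Name, [int]$Timeout)
    $vm = Get-VM -Name $Name -ErrorAction Stop
    $steps = [ordered]@{}
    try {
        # Start, then wait for the integration-services heartbeat so we know the guest OS booted.
        Start-VM -VM $vm
        Wait-VM -VM $vm -For Heartbeat -Timeout $Timeout
        $steps['Start']    = (Get-VM -Name $Name).Heartbeat -like 'Ok*'

        # Suspend (pause) and resume.
        Suspend-VM -VM $vm
        $steps['Suspend']  = (Get-VM -Name $Name).State -eq 'Paused'
        Resume-VM -VM $vm
        $steps['Resume']   = (Get-VM -Name $Name).State -eq 'Running'

        # Graceful shutdown goes through integration services, exercising the guest shutdown path.
        Stop-VM -VM $vm -Force
        $steps['Shutdown'] = (Get-VM -Name $Name).State -eq 'Off'

        # Start again and hard-stop, which is the "stop" the article lists separately from shutdown.
        Start-VM -VM $vm
        Wait-VM -VM $vm -For Heartbeat -Timeout $Timeout
        Stop-VM -VM $vm -TurnOff -Force
        $steps['HardStop'] = (Get-VM -Name $Name).State -eq 'Off'
    } catch {
        $steps['Error'] = $_.Exception.Message
    }

    $failed = @($steps.Values | Where-Object { $_ -eq $false }).Count
    [pscustomobject]@{
        VMName     = $Name
        Generation = $vm.Generation
        Passed     = ($failed -eq 0) -and -not $steps.Contains('Error')
        Steps      = ($steps.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}

$VMName | ForEach-Object { Test-VMLifecycle -Name $_ -Timeout $TimeoutSec } | Format-Table -AutoSize
```

Run it against test VMs only, since it powers them off. A VM that boots but never reports an “Ok” heartbeat usually means integration services are missing or the guest is hung, which is exactly the regression this scenario is meant to catch after a host update.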
In addition to these changes, Microsoft updated a key memory function (D3DKMTCreateDCFromMemory) that affects two major system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, past updates to these drivers produced SYSTEM_SERVICE_EXCEPTION blue screens (BSODs) for some users. Microsoft has posted information on how to manage these issues; hopefully you won’t have to deal with them this month.
Windows Lifecycle Updates
This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms in the coming months.
- Windows 10 Enterprise and Education, version 20H2, and Windows 10 IoT Enterprise, version 20H2, will reach end of service on May 9, 2023.
Each month, we categorize our update cycles into product families (as defined by Microsoft), with the following basic groupings:
- Browser (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft development platforms (ASP.NET Core, .NET Core, and Chakra Core).
- Adobe (retired???, maybe next year).
Browsers
There were 22 browser updates in March (none were rated as important): 21 from the Google release channel and one (CVE-2023-24892) from Microsoft. All of these are easy-to-deploy updates with low deployment risk. Microsoft’s release notes and the Google desktop channel release notes have the details. Add these updates to your standard patch release schedule.
Windows
Microsoft has released 10 critical updates and 48 patches rated Important for the Windows platform. They cover the following major components:
- Microsoft Printer PostScript Driver.
- Windows Bluetooth service.
- Windows Win32K and Core Graphics Component (GDI).
- Windows HTTP protocol stack and PPPoE.
Other than the recent changes to DCOM authentication (see the DCOM hardening discussion above), most of this month’s updates have a very low risk profile. There are minor updates to the printing subsystem (PostScript 6) and other tweaks to networking, storage and graphics components. Unfortunately, Windows has a real zero-day problem: CVE-2023-24880 in SmartScreen (part of Windows Defender) has both reports of exploitation and public disclosure. So please add these Windows updates to your “Patch Now” release schedule.
Microsoft Office
Microsoft has released 11 updates to the Microsoft Office platform. One of them is rated (very) Critical; the rest are rated Important and affect only Excel and SharePoint. Unfortunately, the update to Microsoft Outlook (CVE-2023-23397) should be patched immediately. We have included the recommendations provided by Microsoft in the mitigation section above: adding the user to a higher-security group and blocking port 445/SMB on your network. Given the low risk of breaking other apps and the ease of deploying this patch, my advice is simple: add these Office updates to the “Patch Now” release schedule.
Microsoft Exchange Server
No updates to Microsoft Exchange are required this month. However, the Microsoft Outlook issue (CVE-2023-23397) is enough for mail admins to handle this month.
Microsoft development platform
This is a very light patch cycle for the Microsoft development platform, with only 4 updates to Visual Studio (GitHub extension) this month. All of these updates are rated Important by Microsoft and have a very low risk profile for deployment. Add these updates to the standard developer release schedule.
Adobe Reader (still here, but not this month)
Adobe hasn’t released any updates for Adobe Reader, so we could be seeing a trend here. It’s also interesting that this is the first month in nine months that Microsoft hasn’t released a significant update to its XPS, PDF, or printing systems. Therefore, no mandatory printer testing is required.
Copyright © 2023 IDG Communications, Inc.