With this month’s Patch Tuesday replace, Microsoft addressed 130 safety vulnerabilities, printed two advisories, and integrated 4 main CVE revisions. We even have 4 zero-days to regulate for Home windows (CVE-2023-32046, CVE-2023-32049, CVE-2023-36874 and CVE-2023-36884), bringing the Home windows platform right into a “patch now” agenda.
It will have to be more straightforward to concentrate on Microsoft Workplace and Home windows trying out this month, as we should not have any Adobe, Change, or browser updates. Be sure you moderately assessment Microsoft’s Storm 0978 because it supplies particular, actionable steerage on managing the intense HTML vulnerability in Microsoft Workplace (CVE-2022-38023).
The Readiness group has crafted this helpful infographic to stipulate the hazards related to every of the updates.
Recognized problems
Microsoft every month lists identified problems that relate to the running formulation and platforms integrated in the newest replace cycle.
- After putting in this replace on visitor digital machines (VMs) operating Home windows Server 2022 on some variations of VMware ESXi, Home windows Server 2022 would possibly now not get started up. Handiest Home windows Server 2022 VMs with Safe Boot enabled are affected. Microsoft and VMware are investigating the issue and can be offering additional info when it is to be had.
- The usage of provisioning applications on Home windows 11, model 22H2 would possibly now not paintings as anticipated. Home windows would possibly handiest be partly configured, and the out-of-box revel in would possibly now not end or would possibly restart impulsively.
Primary revisions
Microsoft has printed two main revisions:
- CVE-2022-37967: Home windows Kerberos Elevation of Privilege Vulnerability (4th replace). This updates eliminates the facility to set price 1 for the KrbtgtFullPacSignature subkey, and permit the Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which can also be overridden through an Administrator with an particular Audit environment. No additional motion is needed in case you observe this month’s replace.
- CVE-2022-38023: Netlogon RPC Elevation of Privilege Vulnerability. The (earlier) April 2023 updates take away the facility to disable RPC sealing through setting value 0 to the RequireSeal registry subkey.
Mitigations and workarounds
Microsoft printed the next vulnerability-related mitigations for this unencumber:
- CVE-2023-32038: Microsoft ODBC Driving force Far flung Code Execution Vulnerability. Microsoft recommends that in case you handiest connect with identified, relied on servers — and if there’s no skill to reconfigure current connections to indicate to every other location — this vulnerability can’t be exploited.
- CVE-2023-36884: Workplace and Home windows HTML Far flung Code Execution Vulnerability (some of the zero-day exploits this cycle). Microsoft notes that if you’re the usage of Microsoft Defender you might be secure. For extra cynical/jaded/skilled execs, we propose that you simply (moderately) learn the Risk Intelligence submit (Storm-0978).
- CVE-2023-35367, CVE-2023-35366 and CVE-2023-35365: Home windows Routing and Far flung Get admission to Carrier (RRAS) Far flung Code Execution Vulnerability. In the event you don’t seem to be the usage of (and feature now not put in) Microsoft’s Routing and Far flung Get admission to Services and products (RRAS), you don’t seem to be liable to this exploit.
Trying out steerage
Each and every month, the Readiness group supplies detailed, actionable trying out steerage for the newest updates. This steerage is in line with assessing a big utility portfolio and an in depth research of the Microsoft patches and their attainable have an effect on at the Home windows platforms and alertness installations.
In case you have hired inside internet or utility servers, it’ll be price trying out the HTTP3 protocol — particularly the usage of Microsoft Edge. Along with this protocol dealing with replace, Microsoft made an important collection of adjustments and updates to the networking stack requiring the next trying out:
- Take a look at your RRAS router with UDP, pingback and traceroute instructions whilst including and deleting routing desk entries.
- Make certain that your area servers behave as anticipated with full enforcement mode enabled.
Given the huge collection of system-level adjustments this month, I’ve divided the trying out situations into usual and high-risk profiles.
Top threat
For the reason that this replace comprises fixes for 4 (some say 5) zero-day flaws, we have now two primary drivers of alternate this month: key capability adjustments in core techniques and an pressing want to ship updates. Microsoft has documented that two core spaces had been up to date with important capability adjustments, together with printing and the native community stack (with a focal point on routing). In consequence, the next trying out will have to be integrated earlier than basic deployment:
- Printing: test your native printers, as key driving force dealing with has been up to date.
- Make certain that your DNS server zones are nonetheless functioning as anticipated after this replace
Usual threat
The next adjustments had been integrated this month and feature now not been raised as both excessive threat (with sudden results) and don’t come with purposeful adjustments.
- Home windows Hi will want trying out to incorporate Lively Listing (in addition to Azure AD) Unmarried-Signal-on (SSO).
- Take a look at your faraway desktop (RDP) connections with and with out Microsoft’s RD Gateway and make sure you see the proper point of certificates warnings (or now not, if already omitted).
- (For IT admins) Take a look at your Home windows Error logs (center of attention on carrier hangs) with a Create/Learn/Replace/Delete/Lengthen (CRUDE) take a look at.
- Take a look at your encryption and crypto configuration situations. Particularly Kerberos for your area controllers and key isolation.
- Take a look at your backups. You would not have to fret about your restoration media this time.
These types of trying out situations would require important application-level trying out earlier than a basic deployment. Given the adjustments integrated on this month’s patches, the Readiness group recommends that the followings exams be carried out earlier than basic deployment:
- Set up, replace, and uninstall your core line of industrial programs.
- Test your (native) printer drivers.
- Validate your VBScripts and UI automation equipment (as OLE was once up to date this month, see CComClassFactorySingleton).
- Take a look at audio/video streaming after which Microsoft Groups (because of its uploads/downloads and message queuing necessities).
This month is also a bit of tricky to check your Microsoft Workplace automation/scripts and integration with third-party programs because of the alternate in OLE and the way Microsoft has addressed CVE-2023-36884. We advise a complete take a look at of Excel macros (in the event that they use OLE/COM/DCOM) and any VBS scripts that come with Phrase.
Home windows lifecycle replace
Listed below are the necessary adjustments to servicing (and maximum safety updates) to Home windows desktop and server platforms.
- Home windows 11, model 21H2, will achieve finish of servicing on Oct. 10, 2023. This is applicable to the next editions launched in October 2021: Home windows 11 House, Professional, Training, Professional for Workstations.
Each and every month, we damage down the replace cycle into product households (as outlined through Microsoft) with the next elementary groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Home windows (each desktop and server);
- Microsoft Workplace;
- Microsoft Change Server;
- Microsoft Construction platforms (ASP.NET Core, .NET Core and Chakra Core);
- And Adobe (retired???, perhaps subsequent yr).
Browsers
Exhausting to imagine, however there are not any browser updates on this replace cycle. And we do not see anything else coming down the pipeline for a mid-cycle unencumber both. It is a giant alternate and an enormous growth from the times of enormous, complicated, and pressing browser updates. Move Microsoft!
Home windows
Microsoft launched 8 crucial updates and 95 patches rated as necessary to the Home windows platform, protecting those key parts:
As discussed within the Microsoft Workplace segment above, we really feel the point of interest this month will have to be at the quick solution of CVE-2023-36884. Regardless that rated as necessary through Microsoft (sorry to be contrarian), we really feel that since it’s been each publicly disclosed and exploited it will have to be handled as pressing. Coupled with the opposite Home windows zero-day (CVE-2023-32046) this brings all of the Home windows replace crew into the “Patch Now” agenda for our purchasers. As soon as the screaming stops, you’ll be able to take a while to try the Windows 11 release video; we discover it calming.
Microsoft Workplace
We want to speak about Microsoft Workplace. Regardless that there are two crucial rated updates for SharePoint (CVE-2023-33157 and CVE-2023-33160) and 14 updates rated necessary through Microsoft, the elephant within the room is CVE-2023-36884 (Workplace and HTML RCE Vulnerability). This vulnerability has been each publicly disclosed and documented as exploited. Formally, this replace belongs within the Home windows crew, however we imagine that the real have an effect on lies in how Microsoft Workplace offers with HTML information (transmit/retailer/compute). CVE-2023-36884 without delay impacts Workplace and your trying out regime will have to replicate this.
Upload those Workplace updates on your usual unencumber agenda, noting that your Workplace patch trying out regime will want to be paired along with your Home windows replace unencumber agenda.
Microsoft Change Server
A lot to all our excellent fortune, there are not any updates for Microsoft Change Server this month.
Microsoft construction platforms
In comparison to the very severe (and a lot of) exploits in Workplace and Home windows this month, there are handiest 5 updates affecting Visible Studio, ASP.NET and a minor element of Mono (the pass platform C# implementation). These types of patches are rated necessary through Microsoft and will have to be added on your usual developer unencumber agenda.
Adobe Reader (nonetheless right here, simply now not this month)
Extra excellent information: there are not any updates from Adobe or different third-party distributors on this replace.
Copyright © 2023 IDG Communications, Inc.