With its August Patch Tuesday unencumber, Microsoft driven out 90 updates for the Home windows and Administrative center platforms. The newest fixes come with some other replace for Microsoft Change (in conjunction with with a caution about failed updates to Change Server 2016 and 2019) and a “Patch Now” advice from us for Administrative center.
The group at Application Readiness has crafted this useful infographic outlining the dangers related to each and every of the updates for this month.
Identified problems
Every month, Microsoft features a checklist of identified problems affecting the newest replace cycle. For August, they come with:
- After putting in this replace on visitor digital machines (VMs) working Home windows Server 2022 on some variations of VMware ESXi, Home windows Server 2022 may now not get started up. Microsoft and VMware are each investigating the problem.
- Provisioning applications on Home windows 11 model 22H2 (also known as Home windows 11 2022 Replace) may now not paintings as anticipated. Home windows may best be in part configured, and the out-of-box enjoy may now not end or may restart all of a sudden. Provisioning the Home windows instrument ahead of upgrading to Home windows 11 model 22H2 must save you the problem.
Sadly for the ones nonetheless the use of Windows Server 2008 ESU, this month’s replace may fail utterly with the message, “Failure to configure Home windows updates. Reverting Adjustments. Don’t flip off your pc.” Microsoft provides some advice on ESU updates, however chances are you’ll in finding it’s a must to wait a short time ahead of you are able to effectively replace legacy Change servers. Sorry about that.
Main revisions
Microsoft has revealed those main revisions overlaying:
- ADV190023: Microsoft Steering for Enabling LDAP Channel Binding and LDAP Signing. This newest replace provides the aptitude to permit CBT occasions 3074 & 3075 with match supply **Microsoft-Home windows-ActiveDirectory_DomainService** within the Listing Carrier match log.
- ADV230001: Steering on Microsoft Signed Drivers Being Used Maliciously. Microsoft has introduced that the Aug. 8 Home windows Safety updates (see Safety Updates desk) upload further untrusted drivers and driving force signing certificate to the Home windows Driving force.STL revocation checklist.
- CVE-2023-29360: Microsoft Streaming Carrier Elevation of Privilege Vulnerability. Microsoft has corrected CVE titles and up to date a number of CVSS ratings for the affected merchandise.
- CVE-2023-35389: Microsoft Dynamics 365 On-Premises Faraway Code Execution Vulnerability. On this newest replace, Microsoft got rid of Microsoft Dynamics 365 (on-premises) model 9.1, as it isn’t suffering from the vulnerability. That is an informational exchange best. No additional motion required.
Mitigations and workarounds
Microsoft revealed the next vulnerability-related mitigations for this unencumber cycle:
- CVE-2023-35385: Microsoft Message Queuing Faraway Code Execution Vulnerability. The Home windows message queuing provider, which is a Home windows part, must be enabled for a device to be exploitable by means of this vulnerability. Take a look at to peer whether or not there’s a provider working named Message Queuing and TCP port 1801 is listening at the gadget.
- CVE-2023-36882: Microsoft WDAC OLE DB supplier for SQL Server Faraway Code Execution Vulnerability. Microsoft provides the next mitigation recommendation for this severe vulnerability: “In case your atmosphere best connects to identified, relied on servers and there’s no talent to reconfigure current connections to indicate to some other location (for instance you employ TLS encryption with certificates validation), the vulnerability can’t be exploited.”
Checking out steerage
Every month, the Readiness group analyzes the newest Patch Tuesday updates and gives detailed, actionable checking out steerage. This steerage is according to assessing a big software portfolio and an in depth research of the patches and their attainable have an effect on at the Home windows platforms and app installations.
Given the numerous selection of adjustments integrated this month, I have damaged down the checking out eventualities into high-risk and standard-risk teams:
Top menace
As all of the high-risk adjustments impact the Microsoft Home windows core kernel and inner messaging subsystem (although we’ve got now not observed any revealed capability adjustments), we strongly counsel the next targeted checking out:
- There were various vital updates to the Microsoft Message Queue (MSMQ). This may impact servers that depend on triggers, routing products and services, and multicasting toughen. Our expectation is that internally evolved line-of-business shopper/server programs are possibly to be affected and subsequently want greater consideration and checking out this month.
Same old menace
- Home windows error reporting has been up to date, so it is very important do a “CRUD” check for your Home windows Commonplace Log Document Device (CLFS) logs.
- A gaggle coverage refresh must be integrated on this checking out cycle because of adjustments within the NT consumer coverage (each consumer and gadget) information. Because of API adjustments on this function, you may also wish to test report paths on your resultant log information.
- Microsoft’s Crypto (CNG) APIs were up to date, so good card installations would require checking out.
- ODBC programs would require checking out once more this month because of an replace to the SQLOLEDB libraries.
And this is one for Home windows targeted IT directors: Microsoft has up to date the WinSAT API. This instrument is described by means of Microsoft:
“The Home windows Device Evaluation Software (WinSAT) exposes various categories that assess the efficiency traits and functions of a pc. Builders can use this API to expand instrument that may get entry to the efficiency and capacity knowledge of a pc to decide the optimum software settings according to that pc’s efficiency functions.”
A majority of these eventualities would require vital application-level checking out ahead of normal deployment. Along with those particular checking out necessities, we recommend a normal check of the next printing options:
- Replace all of your print servers and validate that the printer control instrument behaves as anticipated whilst working print jobs.
- Uninstall any print control instrument after an replace to make sure that your server remains to be working as anticipated.
- Check all printer producer varieties, the use of each native and far off printer exams.
Computerized checking out will assist with those eventualities (particularly a checking out platform that provides a “delta” or comparability between builds). On the other hand, on your line-of-business programs, getting the app proprietor (doing UAT) to check and approve the effects is admittedly crucial.
Every month, we destroy down the replace cycle into product households (as outlined by means of Microsoft) with the next elementary groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Home windows (each desktop and server);
- Microsoft Administrative center;
- Microsoft Change Server;
- Microsoft Construction platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (nonetheless right here, however with some other A).
Browsers
Proceeding a welcome development, Microsoft launched 11 updates to its Chromium browser initiatives (Edge) and no patches to its legacy browsers. You’ll be able to learn extra about Microsoft Edge unencumber notes here, noting that Chrome/Edge updates have been launched on Monday (Aug. 7) now not the standard “Patch Tuesday.”
Upload those browser updates for your typical patch unencumber time table.
Home windows
Microsoft launched 3 important updates, 32 rated as vital and one rated as reasonable. All (3) of the important updates to the Home windows platform relate to the Home windows Message Queuing (MSMQ). Even though those important updates have a score of 9.8 (that is beautiful excessive), they’ve now not been publicly disclosed or reported as exploited. Now not each and every group will employ the MSMQ function, so for many groups, the checking out profile must be beautiful mild. Upload those Home windows updates for your typical unencumber time table.
Microsoft Administrative center
Microsoft has launched 3 important updates to Microsoft Outlook (CVE-2023-36895, CVE-2023-29330 and CVE-2023-29328) that require rapid consideration. Along with those patches, Microsoft has launched 11 updates rated as vital and one rated as reasonable. Those 12 updates impact Microsoft Administrative center generally and Visio. Upload those Administrative center updates for your “Patch Now” unencumber time table.
Microsoft Change Server
Ahead of you do anything else, do not replace your non-English Microsoft Change Servers (2019 and 2016). This month’s replace will fail mid-way thru and go away your server in an “undetermined state.” Now that this has (now not) been accomplished, you’ll be able to attend to the six Change updates (all rated as vital) for this month. No important updates confirmed up, so take your time. Word: a majority of these August patches would require a server reboot. Upload those updates for your typical unencumber time table.
Microsoft building platforms
Microsoft has launched 8 updates to the Microsoft .NET and ASP.NET platforms this month. Those patches have been rated as vital and must be integrated for your typical developer unencumber time table.
Adobe Reader (nonetheless right here, however with some other A)
Adobe is again. And we’ve got some other “A” to fret about (kinda bizarre, huh?). APSB23-30 from Adobe patches a important vulnerability in Adobe Reader — upload it for your “Patch Now” time table. And the opposite “A”? Following the new development of supporting third-party patches within the Microsoft replace unencumber cycle (bear in mind the Autodesk update in June?), Microsoft has launched CVE-2023-20569; it is expounded to an AMD memory-related vulnerability. You’ll be able to learn extra about this at the AMD website here.
Patching? Certain.
Checking out? Now not certain.
Copyright © 2023 IDG Communications, Inc.