Two zero-days to fix: patch Office and Windows now

Microsoft has addressed 80 new CVEs this month, in addition to four previously released CVEs, bringing the number of security issues addressed in this month’s Patch Tuesday release to 84.

Unfortunately, there are two zero-day vulnerabilities, one in Outlook (CVE-2023-23397) and one in Windows (CVE-2023-24880), which put both the Windows and Microsoft Office updates on a Patch Now release schedule. As with last month, there were no updates for Microsoft Exchange Server or Adobe Reader. This month, the Application Readiness team provided a helpful infographic that describes the risks associated with each update in this cycle.

Known issues

Each month, Microsoft includes a list of known issues that apply to the operating system and platforms included in the update cycle.

  • KB5022842. After installing KB5022842 on a Windows Server 2022 VMware VM with Secure Boot enabled and restarting twice, the VM fails to boot with the new bootmgr. Microsoft is still investigating this issue. Separately, after you install this update, the behavior of WPF applications may change.
  • After you install this month’s Windows update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 may fail to start.

Microsoft is still working on a network performance issue with Windows 11 22H2. Large (multi-gigabyte) network file transfers, and potentially similarly large local transfers, are affected. This issue should primarily affect IT administrators.

Major revisions

Microsoft released four major revisions this month, which included:

  • CVE-2023-2156. Remote code execution vulnerability in Microsoft SQL Server Integration Services (VS extension).
  • CVE-2022-41099. BitLocker security feature bypass vulnerability.
  • CVE-2023-21716. Remote code execution vulnerability in Microsoft Word.
  • CVE-2023-21808. .NET and Visual Studio remote code execution vulnerability.

All of these revisions were driven by documentation changes or expanded software update coverage. No further action is required.

Mitigations and Solutions

Microsoft has released the following vulnerability mitigations for this month’s release:

  • CVE-2023-23392. A remote code execution vulnerability in the HTTP protocol stack. For Windows Server 2022 to be vulnerable to this issue, HTTP/3 must be enabled on the network connection and the server must use buffered I/O. Enabling HTTP/3 is discussed here: Enabling HTTP/3 support in Windows Server 2022.
  • CVE-2023-23397. Microsoft Outlook elevation of privilege vulnerability. Microsoft has released two mitigations for this serious security issue:
  1. Add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.
  2. Block TCP 445/SMB egress from your network using a perimeter firewall, local firewalls, and your VPN settings.
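The following PowerShell is an added example, not from the article or from Microsoft: it checks whether the CVE-2023-23392 HTTP/3 prerequisite is met on a Windows Server 2022 host and applies the two CVE-2023-23397 mitigations above at the host level. It assumes the ActiveDirectory and NetSecurity modules are available and that the account names in $accounts are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Exposure check for CVE-2023-23392 and the two
# CVE-2023-23397 mitigations listed above. Assumes the ActiveDirectory and NetSecurity
# modules are present and that $accounts holds placeholder names to replace.

# --- CVE-2023-23392: is the HTTP/3 prerequisite met on this Windows Server 2022 host?
# HTTP/3 is opt-in on Server 2022 via the EnableHttp3 value under HTTP\Parameters.
# Buffered I/O is a per-listener setting, so this only answers the first half.
function Test-Http3Enabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $val = (Get-ItemProperty -Path $key -Name EnableHttp3 -ErrorAction SilentlyContinue).EnableHttp3
    return ($val -eq 1)
}
if (Test-Http3Enabled) {
    Write-Warning 'HTTP/3 is enabled: CVE-2023-23392 is reachable on listeners that use buffered I/O.'
} else {
    Write-Host 'HTTP/3 is not enabled: the CVE-2023-23392 prerequisite is not met on this host.'
}

# --- CVE-2023-23397 mitigation 1: Protected Users (NTLM cannot be used by members).
# Caveat: domain user accounts only. Members also lose DES/RC4 Kerberos, delegation and
# long-lived TGTs, so keep service and computer accounts out of this group.
$accounts = @('alice', 'bob')   # placeholder sAMAccountNames
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName

# --- CVE-2023-23397 mitigation 2: host-firewall rule blocking outbound TCP 445 to the
# internet. 'Internet' is the firewall's predefined address set for destinations outside
# the intranet (as classified by Network Location Awareness), so internal file servers
# still work; the perimeter firewall and VPN settings still need the same block.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
# Confirm the rule's port filter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```

Run the Protected Users step on a pilot group first: members that still depend on NTLM will fail to authenticate immediately.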

Test Guide

Each month, the Readiness team analyzes Patch Tuesday updates and provides detailed, actionable testing guidance. That guidance is based on an evaluation of a large portfolio of applications and a detailed analysis of Microsoft’s patches and their potential impact on Windows platforms and application installations.

Given the large number of changes covered this month, I’ve divided the testing scenarios into high-risk and standard-risk groups.

High risk

Microsoft released some high-risk changes in the March update. Although they may not result in changes to functionality, a test profile should be mandatory for each update:

  • Microsoft has updated how DCOM responds to remote requests as part of a recent hardening effort. The hardening began in June 2021 (Phase 1), was updated in June 2022 (Phase 2), and with this month’s release all changes become mandatory. DCOM is a core Windows component used for communication between services or processes. Microsoft has advised that this change (together with full enforcement of the previous phases) will cause application-level compatibility issues. The company has offered some guidance on what is changing and how to mitigate compatibility issues arising from these latest mandatory settings.
  • A major change to the Win32kfull.sys core system file was included this month, as two functions (DrvPlgBlt and nf-wingdi-plgblt) were updated. Microsoft has advised that there are no functional changes to these features. Testing apps that depend on these features will be important before this month’s updates are fully deployed.
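To find the applications that the DCOM hardening will reject, and so build the test list the section above calls for, the following added PowerShell (not from the article or from Microsoft) reads the enforcement switch and summarises the DistributedCOM events that Microsoft documented with the hardening (KB5004442); the registry value and event IDs are assumed to be as documented there.

```powershell
# Added example (not from the article): inventory DCOM callers that the hardening
# rejects, to build the application test list the section above calls for. Assumes the
# KB5004442 registry switch and DistributedCOM event IDs documented by Microsoft.

# 1. Enforcement switch. Before this month's update, 1 = hardened and 0 = legacy
#    behaviour; from March 2023 the change is mandatory and the value is informational.
$key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$level = (Get-ItemProperty -Path $key -Name RequireIntegrityActivationAuthenticationLevel `
          -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
"RequireIntegrityActivationAuthenticationLevel = $(if ($null -eq $level) { 'not set' } else { $level })"

# 2. Events that name the affected callers: 10036 on the DCOM server (activation request
#    below Packet Integrity rejected), 10037/10038 on the client (explicit or default
#    activation level below Packet Integrity). Each message names the app, PID and CLSID.
function Get-DcomHardeningEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Detail = ($_.Message -split "`r?`n")[0]   # first line carries app/CLSID
            }
        }
}

# Summarise by event ID, then list unique callers to hand to the test team.
$events = Get-DcomHardeningEvents -Days 14
$events | Group-Object Id | Format-Table Count, Name -AutoSize
$events | Sort-Object Detail -Unique | Format-Table Time, Id, Detail -Wrap
```

Run it on DCOM servers (for 10036) as well as on client workstations (for 10037/10038), since each side only logs its own half of the rejected call.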

These scenarios require significant application-level testing before general deployment.

  • Bluetooth. Try adding and removing new Bluetooth devices. Bluetooth network devices in particular should be included.
  • Windows network stack (TCPIP.SYS). Basic web browsing, “normal” file transfers, and video streaming should be enough to test for changes to Windows’ network stack.
  • Hyper-V. Test both Gen1 and Gen2 virtual machines (VMs). Both types of machines must be started, stopped, shut down, and restarted successfully.

In addition to these changes, Microsoft has updated the core D3DKMTCreateDCFromMemory function, which affects two core system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, some users experienced SYSTEM_SERVICE_EXCEPTION BSOD errors during previous updates to these drivers. Microsoft has published information on how to manage these issues. Hopefully you won’t have to deal with them this month.

Windows Lifecycle Update

This section contains important maintenance changes (and most security updates) for Windows desktop and server platforms over the next few months.

  • Windows 10 Enterprise and Education, version 20H2, and Windows 10 IoT Enterprise, version 20H2, reach end of servicing on May 9, 2023.

Each month we divide the update cycle into the following main groupings of product families (as defined by Microsoft):

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange Server.
  • Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core).
  • Adobe (retirement ???, maybe next year).

Browsers

For March, there were 22 updates (none rated critical), 21 of which came from the Google release channel and one (CVE-2023-24892) from Microsoft. All of these are easy-to-deploy updates with minimal deployment risk. You can find the Microsoft version of these release notes here, and the Google Desktop channel release notes here. Add these updates to your standard patch release schedule.

Windows

Microsoft has released 10 critical updates and 48 further patches for the Windows platform, covering the following key components:

  • Microsoft Printer Postscript Drivers.
  • Windows Bluetooth service.
  • Windows Win32K and Core Graphics components (GDI).
  • Windows HTTP Protocol Stack and PPPoE.

Aside from the recent DCOM authentication change (see DCOM hardening above), most of this month’s updates have a very low risk profile. There is a minor update to the printing subsystem (Postscript 6) and other changes to network processing, storage, and graphics components. Unfortunately, there is a zero-day in Windows SmartScreen (part of Windows Defender), CVE-2023-24880, with reports of both exploitation and public disclosure. As a result, add these Windows updates to your Patch Now release schedule.

Microsoft Office

Microsoft has released 11 updates to the Microsoft Office platform, one of which is rated as especially critical, while the remaining updates affect only Excel and SharePoint. The Microsoft Outlook update (CVE-2023-23397) should be patched immediately. I’ve included Microsoft’s recommendations in our mitigations section above, which include adding users to a higher security group and blocking port 445/SMB on your network. Given the low risk of crashing other apps and the ease of installing this patch, I have another idea: add these Office updates to your Patch Now release schedule.

Microsoft Exchange Server

No Microsoft Exchange updates are required this month. However, the particularly troubling issue with Microsoft Outlook (CVE-2023-23397) will be enough for any mail administrator to deal with this month.

Microsoft development platforms

This is a very light patch cycle for Microsoft development platforms, with only four updates to Visual Studio (GitHub extensions) this month. All of these updates have been rated critical by Microsoft and have a very low deployment risk profile. Add them to your standard developer release schedule.

Adobe Reader (still here, but not this month)

A trend is emerging: Adobe has again not released any updates for Adobe Reader. It’s also notable that this is the first month in nine that Microsoft hasn’t released any major updates to its XPS, PDF, or printing subsystem. Thus, no mandatory printer testing is required.

Copyright © 2023 IDG Communications, Inc.