Patch Office and Windows now to resolve two zero-days

Microsoft has resolved 80 new CVEs this month in addition to four earlier CVEs, bringing the number of security issues addressed in this month’s Patch Tuesday release to 84. 

Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that require a “Patch Now” release requirement for both Windows and Microsoft Office updates. As it was last month, there were no further updates for Microsoft Exchange Server or Adobe Reader. This month the team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this cycle.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the update cycle.

Microsoft is still working on a network performance issue with Windows 11 22H2. Large (multi-gigabyte) network file transfers (and potentially similarly large local transfers) are affected. This issue should mainly affect IT administrators.

Major revisions

Microsoft published four major revisions this month covering:

All of these revisions were due to documentation and expanded affected software updates. No further action is required.

Microsoft published the following vulnerability related mitigations for this month’s release:

Each month, the team at Readiness analyzes the Patch Tuesday updates and provides detailed, actionable testing guidance; that guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups.

Microsoft published several high risk changes in the March update. While they may not lead to functionality changes, the testing profile for each update should be mandatory:

These scenarios require significant application-level testing before general deployment.

In addition to these changes, Microsoft updated a key memory function (D3DKMTCreateDCFromMemory) that affects two key system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, in past updates to these drivers, some users have generated BSOD SYSTEM_SERVICE_EXCEPTION errors. Microsoft has posted information on how to manage these issues. Hopefully you don’t have to resolve these kinds of issues this month.

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms over the next few months:

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

There were 22 updates for March (none rated critical), with 21 included in the Google release channel and one (CVE-2023-24892) from Microsoft. All these updates are easy-to-deploy updates with marginal to low deployment risk. You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. Add these updates to your standard patch release schedule.

Microsoft released 10 critical updates and 48 patches rated as important to the Windows platform that cover the following key components:

Other than the recent change to DCOM authentication (see DCOM hardening) most of this month’s updates have a very low risk profile. We have a minor update to a printing subsystem (Postscript 6) and other tweaks to network handling, storage, and graphics components. Unfortunately, we have a real zero-day issue with Windows (CVE-2023-24880) SmartScreen (aka Windows Defender) with reports of both exploitation and a public disclosure. As a result, add these Windows updates to your “Patch Now” release schedule.

Microsoft released 11 updates to the Microsoft Office platform with one rated as (super) critical and the remaining updates rated important and affecting just Excel and SharePoint. Unfortunately, the Microsoft Outlook update (CVE-2023-23397) will have to be patched immediately. I have included recommendations offered by Microsoft in our mitigations section above which include adding users to a higher security group and blocking ports 445/SMB on your network. Given the low risk of breaking other apps and the ease of deployment of this patch, I have another idea: add these Office updates to your “Patch Now” release schedule.

No Microsoft Exchange updates required this month. That said, there is a particularly worrying issue with Microsoft Outlook (CVE-2023-23397) that will be enough for any mail administrator to handle this month.

This is a very light patch cycle for Microsoft development platforms with just four updates to Visual Studio (GitHub extensions) this month. All these updates are rated as important by Microsoft and have a very low deployment risk profile. Add these updates to your standard developer release schedule. 

We may be seeing a trend here as Adobe has not released any updates for Adobe Reader. It is also interesting that this is the first month in nine that Microsoft has not released any critical updates to its XPS, PDF or printing system. So, no mandatory printer testing is required.