Patch now to address a Windows zero-day
Microsoft has addressed 97 existing vulnerabilities this April Patch Tuesday, with a further eight previously released patches updated and re-released. There have been reports of a vulnerability (CVE-2023-28252) exploited in the wild, making it a “Patch Now” release.
This update cycle affects Windows desktops, Microsoft Office, and Adobe Reader. No updates for Microsoft Exchange this month. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this April update cycle.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.
And for those gaming cowboys out there, it appears that Red Dead Redemption 2 is dead on arrival — at least for this April update. For those IT administrators who copy large files on Windows 11 systems (we know who you are), you are just going to have to wait (a little longer), as there is still a buffering problem for multigigabit network transfers on Microsoft’s latest desktop OS.
This month Microsoft has published several major revisions for previous updates including:
Microsoft has published the following vulnerability related mitigations for this month’s April Patch Tuesday release cycle:
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows desktop platforms and application installations.
Given the large number of changes included in this April patch cycle, I have broken down the testing scenarios into standard and high-risk profiles.
Microsoft has made some significant changes to how the SQLOLEDB component functions. SQLOLEDB is a core Microsoft component that handles SQL to OLE API calls. This is not the first time that this key data-focused component has been patched by Microsoft, with a major update just last September. The Assessment team at Readiness highly recommends an application portfolio scan for all applications (and their dependencies) that include references to the Microsoft library SQLOLEDB.DLL. Scanning application packages for ODBC references will raise a lot of “noise” and so the library dependency check is preferred in this instance. Once done, database connectivity tests should be conducted, and we suspect (most importantly) that these tests should be done over a VPN or a less stable internet connection.
All these (both standard and high-risk) scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to the SQL connectivity testing requirements, we also suggest the following “smoke” tests for your systems:
We also must consider the latest update for Adobe Reader this month, so please include a printing test in your deployment effort.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
This April patch cycle sees the return of patches to the Microsoft Edge browser platform with just three updates (CVE-2023-28284, CVE-2023-24935, and CVE-2023-28301), all rated as low by Microsoft. In addition, Microsoft has published 14 Chromium Edge browser updates, which should have minimal deployment risks. Add these updates to your standard patch release schedule.
If you have the time, there is a great post from the Chromium project group on how they are improving the performance of all Chromium browsers.
This April, Microsoft released seven critical updates and 71 patches rated as Important to the Windows platform that cover the following key components (for the critical updates):
Unfortunately, this month there have been reports of a vulnerability (CVE-2023-28252) exploited in the wild, adding to our zero-day count. Add this update to your “Patch Now” release schedule.
No critical updates for the Microsoft Office product group this month. Microsoft has provided five updates rated as Important to Microsoft Publisher and SharePoint addressing spoofing and remote code execution security vulnerabilities. Add these Office updates to your standard release schedule.
It is said that April is the cruellest month, but I am not so sure, as there are no updates from Microsoft for the Microsoft Exchange Server product group this month. This should put some spring in your step.
Microsoft has released just six updates to Visual Studio and .NET (6.X/7.x) for this April patch cycle. These patches address vulnerabilities with low or important ratings by Microsoft and therefore can be added to your standard developer release schedule.
We have Adobe Reader updates for this April update cycle. I really thought that we were done with Reader updates, but here we are with a Priority 3 (the lowest rating from Adobe) update (APSB 23-24) that affects all versions of Adobe Reader and addresses several memory leak security vulnerabilities. Add this update to your standard third-party application deployment effort.