June's Patch Tuesday updates focus on Windows, Office
Microsoft released 73 updates to its Windows, Office, and Visual Studio platforms on Patch Tuesday, with many of them dealing with core, but not urgent, security vulnerabilities. That’s a welcome respite from the previous six months of urgent zero-days and public disclosures. With that in mind, the Readiness testing team suggests a focus on printing and backup/recovery processes to make sure they’re not affected by this update cycle.
For the first time, we see a (non-Adobe) third-party vendor added to a Patch Tuesday release, with three minor plugin updates to Visual Studio for AutoDesk. Expect to see more such vendors added to Microsoft’s updates in the near future. The team at Readiness has created a useful infographic that outlines the risks associated with each of the updates.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms in the current update cycle.
At present, we do not have any insights into an out-of-bounds or early update schedule from Microsoft for both the Server 20222/VMWare and the third-party UI issues. These issues are serious, so we expect a response from Microsoft soon.
The following common vulnerabilities and exposures (CVEs) were recently revised in the Microsoft Security Update Guide:
Microsoft published these vulnerability related mitigations for this month’s release:
Each month, the team at Readiness analyses the latest Patch Tuesday updates to develop detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Given the large number of system-level changes included in this cycle, the testing scenarios are divided into standard and high-risk profiles.
Very much like the core security changes related to the waySQL queries are handled on desktop systems, Microsoft has made a fundamental update to how certain rendering APIs are handled with a new set of security restrictions. This is a key requirement to separate user mode and kernel printer driver requests. These are not new APIs or new features, but a hardening of existing API callback routines. This is a big change and will require a full printer testing regime, including:
The following changes included in this month’s update are not seen as at high risk for unexpected outcomes and do not include functional changes:
Microsoft is now disallowing avoidlowmemory and truncatememory BCD options when Secureboot is on. In addition, Microsoft is blocking boot loaders that have not been updated with the May 2023 update.
Note: Your recovery options will be severely limited unless your recovery images have this vital May 2023 update applied as well. For this specific boot process change, the Readiness team recommends the following testing regime.
Do update your recovery media as soon your testing regime is complete.
All these (both standard and high-risk) testing scenarios will require significant app-level testing before general deployment. Given the nature of changes included in this month’s patches, the Readiness team recommends the following tests before deployment:
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds. However, for line-of-business applications, getting the application owner (doing UAT) to test and approve the results is absolutely essential.
Windows lifecycle update
This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft released four low-priority updates for Edge with a further 14 patches released to the Chromium platform (on which Edge is built). We have not seen reports of public disclosures or exploits. That said, there are several outstanding security fixes that have not been fully addressed and published. So, we may see an update for the Chromium/Edge project later this month. Add these updates to your standard patch release schedule.
This month, Microsoft released four critical updates and 33 patches rated important to the Windows platform; they cover these key components:
This is a moderate update for the Windows desktop and server platform and should be seen as a welcome break from the recent serious exploits (both publicly disclosed and exploited). As noted in May and included in this month’s guidance, the focus should be on testing backup and recovery processes. Add this update to your “Patch Now” release schedule.
Microsoft delivers one critical update to its Office platform with a patch to SharePoint Enterprise server. The remaining 11 updates affect Microsoft Outlook, Excel, and OneNote. These are all relatively low-profile vulnerabilities that might affect Mac users more than Windows users. Add these Office updates to your standard release schedule.
Microsoft released two updates for Microsoft Exchange Server (CVE-2023-28310 and CVE-2023-32031) both rated important. These security vulnerabilities require internal authentication and have official/confirmed fixes from Microsoft. There have been no reports of exploits or public disclosures for either issue. Even though updating Exchange Server is a bit of a pain, you can add these two updates to your standard release schedule for this month.
June delivers a cornucopia of patches to the Microsoft development platform, with a single critical update to .NET, a healthy helping of 22 updates rated as important to Visual Studio, one (low rated) update to a Sysinternals tool, and a moderate (how unusual!) update to older non-supported versions of .NET. At first glance, our team thought this would be a big update with a large testing profile. After some examination, this is more of a “corporate hygiene” exercise for Microsoft with a clean-up of small patches to their core development tools.
Add these updates to your standard developer release schedule.
Adobe Reader (we have a guest: AutoDesk)
No updates from Adobe for Reader or Acrobat this month. But, as luck (or bad luck) would have it, we have another “A” to worry about. The introduction of Microsoft’s support for external CNA’s (CVE Numbering Authority) in January allowed for third-party applications to be included in Microsoft updates. Microsoft has previously only included Adobe. This month changes all that, with the introduction of three CVE’s for AutoDesk.
These three reported vulnerabilities (CVE-2023-27911, CVE-2023-27910 and CVE-2023-27909), though developed by Autodesk, are actually plugins for (an older, non-supported) version of Microsoft Visual Studio. That’s why these three issues have been included in this month’s Patch Tuesday release. Add these updates to your standard “third-party” update release schedule. If you didn’t have one before, now you do.
Happy Patching.