Sunday, May 14, 2023

May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP

This week, 51 vulnerabilities in Windows, Microsoft Office, and Visual Studio were fixed by Microsoft, including three critical zero-day problems that need to be fixed right away.

Microsoft fixed 51 vulnerabilities in Windows, Microsoft Office, and Visual Studio in its May release. Three of the Windows vulnerabilities (CVE-2023-24932, CVE-2023-29325, and CVE-2023-29336) are zero-days, and the urgency of patching them means that both Windows and Microsoft Office should be updated right away. We advise "Patch Now" for both.

For this patch cycle, it is necessary to test Windows secure boot, VPN and remote desktop connections, and the proper handling of document (RTF and DOC) files by Microsoft Outlook. To describe the risks connected with each update for this cycle, the team at Application Readiness created this useful infographic.

Known issues

Microsoft publishes a list of known issues each month for the platforms and operating systems covered by the most recent updates. These are for May:

Some third-party UI customization apps for Windows devices might not open after installing the April and/or later updates. StartAllBack and ExplorerPatcher have each made a remedy available for their respective UI problems.
Windows Server 2022 may fail to start on some versions of VMware ESXi after the May update is applied to guest virtual machines (VMs) running Windows Server 2022. Microsoft and VMware are both working on a resolution.

One issue that continues to plague all versions of Windows 10, and has done so for the past three months, is that kiosk device profiles still do not sign in automatically. Microsoft is developing a patch. Who these days isn't looking for some redeeming value in game updates? It has recently been reported that Red Dead Redemption 2 can now launch. Good work.

Major revisions

There haven't been any significant updates to earlier fixes or CVEs this month.

Mitigations and workarounds

Microsoft has not released any more workarounds or mitigations for the fixes this month.

Testing guidance

The Readiness team reviews the most recent Patch Tuesday updates each month and offers thorough, practical testing advice. The recommendations are based on an evaluation of a sizable application portfolio and a thorough examination of Microsoft updates and their potential effects on Windows installations and applications.

I have divided the testing scenarios into standard and high-risk profiles due to the significant number of system-level changes included in this cycle.

High risk

This month, Microsoft made significant changes to the TPM module, specifically to Secure Boot and BitLocker. For this update, the Readiness team proposes the following fundamental tests:

With Secure Boot and BitLocker enabled, target systems should boot as expected.
With BitLocker enabled and Secure Boot disabled, systems should still boot successfully.
Test booting from each of these media types: DVD, USB, and ISO.

After the Secure Boot update has been applied, test your backups.
Once the update has been installed, make sure that OS file system restores work as expected.
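The before/after comparison the high-risk tests above call for can be scripted. The following PowerShell is an added example, not code from the original post or from the Readiness team; it assumes an elevated session on a UEFI machine with the SecureBoot and BitLocker modules present (Windows 10/11 or Windows Server 2022), and the C:\PatchTest path in the usage lines is a placeholder.

```powershell
# Snapshot Secure Boot state, BitLocker protection and installed hotfixes, then
# compare a pre-update snapshot with a post-update one to catch regressions.
function Get-BootSecuritySnapshot {
    $secureBoot = $null   # $null means the query failed (non-UEFI or not elevated)
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = [string]$_.ProtectionStatus   # 'On' or 'Off'
            VolumeStatus     = [string]$_.VolumeStatus       # e.g. FullyEncrypted
        }
    }

    [pscustomobject]@{
        Taken      = Get-Date
        SecureBoot = $secureBoot
        Volumes    = @($volumes)
        HotFixes   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    }
}

function Compare-BootSecuritySnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    $findings = @()
    if ($Before.SecureBoot -ne $After.SecureBoot) {
        $findings += "Secure Boot state changed: $($Before.SecureBoot) -> $($After.SecureBoot)"
    }
    foreach ($old in $Before.Volumes) {
        $new = $After.Volumes | Where-Object MountPoint -eq $old.MountPoint
        if (-not $new) { $findings += "BitLocker volume $($old.MountPoint) missing after update"; continue }
        if ($old.ProtectionStatus -eq 'On' -and $new.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection dropped on $($old.MountPoint)"
        }
    }
    # Hotfix IDs present only in the post-update snapshot tell you what actually landed.
    $newKbs = $After.HotFixes | Where-Object { $_ -notin $Before.HotFixes }
    [pscustomobject]@{ Findings = $findings; NewHotFixes = @($newKbs) }
}

# Usage (placeholder path): snapshot before patching, then again after the reboot.
# Get-BootSecuritySnapshot | Export-Clixml C:\PatchTest\before.xml
# $before = Import-Clixml C:\PatchTest\before.xml
# Compare-BootSecuritySnapshot -Before $before -After (Get-BootSecuritySnapshot)
```

An empty Findings list with the expected KBs under NewHotFixes is the pass condition; anything in Findings should block wider rollout until explained.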

As a result of the May Patch Tuesday update, we are uncertain about the reliability of recovery media. If you created your boot recovery media on a system before this update, it may or may not work. You must make sure that full backups are completed and tested after you have applied this update. Both Windows Server 2022 and Windows 11 (22H2) desktops are affected by this scenario.

Standard risk

The following changes in this month's update have not been flagged as high risk or as including functional changes.

Test your applications using the Microsoft LDAP Connect/Bind command, both with and without SSL.
WIN32K.SYS, a crucial system file, has been updated; this may affect application menus.
Test applications that configure or set up monitors.
Install and activate Defender Application Guard on your VMs and test them.
If you have deployed Microsoft QUIC, check your connectivity to your edge servers over a VPN. This should cover email, file uploads, web browsing, and streaming video.
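The LDAP connect/bind test in the list above, with and without SSL, can be driven from PowerShell through the .NET System.DirectoryServices.Protocols API. This is an added example, not code from the original post; it assumes a reachable domain controller on ports 389 and 636, and the server name and credential are placeholders you supply.

```powershell
# Bind to a directory server over plain LDAP (389) or LDAPS (636) and read the
# RootDSE, so the result proves both authentication and a working session.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [switch] $UseSsl
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $conn.Credential = $Credential.GetNetworkCredential()
        $conn.Bind()
        # A base-scope search of the RootDSE ('' DN) needs a live, authenticated session.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)', 'Base', 'defaultNamingContext')
        $resp = $conn.SendRequest($req)
        $nc   = $resp.Entries[0].Attributes['defaultNamingContext'][0]
        [pscustomobject]@{ Server = $Server; Port = $port; Ssl = [bool]$UseSsl; Bound = $true
                           NamingContext = $nc; Ms = $sw.ElapsedMilliseconds; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $port; Ssl = [bool]$UseSsl; Bound = $false
                           NamingContext = $null; Ms = $sw.ElapsedMilliseconds; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): run both variants before and after the update and compare
# the Bound flag and bind latency in the resulting table.
# $cred = Get-Credential
# 'dc01.example.internal' | ForEach-Object {
#     Test-LdapBind -Server $_ -Credential $cred
#     Test-LdapBind -Server $_ -Credential $cred -UseSsl
# } | Format-Table Server, Port, Ssl, Bound, Ms, Error
```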

Each of these testing scenarios needs intensive application-level testing before wide-scale deployment. Given the nature of the changes in these patches, the Readiness team advises that you:

Test your VPN and remote desktop connections using SSTP.
Test Bluetooth audio and mouse devices.
Create, read, update, and delete files on an NFS share.
Test local and remote print jobs.

These cases will benefit from automated testing, particularly when utilizing a testing platform that provides a "delta" or comparison between builds. This is still crucial for line-of-business applications that require the application owner to evaluate and accept the test findings (during UAT).

Windows lifecycle update

Important updates to servicing (including the majority of security updates) for Windows desktop and server platforms are included in this section.

As of May 9, all versions of Windows 10 version 20H2 are no longer supported.
On June 13, Windows 10 version 21H2 will no longer be supported. The following editions of Windows 10 21H2 will continue to get support from Microsoft: Windows 10 Enterprise and Education, Windows 10 IoT Enterprise, and Windows 10 Enterprise multi-session.

We categorize the update cycle into product families (as specified by Microsoft) each month, using the following standard divisions:

Microsoft Windows (desktop and server)
Microsoft Office
Microsoft Exchange Server
Microsoft development platforms (ASP.NET Core, .NET Core, and Chakra Core)
Adobe (retired?, perhaps next year)
Browsers (Microsoft IE and Edge)

Browsers

Microsoft released 11 discrete updates to its browser lineup, all rated important. As part of the February Windows security update ("B" release), the retired, out-of-support Internet Explorer 11 desktop application was permanently disabled for those still utilizing the older code base (IE). These updates should be included in your regular patch release schedule.

Windows

Microsoft delivered 22 updates rated important for the Windows platform this month, including five critical updates that cover the following key areas:

Windows Lightweight Directory Access Protocol (LDAP)
Windows Network File System (NFS)
Windows Pragmatic General Multicast (PGM) and Windows Secure Socket Tunneling Protocol (SSTP)

At first sight, the May Windows release appeared to be very light, with fewer critical updates than usual. However, a staged release is necessary because of the complexity of the vulnerability that Microsoft discovered and fixed in the Windows Secure Boot process. Microsoft cautions that this flaw, known as CVE-2023-24932, enables "attackers to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled."

Your Secure Boot process has been compromised. You heard that right. BlackLotus is to blame. Boot media must be carefully examined; otherwise, "bricked" servers are a serious risk, as noted in the testing guidance section above. Before continuing, see the revised guidance for CVE-2023-24932. More information about the BlackLotus campaign is available here.

The "Patch Now" release schedule should include this update.

Microsoft Office

This month, Microsoft issued one important update for SharePoint Server. Six additional important updates for Word, Excel, and Teams were also released. The main focus needs to be Microsoft Outlook, which receives an updated patch (replacing an earlier mitigation) for a critical elevation of privilege (EOP) vulnerability, CVE-2023-29324. Microsoft explained this significant security problem in an updated mitigation document.

Although the Windows OLE-related vulnerability (CVE-2023-29325) belongs in this month's Windows section, the true issue with this key system component is Microsoft Outlook's handling of RTF and Word DOC "open" requests. There have been no reports of the other Microsoft Office-related vulnerabilities being exploited in the wild, and no public disclosures of the Excel vulnerabilities. Given how urgently the Microsoft Outlook and core Microsoft Office (OLE) patches need to be applied, add these Office updates to your "Patch Now" release schedule.

Microsoft Exchange Server

Great news: no Exchange Server updates this cycle.

Microsoft development platforms

This month, Microsoft provided only two fixes (CVE-2023-29338 and CVE-2023-29343), both rated important. These updates affect only Visual Studio and Sysmon and have a very minimal testing profile (thanks, Mark). They should be included in your regular developer release schedule.
