Microsoft's first Patch Tuesday of the year fixes ninety-eight security vulnerabilities, including ten classified as critical for Windows. A vulnerability (CVE-XNUMX-XNUMX) in a core section of the Windows code is a zero-day vulnerability that requires immediate attention. And Adobe is back with a critical update, as well as some stealthy fixes for the Microsoft Edge browser.
We added the Windows and Adobe updates to our "Patch Now" list, recognizing that this month's patch releases will require significant testing and engineering effort. The App Readiness team has provided a helpful infographic outlining the risks associated with each of the updates for this January update cycle.
Known issues
Each month, Microsoft includes a list of known issues related to the operating system and platforms included in that update cycle.
- Microsoft Exchange (XNUMX-XNUMX): After you install this January update, previous web views for shared URLs in Outlook on the web (OWA) don't display properly. Microsoft is currently working on a solution for this.
- Windows 10: After installing KB5001342 or below, the Microsoft Cluster service may not start because a cluster network monitor could not be found.
There are still some known issues with Windows 8, Windows XNUMX.x, and Windows Server XNUMX, but with these rapidly aging (and insecure) operating systems, it's time to move on.
Important revisions
Microsoft did not release any essential fixes this month. There were several updates to previous patches, but for documentation purposes only. No further action is required here.
Mitigations and workarounds
Microsoft has not released any concrete mitigations or workarounds for this month's January Patch Tuesday release cycle.
Testing guidance
Every month, the preparation team examines the latest Patch Tuesday updates from Microsoft and provides detailed and actionable testing guidance. This advice is based on evaluation of an extensive portfolio of applications and a detailed analysis of Microsoft patches and their potential impact on Windows platforms and application installations.
Given the large number of changes included in this January patch cycle, I've divided the test cases into high-risk and standard-risk sets:
High risk: This January update from Microsoft makes a significant number of high-risk changes to the system kernel and printing subsystems of Windows. Unfortunately, these changes include critical system files like win32base.sys, sqlsrv32.dll, and win32k.sys, further broadening the test profile for this patch cycle.
Since all of the high-risk changes affect the Microsoft Windows printing subsystem (although we haven't seen any feature changes released), we strongly advise the following printing-focused tests:
- Add and delete watermarks while printing.
- Change the default spool directory.
- Connect to a Bluetooth printer and print black and white and color pages.
- Try using the MS Publisher (Microsoft) Imager Supervisor. It is free as a "generic" printer monitor and can be installed on any computer running Windows 8.x or later. Due to the large number of download sites offering this player, make sure your download is digitally signed and comes from a trusted source (for example, Windows Update).
All of these scenarios will require significant testing at the application level before the general release of the update this month. In addition to these specific testing requirements, we suggest general testing of the following printing features:
- Printing from directly connected printers.
- Remote printing (via RDP and VPN).
- Test physical and virtual scenarios with XNUMX-bit applications on XNUMX-bit machines.
More generally, given the extensive nature of this update, we suggest trying out the following Windows features and components:
- Test user-based scenarios that take advantage of touchpoint and gesture support.
- Try to connect/disconnect SSTP VPN sessions. You can read more about these updated protocols here.
- With Microsoft LDAP services, test applications that require access to Active Directory queries.
In addition to these changes and the following testing requirements, I've included some of the more difficult test scenarios for this January update:
- SQL queries: My goodness. You'll need to make sure that your mission-critical applications that use SQL (and those that don't?) really work. As in "returning the right data sets from overly complex, multi-sourced, heterogeneous database queries." With that said, Microsoft said: "This update fixes a known issue that affects applications that use the Microsoft Open Database Connectivity (ODBC) SQL Server monitor (sqlsrv32.dll) to connect to databases." Therefore, we should see this situation improve this month.
- Legacy Applications – If you have an older (legacy) application that may be using now deprecated Windows classes, you will need to run a full test of the application in addition to the basic smoke tests.
With all of these more difficult test scenarios, we advise scanning your application portfolio for updated application components or system-level dependencies. This analysis should provide a short list of affected applications, which should reduce your testing and deployment effort later.
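One way to build that short list for the SQL scenario, shown as an added example that is not part of the original article: it parses ODBC connection strings from an application inventory and flags the ones that resolve to the in-box "SQL Server" driver, which is the driver name Windows registers for sqlsrv32.dll. The inventory, application names and server names are constructed for illustration.

```python
import re

# Driver name registered by the in-box Windows ODBC driver (sqlsrv32.dll).
INBOX_DRIVER = "sql server"

# Constructed sample inventory: application name -> ODBC connection string.
PORTFOLIO = {
    "payroll":   "Driver={SQL Server};Server=db01;Database=pay;Trusted_Connection=yes;",
    "reporting": "DRIVER={ODBC Driver 17 for SQL Server};SERVER=db02;UID=rpt;PWD={a;b}",
    "legacy-hr": "DSN=HRProd;UID=hr",
    "intranet":  "driver=SQL Server; server=db03",
    "archive":   "Driver={SQL Server Native Client 11.0};Server=db04",
}

# key=value pairs; a value is either {braced} (may contain ';') or runs to ';'.
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)\s*(?:;|$)")

def parse_conn_string(conn):
    """Return a dict of lower-cased keywords to unbraced values, in order."""
    out = {}
    for key, val in _PAIR.findall(conn):
        val = val.strip()
        if val.startswith("{") and val.endswith("}"):
            val = val[1:-1].replace("}}", "}")
        out.setdefault(key.lower(), val)  # ODBC uses the first occurrence
    return out

def classify(conn):
    """'inbox' = uses sqlsrv32.dll, 'dsn' = DSN must be resolved, else 'other'."""
    # When both DSN and DRIVER are present, whichever appears first applies.
    for key, val in parse_conn_string(conn).items():
        if key == "driver":
            return "inbox" if val.lower() == INBOX_DRIVER else "other"
        if key == "dsn":
            return "dsn"
    return "other"

def shortlist(portfolio):
    """Group application names by classification, sorted for stable output."""
    groups = {"inbox": [], "dsn": [], "other": []}
    for app, conn in portfolio.items():
        groups[classify(conn)].append(app)
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for group, apps in shortlist(PORTFOLIO).items():
        print(f"{group:6} {', '.join(apps) or '-'}")
```

Applications in the `dsn` group need a second pass against the DSN definitions on the host, since the driver is named there rather than in the connection string.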
Windows Lifecycle Update
This section will contain essential maintenance-related changes (and most security updates) for Windows desktop and server platforms. With Windows 21 2H2023 now out of general support, the following Microsoft applications are coming to the end of general support in XNUMX:
- Microsoft Endpoint Configuration Manager, version XNUMX (we have Intune now, so that's ok).
- Windows 20 Enterprise and Education, version 2HXNUMX (we have five months to migrate, should be fine).
- Windows 21 Home and Pro, version 2HXNUMX (with an expiration date of June XNUMX).
- Extended Support for Exchange Server 2013 (April 11, 2023).
Each month, we break the release cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (desktop and server)
- Microsoft Office
- Microsoft Exchange Server
- Microsoft development platforms (NET Core, .NET Core, and Chakra Core)
- Adobe (retired? maybe next year)
Browsers
Microsoft released 5 updates to its Chromium browser this month, all of which addressed "use-after-free" memory-related vulnerabilities in the Chromium engine. You can find the Microsoft version of these release notes here and the Google Desktop channel release notes here. There were no other updates to Microsoft's browsers (or renderers) this month. Add these updates to your standard patch release schedule.
Windows
January brings ten critical updates as well as sixty-seven fixes deemed essential for the Windows platform. They cover the following key components:
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft WDAC OLE DB Provider (and ODBC Monitor) for SQL
- Windows Backup Engine
- Windows Cryptographic Services
- Windows Crash Reporting (WER)
- Windows LDAP - Lightweight Directory Access Protocol
Generally, this is a patch focused on updating the network and local authentication stack with certain fixes from last month's patch cycle. Sadly, a vulnerability (CVE-XNUMX-XNUMX) in Windows Advanced Local Procedure Call (ALPC) has been publicly reported. Microsoft describes this scenario as "an attacker who successfully exploited this vulnerability could gain SYSTEM privileges." Thank you, Stiv, for your hard work on a case like this.
Note: All US federal agencies have been instructed to patch this vulnerability by the end of January as part of CISA's "Binding Operational Directive" (BOD).
Add this update to your "Patch Now" release schedule.
Microsoft Office
Microsoft has addressed a single critical issue with SharePoint Server (CVE-8-XNUMX) and XNUMX other security vulnerabilities considered essential by Microsoft affecting Visio and Office applications XNUMX. Our tests did not find any significant issues related to the Patch Tuesday changes, as most of the changes were included in the Microsoft Click-to-Run collections, which have a significantly lower deployment and testing profile. Add these Microsoft Office updates to your standard deployment schedule.
Microsoft Exchange Server
For this version of the January patch for Microsoft Exchange Server, Microsoft delivered 5 updates, all of which were deemed essential for the 2019 and XNUMX releases:
None of these vulnerabilities has been made public, reported as exploited in the wild, or documented as leading to arbitrary code execution. With these few low-risk security issues, we advise you to take your time testing and updating each server. One thing to note is that Microsoft has introduced a new feature (PowerShell certificate signing) in this "fix" release, which may require additional testing. Add these Exchange Server updates to your standard server release schedule.
Microsoft development platforms
Microsoft has released two developer platform updates (CVE-XNUMX-XNUMX and CVE-XNUMX-XNUMX) that affect Visual and Microsoft .NET XNUMX. Both updates are considered essential by Microsoft and can be added to your standard release schedule.
Adobe Reader
Updates for Adobe Reader are back this month, although Microsoft hasn't released the latest patches. The latest set of updates (APSB twenty-three-one) resolved 8 critical memory issues and 7 essential updates, the worst of which could lead to arbitrary code execution on an unpatched system. With an above-average CVSS rating (8), we advise adding this update to your "Patch Now" release cycle.
Copyright © 2023 IDG Communications, Inc.