Microsoft's Patch Tuesday update addresses 3 vulnerabilities affecting Windows, Exchange, Office, and Microsoft developer tools, and XNUMX Windows vulnerabilities (CVE-XNUMX-XNUMX, CVE-XNUMX, CVE-XNUMX twenty-three-twenty thousand seven hundred and fifteen and CVE-2023-23376) have been reported as exploited in the wild and require immediate attention.
Although they get a lower rating from Microsoft, the Exchange issues also warrant a quick response. Meanwhile, Microsoft Office and developer platform updates can be added to your regular release schedule.
The Readiness team has provided this infographic outlining the risks associated with each of the updates in the current month's update.
Known issues
Microsoft includes a list of known operating system and platform issues in the latest updates:
- XPS documents that use structural or semantic elements, such as table structure, storyboards, or hyperlinks, may not display properly in WPF-based viewers. To work around this issue, Microsoft has provided a PowerShell script that you can run with the command: .\kb5022083-compat.ps1 -Install. This command adds the following registry key: "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64
- Copying large multi-gig files may take longer than expected to complete on Windows 22 version 2HXNUMX. You're most likely to encounter this issue when copying files from a network share via Server Message Block (SMB), but copying local files may suffer as well.
If you are still using Microsoft's Windows Server 0 for domain authentication, you may experience the following known issue: domain join operations may fail with the error "5020276xaac (XNUMX): NERR_AccountReuseBlockedByPolicy". In addition, text stating “An account with the exact same name exists in Active Directory. Account reuse has been blocked by security policy” may appear. Microsoft has provided support guidance (KBXNUMX) on handling this issue as part of the ESU program.
Important revisions
Microsoft released 3 essential hotfixes this month:
- CVE-21713-XNUMX and CVE-XNUMX-XNUMX: Microsoft SQL Server remote code execution vulnerability. These hotfixes extend support for legacy SQL (ESU) products. No further actions are required.
- CVE-21721-XNUMX: Microsoft OneNote elevation of privilege vulnerability. This is a minor informational change; no action is required.
Mitigation and Workarounds
Microsoft has released mitigations for the following vulnerabilities in this release:
- CVE-21804-XNUMX: Windows graphics component elevation of privilege vulnerability. Only Windows computers that have XPS Document Writer installed are vulnerable. On Windows XNUMX, XPS Document Writer is installed by default; on Windows 11 this is not the case.
- CVE-21803-XNUMX: Windows iSCSI Discovery Service remote code execution vulnerability. By default, the iSCSI initiator user application is disabled and cannot be used. For a system to be vulnerable, the iSCSI initiator user application must be enabled.
- CVE-2023-21705 CVEXNUMX-XNUMX: Microsoft SQL Server remote code execution vulnerability. This only works if this optional feature is enabled and is running on an SQL instance. (The feature is not free on Azure SQL instances.)
- CVE-21689-XNUMX, CVE-XNUMX-XNUMX CVE-XNUMX-XNUMX: Microsoft Protected Extensible Authentication Protocol (PEAP) remote code execution. PEAP is only negotiated with the user if NPS is running on Windows Server and has a network policy configured that allows PEAP. Get more information on how to configure Microsoft PEAP here.
Testing guide
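The conditions in the mitigation list above, together with the registry value from the Known issues workaround, can be checked per host before deciding patch priority. The following PowerShell is an added example, not Microsoft's or the Readiness team's code; the feature name `Printing-XPSServices-Features` and the service names `MSiSCSI` and `IAS` are assumptions, and service state is used only as a proxy for "enabled".

```powershell
# Added example: run from an elevated 64-bit PowerShell session.
# Feature and service names are assumptions, not taken from the article.
$report = [ordered]@{}

# XPS Document Writer: the graphics component issue only applies where it is installed.
try {
    $xps = Get-WindowsOptionalFeature -Online -FeatureName 'Printing-XPSServices-Features' -ErrorAction Stop
    $report['XpsDocumentWriterInstalled'] = if ($xps) { $xps.State -eq 'Enabled' } else { 'unknown' }
} catch {
    $report['XpsDocumentWriterInstalled'] = 'unknown (query failed)'
}

# iSCSI initiator: service state is a proxy for "initiator enabled".
$iscsi = Get-Service -Name 'MSiSCSI' -ErrorAction SilentlyContinue
$report['IscsiInitiatorRunning']   = [bool]($iscsi -and ($iscsi.Status -eq 'Running'))
$report['IscsiInitiatorStartType'] = if ($iscsi) { [string]$iscsi.StartType } else { 'not present' }

# NPS: PEAP is only negotiated when NPS runs with a policy that allows it.
# This only detects the service; the network policies still need manual review.
$nps = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
$report['NpsServiceRunning'] = [bool]($nps -and ($nps.Status -eq 'Running'))

# WPF/XPS compatibility workaround: value added by kb5022083-compat.ps1 -Install.
# A 64-bit session reads the same registry view that /reg:64 writes to.
$key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes'
$val = Get-ItemProperty -Path $key -Name 'DisableDec2022Patch' -ErrorAction SilentlyContinue
$report['WpfXpsWorkaroundSet'] = [bool]$val

[pscustomobject]$report | Format-List
```

Hosts that report the NPS service running still need their network policies reviewed for PEAP, and hosts with the workaround value set are worth tracking so it can be removed once no longer needed.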
Each month, the Readiness team reviews the latest Patch Tuesday updates and provides a detailed and actionable testing guide. This is based on the evaluation of an extensive portfolio of applications and a detailed analysis of Microsoft patches and their potential impact on Windows and application installations.
Given the sheer number of changes included this month, I've divided the test cases into high-risk and standard-risk suites:
High risk
All of the high-risk changes affect the Windows printing subsystem again this month, and we haven't seen any feature changes released. We strongly advise the following print-focused tests:
- Microsoft's "MS Publisher Image Composer" has been significantly updated. These are built-in drivers that are now over ten years old. There have been reports of poor print quality due to the use of these drivers, so an update was urgently needed.
- Test printing with the V3 color and black and white printer drivers. Check if content is missing.
- There was an update to how Windows handles URLs, especially when printing. Quickly opening pages that reference Microsoft Word, PowerPoint, and Excel, and then running a simple print job, should highlight any issues.
All of these scenarios will require significant application-level testing before a general release of the update. In addition, we suggest a general test of the following printing features:
- 32-bit applications that require printing to 64-bit devices should be tested. Please be careful when exiting the application as it may cause memory-related crashes.
- Test your backup systems and make sure your failure and associated system logs look correct.
- Test your VPN connections if you are using PEAP. This protocol changes frequently; we advise you to subscribe to the Microsoft RSS feed for future changes.
- Test your ODBC connections, database, and SQL commands.
Although you don't need to test large file transfers this month, we strongly advise you to test (very) long UNC paths from different machines. We focus on network paths that access multiple machines on different versions of Windows. Other than these scenarios, Microsoft has updated the system kernel and major graphical components (GDI). Smoke test your core or industry applications and be careful with graphics-intensive applications.
Given the rapid changes and updates common to applications (and their dependencies) in a modern application portfolio, ensure that your systems "cleanly" uninstall older versions of the application. Leaving legacy applications or surplus components could expose your system to patched vulnerabilities.
Windows Lifecycle Update
This section contains essential maintenance changes (and most security updates) for Windows desktop and server platforms. With Windows 21 2H2023 now out of general support, the following Microsoft applications will reach the end of general support or service in XNUMX:
- Visio Services on SharePoint (at Microsoft XNUMX): February XNUMX, XNUMX (Retired);
- Microsoft Endpoint Configuration Manager, version 2107: February XNUMX, XNUMX (end of service).
Each month, we break the release cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (retired???, maybe next year).
Browsers
Microsoft has released 3 updates for its (Chromium) Edge browser: CVE-XNUMX-XNUMX, CVE-XNUMX-XNUMX and CVE-XNUMX-XNUMX. You can find the Microsoft version of these release notes here and the Google Desktop channel release notes here. There were no other Microsoft browser (or rendering engine) updates this month. Add these updates to your standard patch release schedule.
Windows
Microsoft has released 4 critical updates and 32 "important" fixes for the Windows platform covering the following key components:
- Microsoft PostScript printer driver (with FAX and SCAN updates);
- ODBC, OLE, WDAC driver for Windows;
- Windows common registry file system driver;
- and Windows and Kerberos cryptographic services.
While the vulnerabilities in Microsoft's PEAP authentication code (CVE-2023-3 and CVEXNUMX-XNUMX) are the most alarming, the remaining updates that only affect Windows aren't nearly as dangerous as those we saw in the past. Unfortunately, it has been reported that XNUMX Windows vulnerabilities (CVE-XNUMX-XNUMX, CVE-XNUMX-XNUMX and CVE-XNUMX-XNUMX) have been exploited in the wild. So please add this update to your "Patch Now" release schedule.
Microsoft Office
Microsoft has released a patch that addresses a critical vulnerability (CVE-5-XNUMX) in Microsoft Word that could lead to remote code execution. There are XNUMX other updates to the Office platform (including SharePoint), all rated important. We have not received reports of exploitation in the wild for the critical issue in Word, so we advise that you add these Office updates to your standard release schedule.
Microsoft Exchange Server
We are going to have to break certain rules this month. Microsoft has released 4 hotfixes for Microsoft Exchange Server (CVE-XNUMX-XNUMX, CVE-XNUMX-XNUMX, CVE-XNUMX-XNUMX, CVE-XNUMX-XNUMX one thousand seven hundred and ten), all rated important. Unfortunately, CVE-XNUMX-XNUMX could lead to remote code execution and could indeed be classified as a critical vulnerability.
This vulnerability does not require user interaction, is reachable by remote systems, and does not require local privileges on the local system. All supported versions of Exchange are vulnerable. We already see reports of Exchange cryptomining attacks. We will add CVE-XNUMX-XNUMX to our "Patch Now" program.
Microsoft development platforms
Microsoft has released 3 critical updates affecting Visual Studio and .NET (CVE-5-XNUMX, CVE-XNUMX-XNUMX and CVE-XNUMX-XNUMX) which could lead to arbitrary code execution. On initial review, these appeared to be remotely accessible, which would significantly increase the risk, but all of these developer-related vulnerabilities require local access. Even counting the XNUMX other elevation of privilege vulnerabilities that also affect Microsoft Visual Studio (all rated important), we do not see any urgent patch requirements. Add these updates to your standard developer release schedule.
Adobe Reader (still free, but not this month)
There are no Adobe updates for Reader or Acrobat this month. That said, Adobe has released a number of security updates for its other products with APSB23-dos. I think we have enough Microsoft XPS and printing issues to test and incorporate to keep us busy.
Copyright © 2023 IDG Communications, Inc.