Patch Tuesday: Microsoft rolls out 90 updates for Windows, Office

With its August Patch Tuesday release, Microsoft pushed out 90 updates for the Windows and Office platforms. The latest fixes include another update for Microsoft Exchange (along with a warning about failed updates to Exchange Server 2016 and 2019) and a "Patch Now" recommendation from us for Office.

The team at Application Readiness has crafted this useful infographic outlining the risks associated with each of the updates for this month.

Known issues

Each month, Microsoft includes a list of known issues affecting the latest update cycle. For August, they include:

  • After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Microsoft and VMware are both investigating the issue.
  • Provisioning packages on Windows 11 version 22H2 (also called Windows 11 2022 Update) might not work as expected. Windows might only be partially configured, and the out-of-box experience might not finish or might restart unexpectedly. Provisioning the Windows device before upgrading to Windows 11 version 22H2 should prevent the issue.

Unfortunately for those still using Windows Server 2008 ESU, this month's update might fail completely with the message, "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer." Microsoft offers some advice on ESU updates, but you might find you have to wait a little while before you are able to successfully update legacy Exchange servers. Sorry about that.

Major revisions

Microsoft has published these major revisions covering:

  • ADV190023: Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing. This latest update adds the capability to enable CBT events 3074 & 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.
  • ADV230001: Guidance on Microsoft Signed Drivers Being Used Maliciously. Microsoft has announced that the Aug. 8 Windows Security updates (see Security Updates table) add additional untrusted drivers and driver signing certificates to the Windows Driver.STL revocation list.
  • CVE-2023-29360: Microsoft Streaming Service Elevation of Privilege Vulnerability. Microsoft has corrected CVE titles and updated a number of CVSS scores for the affected products.
  • CVE-2023-35389: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. In this latest update, Microsoft removed Microsoft Dynamics 365 (on-premises) version 9.1, as it is not affected by the vulnerability. This is an informational change only. No further action required.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this release cycle:

  • CVE-2023-35385: Microsoft Message Queuing Remote Code Execution Vulnerability. The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. Check to see whether there is a service running named Message Queuing and TCP port 1801 is listening on the machine.
  • CVE-2023-36882: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability. Microsoft offers the following mitigation advice for this serious vulnerability: "If your environment only connects to known, trusted servers and there is no ability to reconfigure existing connections to point to another location (for example you use TLS encryption with certificate validation), the vulnerability cannot be exploited."
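The CVE-2023-35385 check described above (a running Message Queuing service and a listener on TCP port 1801) can be scripted across a server list. This is an added PowerShell example, not code from the article or from Microsoft's advisory; the function name `Get-MsmqExposure` and its output fields are hypothetical, and remote hosts are assumed to have PowerShell remoting enabled.

```powershell
# Added example: report which hosts meet both conditions in the mitigation text.
# Assumption: the service is queried by its service name "MSMQ"
# (display name "Message Queuing").
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # Hosts to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $probe = {
        $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
        $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
        # Resolve the process that owns each listener, to confirm what is bound to the port.
        $owners = foreach ($l in $listeners) {
            (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        [pscustomobject]@{
            Host              = $env:COMPUTERNAME
            ServiceStatus     = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            StartType         = if ($svc) { [string]$svc.StartType } else { '' }
            Port1801Listening = $listeners.Count -gt 0
            ListenAddresses   = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
            OwningProcess     = ($owners | Sort-Object -Unique) -join ','
        }
    }

    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME) { $r = & $probe }
            else { $r = Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop }
            # In scope only when the service is running AND the port is listening.
            $inScope = ($r.ServiceStatus -eq 'Running') -and $r.Port1801Listening
            $r | Add-Member -NotePropertyName InScope -NotePropertyValue $inScope -PassThru
        } catch {
            # Unreachable hosts are reported, not silently dropped.
            [pscustomobject]@{ Host = $c; ServiceStatus = 'Unknown'; Error = $_.Exception.Message }
        }
    }
}

Get-MsmqExposure | Format-List
```

Hosts reported with `InScope` set to `True` are the ones to prioritize for the MSMQ patches; a listener on 1801 with the service stopped or absent is worth a second look at the owning process.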

Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and app installations.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups:

High risk

As all the high-risk changes affect the Microsoft Windows core kernel and internal messaging subsystem (though we have not seen any published functionality changes), we strongly recommend the following focused testing:

  • There have been a number of significant updates to the Microsoft Message Queue (MSMQ). This may affect servers that rely on triggers, routing services, and multicasting support. Our expectation is that internally developed line-of-business client/server applications are most likely to be affected and therefore need increased attention and testing this month.

Standard risk

  • Windows error reporting has been updated, so you will need to do a "CRUD" test on your Windows Common Log File System (CLFS) logs.
  • A group policy refresh should be included in this testing cycle due to changes in the NT user policy (both user and machine) files. Due to API changes in this feature, you may also want to check file paths for your resultant log files.
  • Microsoft's Crypto (CNG) APIs have been updated, so smart card installations will require testing.
  • ODBC applications will require testing again this month due to an update to the SQLOLEDB libraries.

And here's one for Windows-focused IT administrators: Microsoft has updated the WinSAT API. This tool is described by Microsoft:

"The Windows System Assessment Tool (WinSAT) exposes a number of classes that assess the performance characteristics and capabilities of a computer. Developers can use this API to develop software that can access the performance and capability information of a computer to determine the optimal application settings based on that computer's performance capabilities."

All these scenarios will require significant application-level testing before general deployment. In addition to these specific testing requirements, we suggest a general test of the following printing features:

  • Update all your print servers and validate that the printer management software behaves as expected while running print jobs.
  • Uninstall any print management software after an update to ensure that your server is still running as expected.
  • Test all printer manufacturer types, using both local and remote printer tests.

Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line-of-business applications, getting the app owner (doing UAT) to test and approve the results is absolutely essential.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange Server;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (still here, but with another A).

Browsers

Continuing a welcome trend, Microsoft released 11 updates to its Chromium browser projects (Edge) and no patches to its legacy browsers. You can read more about Microsoft Edge release notes here, noting that Chrome/Edge updates were released on Monday (Aug. 7), not the usual "Patch Tuesday."

Add these browser updates to your standard patch release schedule.

Windows

Microsoft released three critical updates, 32 rated as important and one rated as moderate. All (three) of the critical updates to the Windows platform relate to Windows Message Queuing (MSMQ). Though these critical updates have a rating of 9.8 (that's pretty high), they have not been publicly disclosed or reported as exploited. Not every organization will make use of the MSMQ feature, so for most teams, the testing profile should be pretty light. Add these Windows updates to your standard release schedule.

Microsoft Office

Microsoft has released three critical updates to Microsoft Outlook (CVE-2023-36895, CVE-2023-29330 and CVE-2023-29328) that require immediate attention. In addition to these patches, Microsoft has released 11 updates rated as important and one rated as moderate. These 12 updates affect Microsoft Office in general and Visio. Add these Office updates to your "Patch Now" release schedule.

Microsoft Exchange Server

Before you do anything, do not update your non-English Microsoft Exchange Servers (2019 and 2016). This month's update will fail midway through and leave your server in an "undetermined state." Now that this has (not) been done, you can attend to the six Exchange updates (all rated as important) for this month. No critical updates showed up, so take your time. Note: all these August patches will require a server reboot. Add these updates to your standard release schedule.

Microsoft improvement platforms

Microsoft has released eight updates to the Microsoft .NET and ASP.NET platforms this month. These patches have been rated as important and should be included in your standard developer release schedule.

Adobe Reader (still here, but with another A)

Adobe is back. And we have another "A" to worry about (kinda weird, huh?). APSB23-30 from Adobe patches a critical vulnerability in Adobe Reader — add it to your "Patch Now" schedule. And the other "A"? Following the recent trend of supporting third-party patches in the Microsoft update release cycle (remember the Autodesk update in June?), Microsoft has released CVE-2023-20569; it relates to an AMD memory-related vulnerability. You can read more about this on the AMD website here.

Patching? Sure.

Testing? Not sure.

Copyright © 2023 IDG Communications, Inc.
