Four zero-days make July ‘s Patch Tuesday a ‘patch now’ update

With this month’s Patch Tuesday replace, Microsoft addressed 130 safety vulnerabilities, revealed two advisories, and included 4 main CVE revisions. We even have 4 zero-days to handle for Home windows (CVE-2023-32046, CVE-2023-32049, CVE-2023-36874 and CVE-2023-36884), bringing the Home windows platform right into a “patch now” schedule.

It must be simpler to concentrate on Microsoft Workplace and Home windows testing this month, as we don’t have any Adobe, Alternate, or browser updates. You should definitely fastidiously overview Microsoft’s Storm 0978 because it gives particular, actionable steerage on managing the intense HTML vulnerability in Microsoft Workplace (CVE-2022-38023).

The Readiness crew has crafted this useful infographic to stipulate the dangers related to every of the updates.

Recognized points

Microsoft every month lists recognized points that relate to the working system and platforms included within the newest replace cycle.

• After putting in this replace on visitor digital machines (VMs) operating Home windows Server 2022 on some variations of VMware ESXi, Home windows Server 2022 won’t begin up. Solely Home windows Server 2022 VMs with Safe Boot enabled are affected. Microsoft and VMware are investigating the issue and can supply extra data when it is accessible.

• Utilizing provisioning packages on Home windows 11, model 22H2 won’t work as anticipated. Home windows may solely be partially configured, and the out-of-box expertise won’t end or may restart unexpectedly.

Main revisions

Microsoft has revealed two main revisions:

•  CVE-2022-37967: Home windows Kerberos Elevation of Privilege Vulnerability (4th replace). This updates removes the power to set worth 1 for the KrbtgtFullPacSignature subkey, and allow the Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which might be overridden by an Administrator with an specific Audit setting. No additional motion is required when you apply this month’s replace.
• CVE-2022-38023: Netlogon RPC Elevation of Privilege Vulnerability. The (earlier) April 2023 updates take away the power to disable RPC sealing by setting worth 0 to the RequireSeal registry subkey.

Mitigations and workarounds

Microsoft revealed the next vulnerability-related mitigations for this launch:

• CVE-2023-32038: Microsoft ODBC Driver Distant Code Execution Vulnerability. Microsoft recommends that when you solely hook up with recognized, trusted servers — and if there isn’t any capacity to reconfigure current connections to level to a different location — this vulnerability can’t be exploited.
• CVE-2023-36884: Workplace and Home windows HTML Distant Code Execution Vulnerability (one of many zero-day exploits this cycle). Microsoft notes that if you’re utilizing Microsoft Defender you are protected. For extra cynical/jaded/skilled professionals, we suggest that you just (fastidiously) learn the Risk Intelligence put up (Storm-0978).
• CVE-2023-35367, CVE-2023-35366 and CVE-2023-35365: Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability. If you’re not utilizing (and haven’t put in) Microsoft’s Routing and Distant Entry Companies (RRAS), you aren’t susceptible to this exploit.

Testing steerage 

Every month, the Readiness crew gives detailed, actionable testing steerage for the newest updates. This steerage is predicated on assessing a big software portfolio and an in depth evaluation of the Microsoft patches and their potential impression on the Home windows platforms and software installations.

When you’ve got employed inside net or software servers, will probably be price testing the HTTP3 protocol — particularly utilizing Microsoft Edge. Along with this protocol dealing with replace, Microsoft made a big variety of adjustments and updates to the networking stack requiring the next testing:

• Take a look at your RRAS router with UDP, pingback and traceroute instructions whereas including and deleting routing desk entries.
• Be certain that your area servers behave as anticipated with full enforcement mode enabled.

Given the massive variety of system-level adjustments this month, I’ve divided the testing situations into customary and high-risk profiles.

Excessive danger

Provided that this replace contains fixes for 4 (some say 5) zero-day flaws, we’ve got two fundamental drivers of change this month: key performance adjustments in core techniques and an pressing have to ship updates. Microsoft has documented that two core areas have been up to date with vital performance adjustments, together with printing and the native community stack (with a concentrate on routing). In consequence, the next testing must be included earlier than basic deployment:

• Printing: verify your native printers, as key driver dealing with has been up to date.
• Be certain that your DNS server zones are nonetheless functioning as anticipated after this replace

Commonplace danger

The next adjustments have been included this month and haven’t been raised as both excessive danger (with surprising outcomes) and don’t embody useful adjustments. 

• Home windows Hi there will want testing to incorporate Lively Listing (in addition to Azure AD) Single-Signal-on (SSO).
• Take a look at your distant desktop (RDP) connections with and with out Microsoft’s RD Gateway and make sure you see the proper degree of certificates warnings (or not, if already ignored).
• (For IT admins) Take a look at your Home windows Error logs (concentrate on service hangs) with a Create/Learn/Replace/Delete/Prolong (CRUDE) check.
• Take a look at your encryption and crypto configuration situations. Particularly Kerberos in your area controllers and key isolation.
• Take a look at your backups. You do not have to fret about your restoration media this time.

All these testing situations would require vital application-level testing earlier than a basic deployment. Given the adjustments included on this month’s patches, the Readiness crew recommends that the followings checks be carried out earlier than basic deployment:

• Set up, replace, and uninstall your core line of enterprise purposes.
• Examine your (native) printer drivers.
• Validate your VBScripts and UI automation instruments (as OLE was up to date this month, see CComClassFactorySingleton).
• Take a look at audio/video streaming after which Microsoft Groups (on account of its uploads/downloads and message queuing necessities).

This month could also be somewhat powerful to check your Microsoft Workplace automation/scripts and integration with third-party purposes as a result of change in OLE and the way Microsoft has addressed CVE-2023-36884. We suggest a full check of Excel macros (in the event that they use OLE/COM/DCOM) and any VBS scripts that embody Phrase.

Home windows lifecycle replace

Listed below are the essential adjustments to servicing (and most safety updates) to Home windows desktop and server platforms.

• Home windows 11, model 21H2, will attain finish of servicing on Oct. 10, 2023. This is applicable to the next editions launched in October 2021: Home windows 11 Dwelling, Professional, Schooling, Professional for Workstations.

Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Home windows (each desktop and server);
• Microsoft Workplace;
• Microsoft Alternate Server;
• Microsoft Improvement platforms (ASP.NET Core, .NET Core and Chakra Core);
• And Adobe (retired???, perhaps subsequent yr).

Browsers

Laborious to imagine, however there are not any browser updates on this replace cycle. And we do not see something coming down the pipeline for a mid-cycle launch both. It is a large change and an enormous enchancment from the times of huge, advanced, and pressing browser updates. Go Microsoft!

Home windows

Microsoft launched eight essential updates and 95 patches rated as essential to the Home windows platform, overlaying these key elements:

As talked about within the Microsoft Workplace part above, we really feel the main focus this month must be on the instant decision of CVE-2023-36884. Although rated as essential by Microsoft (sorry to be contrarian), we really feel that because it has been each publicly disclosed and exploited it must be handled as pressing. Coupled with the opposite Home windows zero-day (CVE-2023-32046) this brings all the Home windows replace group into the “Patch Now” schedule for our purchasers. As soon as the screaming stops, you possibly can take a while to take a look at the Home windows 11 launch video; we discover it calming.

Microsoft Workplace

We have to speak about Microsoft Workplace. Although there are two essential rated updates for SharePoint (CVE-2023-33157 and CVE-2023-33160) and 14 updates rated essential by Microsoft, the elephant within the room is CVE-2023-36884 (Workplace and HTML RCE Vulnerability). This vulnerability has been each publicly disclosed and documented as exploited. Formally, this replace belongs within the Home windows group, however we imagine that the true impression lies in how Microsoft Workplace offers with HTML knowledge (transmit/retailer/compute). CVE-2023-36884 instantly impacts Workplace and your testing regime ought to replicate this.

Add these Workplace updates to your customary launch schedule, noting that your Workplace patch testing regime will have to be paired together with your Home windows replace launch schedule.

Microsoft Alternate Server

A lot to all our success, there are not any updates for Microsoft Alternate Server this month.

Microsoft improvement platforms

In comparison with the very critical (and quite a few) exploits in Workplace and Home windows this month, there are solely 5 updates affecting Visible Studio, ASP.NET and a minor element of Mono (the cross platform C# implementation). All these patches are rated essential by Microsoft and must be added to your customary developer launch schedule.

Adobe Reader (nonetheless right here, simply not this month)

Extra excellent news: there are not any updates from Adobe or different third-party distributors on this replace.