Microsoft released 59 updates in its September Patch Tuesday release, with critical patches for Microsoft Office and Visual Studio, and continued the trend of including non-Microsoft applications in its update cycle. (Notepad++ is a notable addition, with Autodesk returning with a revised bulletin.) We have made “Patch Now” recommendations for Microsoft development platforms (Visual Studio) and Microsoft Word.
Unfortunately, updates for Microsoft Exchange Server have also returned, requiring server reboots this time, too.
The team at Readiness has created this infographic outlining the risks associated with each of the September updates.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle:
- After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 won’t start up. VMware has published an article (KB90947) on how to resolve the issue.
- New security enhancements in SharePoint Server (2019) might prevent custom .aspx files from being displayed under certain circumstances. Browsing to such a page generates a “92liq” event tag in SharePoint Unified Logging System (ULS) logs.
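An added example (not part of the original article and not Microsoft tooling): a Python script that scans ULS trace-log text for the “92liq” tag from the SharePoint known issue above and counts hits per .aspx path, so the affected custom pages can be listed for retesting. The tab-separated column layout is the standard ULS one; the sample rows, their message wording, the `zz000` tag, the correlation IDs and the function names are constructed for illustration, and the script assumes the page path appears in the message text.

```python
import re
from collections import Counter

# Standard ULS trace-log columns (tab-separated, values space-padded).
ULS_COLUMNS = ["Timestamp", "Process", "TID", "Area", "Category",
               "EventID", "Level", "Message", "Correlation"]
BLOCKED_PAGE_TAG = "92liq"  # event tag named in the known issue
# Assumption: the message text contains the requested page path.
ASPX_PATH = re.compile(r"(/[^\s'\"]+\.aspx)", re.IGNORECASE)

# Constructed sample: message wording, paths, IDs and the zz000 tag are invented.
_ROWS = [
    tuple(ULS_COLUMNS),
    ("09/13/2023 10:15:32.45", "w3wp.exe (0x1A2C)", "0x0F34", "SharePoint Foundation",
     "General", "92liq", "High", "Blocked /sites/hr/Pages/Leave.aspx", "corr-0001"),
    ("09/13/2023 10:15:40.10", "w3wp.exe (0x1A2C)", "0x0F34", "SharePoint Foundation",
     "General", "zz000", "Medium", "Served /sites/hr/Pages/Home.aspx", "corr-0002"),
    ("09/13/2023 10:16:02.77", "w3wp.exe (0x1A2C)", "0x1B08", "SharePoint Foundation",
     "General", "92liq   ", "High", "Blocked /sites/hr/pages/leave.aspx", "corr-0003"),
    ("09/13/2023 10:17:19.03", "w3wp.exe (0x1A2C)", "0x1B08", "SharePoint Foundation",
     "General", "92liq", "High", "Blocked /sites/fin/Forms/Claim.aspx", "corr-0004"),
]
SAMPLE_ULS = "\n".join("\t".join(r) for r in _ROWS) + "\nnot a ULS row (no tabs)"

def parse_uls(text):
    """Yield one dict per well-formed ULS row; skip the header and malformed rows."""
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("\t")]
        if len(fields) != len(ULS_COLUMNS) or fields[0] == "Timestamp":
            continue
        yield dict(zip(ULS_COLUMNS, fields))

def blocked_pages(text, tag=BLOCKED_PAGE_TAG):
    """Return (hits per page, correlation IDs per page) for rows with the tag."""
    hits, correlations = Counter(), {}
    for row in parse_uls(text):
        if row["EventID"].lower() != tag:
            continue
        match = ASPX_PATH.search(row["Message"])
        page = match.group(1).lower() if match else "(no .aspx path in message)"
        hits[page] += 1
        correlations.setdefault(page, set()).add(row["Correlation"])
    return hits, correlations

if __name__ == "__main__":
    hits, correlations = blocked_pages(SAMPLE_ULS)
    for page, count in hits.most_common():
        print(f"{count:3d}  {page}  correlations={sorted(correlations[page])}")
```

Comparing the output before and after the update is deployed gives the list of custom pages to hand to application owners for retesting.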
Major revisions
Microsoft published the following major revisions this month:
- CVE-2023-41303: Use-after-free vulnerability in Autodesk® FBX® SDK 2020. This is an information update (note that this third-party application update does not have an updated release log; naughty Microsoft). No further action required.
- CVE-2023-20569: Return Address Predictor. The affected products table has been updated to include Azure Virtual Machines, as customers who use custom maintenance controls are affected by CVE-2023-20569 and are required to take action to protect their resources.
- CVE-2023-21709, CVE-2023-35368, CVE-2023-35388, CVE-2023-38185, CVE-2023-38181 and CVE-2023-38182: Microsoft Exchange Server Elevation of Privilege Vulnerability. The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.
And it looks as if Microsoft “missed” a CVE last month: CVE-2023-36769 for OneNote, which has now been updated and included in this month’s updates.
Mitigations and workarounds
Microsoft published the following vulnerability-related mitigations for this release cycle:
- CVE-2023-38162, CVE-2023-38152, CVE-2023-36081: DHCP Server Service Information Disclosure Vulnerability. Microsoft helpfully notes that if you have not enabled DHCP on your servers, you are not exposed to this vulnerability.
- CVE-2023-38148: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. Similarly, if you have not enabled this feature, you are not exposed.
Testing guidance
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and on application installations.
Given the large number of system-level changes in this patch cycle, I’ve broken down the testing scenarios into standard and high-risk profiles.
High risk
Microsoft made a major announcement this month about a significant change to how third-party printer drivers are handled:
“With the release of Windows 10 21H2, Windows offers inbox support for Mopria compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver. This removes the need for print device manufacturers to provide their own installers, drivers, utilities.”
With this announcement, Microsoft also published an end to servicing legacy (V3 and V4) Windows printer drivers and offers the following support timeline.
- September 2023: Announce legacy third-party printer driver for Windows end of servicing plan.
- September 2025: No new printer drivers will be published to Windows Update.
- 2026: Printer driver ranking order modified to always prefer Windows IPP inbox class driver.
- 2027: Except for security-related fixes, third-party printer driver updates will not be allowed.
The assumption here is that all Windows printing vendors will subscribe to the Mopria standard (Mopria is an association of printer and scanner manufacturers that produces universal standards and solutions for scan and print). This makes sense and will hopefully reduce the attack surface of printer drivers that have caused so much trouble over the years.
Due to this change in printer handling, the following tests are suggested:
- Test all your printers with your full production testing regime (sorry about this).
- Enable different advanced printer features (e.g., watermarking) and run printing tests.
- Test your printing over RDP and VPN connections.
- Install/update/uninstall key printing software.
Standard risk
The following changes have not been raised as high risk (of unexpected outcomes) and do not include functional changes.
- Test your security restrictions/sandbox when using Microsoft Intune and Windows Defender Application Control (WDAC). Applications should install and uninstall as expected.
- Ensure successful “CRUD” tests complete on your Windows error logs. This should include Create, Read, Update and Delete. Actually, this should read CRUDE, as we need to add “Extend” to this month’s log testing regime. (Find the laughs where you can.)
- Test wireless displays on laptops; this is required by an update to the core graphics handling in Windows (GDI.DLL).
There was a major update to the Windows networking stack, too. This includes changes to how DHCP handles failover relationships. Testing should include the following:
- Conduct ping request/reply tests (for both inside and outside your network).
- Ping major search engines (try Bing?) using both IPv4 and IPv.
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line of business applications, getting the application owner (doing UAT) to test and approve the results is still absolutely essential.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe Reader and Others (the new home for third-party applications).
Browsers
Microsoft did not release any updates for its browsers this month. As a sign of the times, Google Chrome has now “sunsetted” (deprecated in Microsoft terms) support for Windows 7/8/8.1 and Windows Server 2012. For Google Chrome Enterprise users, there is now a handy release summary. My feeling is that we’ll be adding Google Chrome to the third-party update section found at the bottom of this report in the future.
Windows
Microsoft released a single critical update for the Windows platforms in this patch cycle (CVE-2023-38148). In addition, 20 patches rated important by Microsoft were released, covering the following Windows functional areas:
- Windows DHCP Server and the TCP/IP networking stack;
- Windows GDI and Kernel;
- Microsoft Windows Codecs Library and Windows Themes;
- Windows Common Log File System Driver.
Though it’s a relatively lightweight set of patches for Windows, we highly recommend a network stack test before general deployment. Add these Windows updates to your standard release schedule.
Microsoft Office
For September, Microsoft did not release any critical updates to the Office platform. Instead, we see seven updates rated important and an additional single update rated moderate (CVE-2023-41764). Unfortunately, this month’s zero-day vulnerability includes Microsoft Word (CVE-2023-36761), which has been publicly disclosed and reported as exploited in the wild. Add these Office updates (really just Word) to your “Patch Now” schedule.
Microsoft Exchange Server
Microsoft released five updates for Microsoft Exchange Server, all rated important by Microsoft. Combining both network and adjacent attack vectors, these vulnerabilities could lead to ID spoofing and remote code execution. There have not been any reports of exploits in the wild, nor public disclosures, so please add these to your standard release schedule. Note: this month’s patch cycle will require a reboot of your Exchange Server.
Microsoft development platforms
It’s a big month for updating the developer platforms. Microsoft released three critical-rated patches (CVE-2023-36796, CVE-2023-36793 and CVE-2023-36792) that could lead to serious remote code execution scenarios with the simple click of a single malicious file. Once these critical issues are added to the 12 additional patches to Visual Studio and .NET, we must make an unusual “Patch Now” recommendation for these.
Adobe Reader and Others (the new home for third-party applications)
Following the growing trend of managing third-party application updates, I’ll now include key applications that require updating each month. This used to focus on Adobe Reader, but for September now includes:
We expect more third-party applications to be included in the monthly update process in the future. Monthly patches, monthly application packaging and patching will become the new normal. Having a robust repackaging, testing and deployment process for your entire application portfolio will fast become a top priority.
Copyright © 2023 IDG Communications, Inc.