Microsoft addresses three zero-days for October’s Patch Tuesday
This month, Microsoft has released 103 updates to Windows, Edge, Microsoft Office, and Exchange Server. This update also includes minor updates to Visual Studio. Three zero-days (CVE-2023-44487, CVE-2023-36563 and CVE-2023-41763) require “Patch Now” updates for both Windows and the Edge browser for this October update cycle.
Microsoft has also updated its patch release and notification system with support for RSS feeds and has published its latest Digital Defense Report for this year. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this October update cycle.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.
Microsoft has published one major revision this month:
Microsoft has published the following vulnerability related mitigations for this month’s Patch Tuesday release cycle:
Some may question the efficacy of these proffered mitigations.
Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
One of the hardest areas on the Windows platform (both desktop and server) to update is the Windows Kernel subsystem. This core subsystem manages security, access to low-level services, drivers, and the Hardware Abstraction Layer (HAL). Given its importance, the Kernel layer is key to delivering most services and applications on Windows. Changing this core system generally translates to a high-risk of a component, service, or application not behaving as expected. Thus, testing is key and also very difficult to do right.
This month Microsoft has updated both the Kernel and GDI subsystems at a core level. At Readiness, we have looked at these (GDI and Kernel level) changes, and they are both minor and far-reaching. (This is not a tautology.) Rather than a specific test guidance plan, we recommend a “smoke test” for your commonly used applications and a business logic focused test effort for your critical or line-of-business applications. (Perhaps your top 20 apps?)
All these scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to these listed specific testing requirements, we suggest a general test of the following Windows features:
Stressing about the latest WordPad security vulnerability? Unfortunately, we still have to test our rich-text-formatted (RTF) files this month as well. This follows on from last month’s Notepad++ vulnerabilities, which included CVE-2023-40031, CVE-2023-40036, CVE-2023-40164 and CVE-2023-40166. At this rate, Microsoft may just decide to remove all (free) text editors from Windows. Office, anyone?
Over the past few months, we have used this section to detail the forthcoming changes to the Windows ecosystem, such as end of platform support or changes to security updates. This month, we have two major Windows deprecations that have been announced by Microsoft:
And speaking of life cycles, Happy Birthday to Patch Tuesday — it’s been 20 years since the first properly scheduled update to the Windows ecosystem. Things were pretty chaotic back then, with unscheduled updates distributed through the month. I doubt anyone would have considered just how important security patches/updates would become to the IT community. More than a tradition, Patch Tuesday is now an essential part of IT best practices.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has adapted to the Chromium release schedule and no longer specifically publishes updates on the second Tuesday of every month. That said, Microsoft has used the release of the patch of CVE-2023-5346 and CVE-2023-5217 this week as a sort of “stub” or proxy for Patch Tuesday Chromium (Edge) updates.
For more information on Microsoft Edge security updates, please refer to the weekly updated Microsoft support page. Both of these vulnerabilities are extremely serious (we consider them zero-days) and should be added to your “Patch Now” browser update schedule, Patch Tuesday or not.
This October, Microsoft released 13 critical updates and 68 patches rated as important to the Windows platform that cover the following key components:
The key challenges relate to the critical updates to the Message Queuing feature in Windows. Adding the kernel, core GDI updates, and networking issues means that this month we need to add this Windows update to your “Patch Now” release schedule.
We can breathe a little easier this month as Microsoft has released only seven updates (all rated as important) for the Office platform. Ignoring Skype for Business (which everyone else does), this month Microsoft delivers patches to complex, difficult-to-exploit security vulnerabilities that have not been publicly disclosed. Add these low-profile Office updates to your standard release schedule.
Microsoft has released a single update for Microsoft Exchange this month. This vulnerability affects all supported versions of Exchange Server and has been rated as important by Microsoft. Microsoft Exchange server updates this month will require a server reboot — for all versions. Add this update to your standard update release schedule for this October Patch Tuesday.
Excluding the Mitre Rapid Reset (CVE-2023-44487) issue covered below, Microsoft has released three relatively straightforward updates to the Visual Studio development platform. Add these updates to your standard developer release schedule.
No updates from Adobe for Reader or Acrobat this month.
Finally, let’s discuss the HTTP/2 Rapid Reset (CVE-2023-44487) vulnerability. This distributed denial-of-service (DDOS) attack has been reported as exploited in the wild since this past August. As it affects more than just Microsoft Windows, I have included some helpful links (provided by CISA) on this serious vulnerability.
Microsoft has posted a detailed detailed blog entry entry on the Rapid Reset issue that includes advice on patching web applications, enabling Azure Web Application firewall and configuring Azure Front Door.