For December, an exceptionally light Patch Tuesday

Over the past year, we’ve seen Microsoft make radical improvements in its browser stability and significant positive changes to its Windows update communication and telemetry strategies. And this month’s Patch Tuesday release brings with it an incredibly light set of updates — maybe the fewest number of updates I have ever seen.

There are no zero-days, which is a great finish to 2023, though Windows gets three critical updates and Visual Studio will require immediate attention due to several re-releases of past critical application patches.

The team at Readiness has created a helpful infographic to outline the risks associated with each update in this last release of 2023. One note of caution: we have seen several potential updates to older patches (October/November) coming down the release pipeline from Microsoft. It might be worth checking in during the upcoming holiday break to see whether there are any out-of-band patches for the Windows ecosystem.

Each month, Microsoft details the known issues related to the operating system and platforms included in its update cycle.

Though we are not experiencing printer problems with Patch Tuesday as we have in the past, HP Printers are now being displayed on Windows computers, even when HP printers are neither connected nor installed. Symptoms of this can include:

Microsoft has confirmed that this is not the result of an HP Printer update and is working on a resolution.

Major revisions

This is an unusual month for Microsoft, as there are normally several “information only” revisions to previous updates. This month, Microsoft has re-published updates for both Microsoft Edge and Microsoft Visual Studio that will require (in the case of Visual Studio, urgent) attention. I have updated these Browser and Development sections accordingly.

Following the pattern set this month, Microsoft broke with tradition and has not released any documentation on current vulnerability mitigations or workarounds.

Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

For this end-of-year update, we have not seen any high-risk or significant functionality changes for Windows. However, there have been several changes to core functionality that will require some attention, including:

You might not remember Faxing (showing my age here) but Microsoft has made a minor update to a single discrete function call in the MakeCall API function. If you are using automated faxes in your workflows or rely on a FAX server such as FAXPress, then you will need to perform a complete test that includes sending, receiving, and the administration of existing faxes.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for line of business applications, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.

This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms. There are no major changes or end of support notices for the Windows or Office platforms this month. However, Microsoft has published the end of community support for PHP 8.0. For those affected, Microsoft offers a few steps to assist with updating applications.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

The major changes included with this December browser update lie within the Chrome browser components including:

These revisions are relatively minor and should not pose a compatibility problem; add these updates to your standard browser patch release schedule.

This month, Microsoft released three critical updates and 22 patches rated important to the Windows platform that cover the following key components:

Your testing and deployment focus should be on ensuring that target systems are working as expected with this month’s networking updates. Whenever Microsoft updates the Kernel (far too often), care must be taken with external devices that rely on system level drivers. A good couple of reboots this month should do the trick.

Add this Windows update to your standard release schedule.

Microsoft released three relatively minor updates to Microsoft Word. These patches address lower-risk vulnerabilities, have a low testing profile, and are rated as important. Add these Office updates to your standard release schedule.

Lucky for us — and for those working over the Christmas break — there are no Microsoft Exchange Server updates.

There were no new development platform (.NET or Microsoft Visual Studio) updates from Microsoft this month. But there are several critical updates that have been revised outside of the Patch Tuesday calendar, including: CVE-2023-36792, CVE-2023-36793, CVE-2023-36794 and CVE-2023-36796.

All of these reported CVE entries relate to a cluster of Visual Studio remote code execution vulnerabilities. Microsoft is rereleasing KB5029365 to address the following known issue: Customers who are using Microsoft Visual Studio 2013 Update 5 might receive a “C2471” error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches.

The re-releases of these four Visual Studio updates (from September) are rated critical by Microsoft and will need to be added to your “Patch Now” release schedule.
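To judge how much of a build estate the C2471 known issue could touch before rolling out the re-released update, the following added example (not from Microsoft or Readiness) scans `.vcxproj` files for configurations that combine precompiled headers with /Gm and /ZI. It assumes those switches are set through the standard `PrecompiledHeader`, `MinimalRebuild` and `DebugInformationFormat` project properties; property sheets, per-file overrides and raw `AdditionalOptions` are not inspected, and the sample project and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}

# Constructed sample project (not from the article): Debug matches, Release does not.
SAMPLE_VCXPROJ = """<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <PrecompiledHeader>Use</PrecompiledHeader>
      <MinimalRebuild>true</MinimalRebuild>
      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
    </ClCompile>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
      <PrecompiledHeader>Use</PrecompiledHeader>
      <MinimalRebuild>false</MinimalRebuild>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
    </ClCompile>
  </ItemDefinitionGroup>
</Project>"""


def affected_configurations(vcxproj_xml):
    """Return the Condition of each configuration that combines PCH, /Gm and /ZI."""
    hits = []
    for group in ET.fromstring(vcxproj_xml).findall("m:ItemDefinitionGroup", NS):
        cl = group.find("m:ClCompile", NS)
        if cl is None:
            continue

        def setting(name):
            return cl.findtext("m:" + name, default="", namespaces=NS).strip().lower()

        if (setting("PrecompiledHeader") in ("use", "create")   # /Yu or /Yc
                and setting("MinimalRebuild") == "true"          # /Gm
                and setting("DebugInformationFormat") == "editandcontinue"):  # /ZI
            hits.append(group.get("Condition", "(all configurations)"))
    return hits


def scan_tree(root_dir):
    """Map each .vcxproj under root_dir to its affected configurations, if any."""
    report = {}
    for path in Path(root_dir).rglob("*.vcxproj"):
        hits = affected_configurations(path.read_bytes())  # bytes: parser handles BOM
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    print(affected_configurations(SAMPLE_VCXPROJ))
```

Projects it reports are the ones to include in a compile test on Visual Studio 2013 Update 5 build machines.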

There were no updates from Adobe for Reader or Acrobat this month. There were also no updates to third-party applications such as WinRAR, nor any deprecations of major system components. Now that we have a bit of time left in the year, we can start talking about the potential compatibility issues in Windows 23H2.

For Patch Tuesday Debugged, that’s a wrap for 2023. It’s been a pleasure and a privilege to help with Patch Tuesday testing and deployment challenges over the past year. I can’t wait to see what 2024 will bring us.
