For Patch Tuesday, 48 updates, no zero-day flaws

Microsoft has eased us into the new year with just 48 updates for the Windows, Office and .NET platforms. There were no zero-days for January, and no reports of publicly disclosed vulnerabilities or exploited security issues.

Developers of complex, line-of-business applications might need to pay particular attention to how Microsoft has updated the Message Queuing system. Printing has been patched, and minor updates to the Bluetooth and Windows shell sub-systems (shortcuts and wallpaper) require some testing before deployment.

The team at Readiness has crafted a useful infographic that outlines the risks associated with each of the updates for this January release.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle.

Given the importance of emojis in today’s computing environment, Microsoft also has an issue with the color scale of certain 3D-like emoticons on all Windows builds. (As I am “color dumb,” not sure if I should be 🙂 or 😞.)

Major revisions

So were there major revisions among the January updates? There are two answers. The short answer is there do not appear to be any patches with significant revisions that require administrator attention this month.

The long answer: there may be an issue with the Microsoft update database and how its data is presented and deployed. With each update cycle, the Readiness team employs an automated system to parse and process Microsoft updates and their associated manifests and payloads. This month our system reported a large number of changes (several thousand), which after investigation proved to be false alarms. We double-checked: it is not us, it is the data. We'll see if the problem persists and update our systems and bulletins accordingly.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month's release:

Each month, the Readiness team analyzes the Patch Tuesday updates in detail and provides actionable testing guidance. This guidance is based on assessing a large application portfolio and the patches' potential impact on the Windows platforms and application installations.

The following changes are included in this month's update; they have not been flagged as carrying an elevated risk of unexpected outcomes and do not include functional changes:

For developers: Microsoft made a major update to how Message Queuing (MSMQ) works on Windows desktops this month. One sub-component of the MSMQ feature handles the Remote Procedure Calls (RPC) commonly used in distributed applications. To test your distributed, MSMQ- and RPC-driven corporate apps (you know who you are), please ensure that the following component areas are included in your project test and release schedule:

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business applications, getting the application owner (doing UAT) to test and approve the results is still essential.
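As an added example (not part of the article and not Microsoft's own test guidance), the following Windows PowerShell 5.1 script performs a minimal send/receive round-trip against a private MSMQ queue on a patched test host, the kind of smoke check worth running before handing a build to the application owners for UAT. It assumes the MSMQ Windows feature is installed, that the session has rights to create a private queue, and the queue path and label are placeholders; System.Messaging is a .NET Framework assembly, so this runs under Windows PowerShell rather than PowerShell 7.

```powershell
# Added example: post-patch MSMQ round-trip smoke test (not from the article).
# Assumptions: MSMQ feature installed, Windows PowerShell 5.1, rights to create
# a private queue. Queue path and label below are placeholders.
Add-Type -AssemblyName System.Messaging

function Test-MsmqRoundTrip {
    param(
        [string]$QueuePath = '.\private$\patch-smoke-test',   # placeholder queue
        [int]$TimeoutSeconds = 5
    )

    if (-not [System.Messaging.MessageQueue]::Exists($QueuePath)) {
        [void][System.Messaging.MessageQueue]::Create($QueuePath)
        $created = $true
    } else {
        $created = $false
    }

    $queue = New-Object System.Messaging.MessageQueue $QueuePath
    # XmlMessageFormatter is the default on send; declare the target type so
    # Receive() can deserialize the body back to a string.
    $queue.Formatter = [System.Messaging.XmlMessageFormatter]::new([Type[]]@([string]))

    # Unique body so a stale message left in the queue cannot produce a false pass.
    $body = "smoke-$([guid]::NewGuid())"
    $result = [ordered]@{ QueuePath = $QueuePath; Sent = $body; Received = $null; Passed = $false; Error = $null }

    try {
        $queue.Send($body, 'patch-smoke')
        # Receive blocks until a message arrives or the timeout elapses;
        # a timeout raises MessageQueueException (IOTimeout).
        $msg = $queue.Receive([TimeSpan]::FromSeconds($TimeoutSeconds))
        $result.Received = [string]$msg.Body
        $result.Passed   = ($result.Received -eq $body)
    } catch [System.Messaging.MessageQueueException] {
        # Timeout, access denied, or service not running: the round-trip failed.
        $result.Error = $_.Exception.Message
    } finally {
        $queue.Dispose()
        # Remove the queue only if this run created it, so a pre-existing
        # application queue is never deleted by the smoke test.
        if ($created) { [System.Messaging.MessageQueue]::Delete($QueuePath) }
    }

    return [pscustomobject]$result
}

Test-MsmqRoundTrip | Format-List
```

A result with Passed set to false (or an Error populated) after the January update is the signal to hold that deployment ring. The check exercises only local, non-transactional queuing on one host; remote queues, transactional sends and the RPC paths between services still need the application owner's UAT described above.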

Windows lifecycle update

This section covers important changes to servicing (and to most security updates) for the Windows desktop and server platforms.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft has released four very small updates addressing Chromium project vulnerabilities in its Chromium-based browser:

We are pretty lucky, as these are very light-weight updates. Nothing compared to the urgency and difficulty we used to experience with updating Internet Explorer. Add these updates to your standard patch release schedule.

Windows

Microsoft released two critical updates and 38 patches rated important to the Windows platform that cover the following key components:

With only two patches (CVE-2024-20674 and CVE-2024-20700) rated critical and no reported zero-days, this is another relatively light month. Our focus for testing and deployment should be on administrator tasks (validating backups, telemetry, and log files) and on some of the core internal features developers rely on for business-logic-driven distributed applications. Add this update to your standard Windows platform release schedule.

Microsoft Office

Microsoft released just two patches (CVE-2024-20677 and CVE-2024-21318) for Office and Microsoft SharePoint. These are low-impact updates that should not affect how Excel or Word handles numbers or formulas. Add these Office updates to your standard release schedule.

Microsoft Exchange Server

As in December, Microsoft did not release any updates for Microsoft Exchange Server. Don’t get too comfortable. We think the February update is going to be a big one.

Microsoft development platforms

Microsoft released six updates affecting Microsoft .NET, Visual Studio, and the SQL Client feature. All updates are rated important. The SQL Client update (CVE-2024-0056, a security feature bypass in the SqlClient data provider) will require some attention. Scan your corporate line-of-business (LOB) or internal applications for dependencies on .NET's System.Data.SqlClient (and the Microsoft.Data.SqlClient package, which the same advisory covers) and note the referenced versions. Once you have a prioritized application list, please add these updates to your standard developer release schedule.
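One way to build that prioritized list, as an added example that is not from the article: the Windows PowerShell script below walks a source tree, collects every SqlClient package reference from SDK-style projects, central package files and legacy packages.config, and flags versions below the fixed releases listed for CVE-2024-0056. The root path is a placeholder, and the fixed-version table is my reading of the advisory at the time of writing; confirm it against the current advisory text before acting on a "Patched = False" row.

```powershell
# Added example: inventory SqlClient package references and flag versions below
# the CVE-2024-0056 fixed releases. Not from the article. Root path is a
# placeholder; the fixed-version table is an assumption to confirm against the
# advisory before relying on it.

$FixedVersions = @{
    'System.Data.SqlClient'    = @('4.8.6')
    'Microsoft.Data.SqlClient' = @('2.1.7', '3.1.5', '4.0.5', '5.1.3')
}

function Test-SqlClientVersionPatched {
    param([string]$Package, [string]$Version)
    # Returns $true/$false, or $null when the version is not parseable
    # (for example a NuGet range such as "[4.8.5, 5.0)").
    $v = $null
    if (-not [version]::TryParse($Version, [ref]$v)) { return $null }
    foreach ($fixed in $FixedVersions[$Package]) {
        $f = [version]$fixed
        # Same servicing branch (major.minor): patched once at or above the fix.
        if ($f.Major -eq $v.Major -and $f.Minor -eq $v.Minor) { return ($v -ge $f) }
    }
    # No matching branch: newer than every listed fix counts as patched,
    # anything older than the newest listed fix is treated as vulnerable.
    $latest = @($FixedVersions[$Package] | ForEach-Object { [version]$_ } | Sort-Object)[-1]
    return ($v -gt $latest)
}

function Get-SqlClientReferences {
    param([string]$Root = '.')
    $names   = @($FixedVersions.Keys)
    $results = @()

    # PackageReference (csproj/vbproj) and PackageVersion (Directory.Packages.props)
    Get-ChildItem -Path $Root -Recurse -Include *.csproj, *.vbproj, *.props -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        try { [xml]$xml = Get-Content -LiteralPath $file -Raw } catch { return }
        $nodes = $xml.SelectNodes('//*[local-name()="PackageReference" or local-name()="PackageVersion"]')
        foreach ($node in $nodes) {
            $name = $node.GetAttribute('Include')
            if (-not $name) { $name = $node.GetAttribute('Update') }
            if ($names -notcontains $name) { continue }
            # Version may be an attribute or a child element.
            $ver = $node.GetAttribute('Version')
            if (-not $ver) { $ver = [string]$node.Version }
            $results += [pscustomobject]@{
                File = $file; Package = $name; Version = $ver
                Patched = (Test-SqlClientVersionPatched -Package $name -Version $ver)
            }
        }
      }

    # Legacy packages.config
    Get-ChildItem -Path $Root -Recurse -Filter packages.config -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        try { [xml]$xml = Get-Content -LiteralPath $file -Raw } catch { return }
        foreach ($pkg in $xml.packages.package) {
            if ($names -notcontains $pkg.id) { continue }
            $results += [pscustomobject]@{
                File = $file; Package = $pkg.id; Version = $pkg.version
                Patched = (Test-SqlClientVersionPatched -Package $pkg.id -Version $pkg.version)
            }
        }
      }

    return $results
}

# Placeholder root; unpatched and unparseable (null) rows sort to the top.
Get-SqlClientReferences -Root 'C:\src' | Sort-Object Patched, Package, File | Format-Table -AutoSize
```

The scan only sees explicit package references; a copy of System.Data.SqlClient carried by the shared .NET runtime itself is updated by the runtime patch rather than a package bump, so pair this inventory with the runtime version on each host. Transitive references pulled in through another package show up only if you also run the same check over the project's generated assets or deps.json files.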

Adobe Reader (if you get this far)

No updates from Adobe for Reader or Acrobat this month, but Microsoft has released a single update for the third-party database engine SQLite (CVE-2022-35737). This database engine update should really be included in the developer section, but strictly speaking SQLite is an open-source project whose engine Microsoft ships and services. Given our research on last year's patch and update trends, we are expecting a larger-than-normal update package for February. Automated testing is going to be key, with AI (probably a "PatchGPT") playing a large role in patch summaries, vulnerability assessments, and testing recommendations.
