Four zero-days make July's Patch Tuesday a 'patch now' update
With this month’s Patch Tuesday update, Microsoft addressed 130 security vulnerabilities, published two advisories, and included four major CVE revisions. We also have four zero-days to manage for Windows (CVE-2023-32046, CVE-2023-32049, CVE-2023-36874 and CVE-2023-36884), bringing the Windows platform into a “patch now” schedule.
It should be easier to focus on Microsoft Office and Windows testing this month, as we do not have any Adobe, Exchange, or browser updates. Be sure to carefully review Microsoft’s Storm 0978 as it provides specific, actionable guidance on managing the serious HTML vulnerability in Microsoft Office (CVE-2022-38023).
The Readiness team has crafted this helpful infographic to outline the risks associated with each of the updates.
Microsoft each month lists known issues that relate to the operating system and platforms included in the latest update cycle.
Microsoft has published two major revisions:
Microsoft published the following vulnerability-related mitigations for this release:
Each month, the Readiness team provides detailed, actionable testing guidance for the latest updates. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
If you have employed internal web or application servers, it will be worth testing the HTTP3 protocol — especially using Microsoft Edge. In addition to this protocol handling update, Microsoft made a significant number of changes and updates to the networking stack requiring the following testing:
Given the large number of system-level changes this month, I have divided the testing scenarios into standard and high-risk profiles.
Given that this update includes fixes for four (some say five) zero-day flaws, we have two main drivers of change this month: key functionality changes in core systems and an urgent need to deliver updates. Microsoft has documented that two core areas have been updated with significant functionality changes, including printing and the local network stack (with a focus on routing). As a result, the following testing should be included before general deployment:
The following changes have been included this month; they have not been raised as high risk (with unexpected outcomes) and do not include functional changes.
All these testing scenarios will require significant application-level testing before a general deployment. Given the changes included in this month’s patches, the Readiness team recommends that the following tests be performed before general deployment:
This month may be a little tough to test your Microsoft Office automation/scripts and integration with third-party applications due to the change in OLE and how Microsoft has addressed CVE-2023-36884. We recommend a full test of Excel macros (if they use OLE/COM/DCOM) and any VBS scripts that include Word.
Here are the important changes to servicing (and most security updates) to Windows desktop and server platforms.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Hard to believe, but there are no browser updates in this update cycle. And we don’t see anything coming down the pipeline for a mid-cycle release either. This is a big change and a huge improvement from the days of large, complex, and urgent browser updates. Go Microsoft!
Microsoft released eight critical updates and 95 patches rated as important to the Windows platform, covering these key components:
As mentioned in the Microsoft Office section above, we feel the focus this month should be on the immediate resolution of CVE-2023-36884. Though rated as important by Microsoft (sorry to be contrarian), we feel that since it has been both publicly disclosed and exploited, it should be treated as urgent. Coupled with the other Windows zero-day (CVE-2023-32046), this brings the entire Windows update group into the “Patch Now” schedule for our clients. Once the screaming stops, you can take some time to check out the Windows 11 release video; we find it calming.
We need to talk about Microsoft Office. Though there are two critical rated updates for SharePoint (CVE-2023-33157 and CVE-2023-33160) and 14 updates rated important by Microsoft, the elephant in the room is CVE-2023-36884 (Office and HTML RCE Vulnerability). This vulnerability has been both publicly disclosed and documented as exploited. Officially, this update belongs in the Windows group, but we believe that the true impact lies in how Microsoft Office deals with HTML data (transmit/store/compute). CVE-2023-36884 directly affects Office and your testing regime should reflect this.
Add these Office updates to your standard release schedule, noting that your Office patch testing regime will need to be paired with your Windows update release schedule.
Much to all our good fortune, there are no updates for Microsoft Exchange Server this month.
Compared to the very serious (and numerous) exploits in Office and Windows this month, there are only five updates affecting Visual Studio, ASP.NET and a minor component of Mono (the cross-platform C# implementation). All these patches are rated important by Microsoft and should be added to your standard developer release schedule.
More good news: there are no updates from Adobe or other third-party vendors in this update.