A mystery update from Microsoft

A mystery update from Microsoft

Greg Lambert
May 29, 2024
2 minutes

Patch Patch Tuesday Tuesday

Ok – not exactly sure what is happening, but it appears that Microsoft has just “accidentally” updated their patch database and added 47 new updates for May. 

In addition to these new patches (more on this later) there appears to be an update to another 30+ previously released updates from the last 18 months.

As you can imagine the team at Readiness has a number of automated tools and processes that are constantly scanning for Microsoft updates and other CVE related databases. We have a small (weirdly specific) dashboard that we check in the mornings (before the dev call).

Well.. have to say here, things looked really odd…

Here are some examples:

  1. CVE-2022-41099: BitLocker Security Feature Bypass Vulnerability. Originally released: November 8, 2022, Last updated: March 16, 2023.
  2. CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability. Originally released: December 12, 202. Last updated: February 16, 2024.
  3. CVE-2024-20674: Windows Kerberos Security Feature Bypass Vulnerability. Originally released: January 9, 2024. Last updated: January 18, 2024

These patches were effectively “re-releases” this morning (PST) and all Microsoft databases were correspondingly updated.

I have double checked these three CVE entries, and our scanning tools agreed – we found the same thing. No change. No updated information or FAQ’s. No action required.

This is good news.

However there were 47 NEW CVE entries in this latest mid-month update. These new CVE entries (e.g. CVE-2024-32607) do not have Microsoft entries. Even though they are in the Microsoft database. What’s going on?

Checking with some of the internal teams at MIcrosoft, and doing some digging it appears that all of these new updates relate to a core maths component found in most browsers (including the Chromium project) : HDF5 Data library.

Here is (filtered) list of the new entries:

CVE-2024-32620CVE-2024-32621CVE-2024-32621
CVE-2024-29162CVE-2024-32607CVE-2024-32622
CVE-2024-29163CVE-2024-32609CVE-2024-32623
CVE-2024-29164CVE-2024-32610CVE-2024-32624
CVE-2024-29165CVE-2024-32611CVE-2024-33599
CVE-2024-29166CVE-2024-32612CVE-2024-33600
CVE-2024-32020CVE-2024-32613CVE-2024-33601
CVE-2024-32021CVE-2024-32614CVE-2024-33602
CVE-2024-32465CVE-2024-32615CVE-2024-33874
CVE-2024-32605CVE-2024-32616

None of these updates have been registered (yet) and will most likely affect Microsoft Chromium Browser (Edge). 

In conclusion, 

  • There was a significant update to the Microsoft patch database yesterday
  • There was a large number of patch releases from over the past 18 months
  • No changes to the patch manifests were detected.
  • No further action is required

All this for nothing? Well, it means our patch “vigilance” was endorsed this month. 

And, I think that we can expect a large update to both Google Chrome and Edge in the next few weeks.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.

Planning business modernization projects?

  • Windows 10/11 migration
  • MS server 2022
  • Migration to Azure

Is your application estate ready?

Assurance.

Unbounded.

3 months of patch protection, assessments and dependency reports for your entire portfolio.

  • No cost
  • No limit of applications
  • No software needed
  • No infrastructure required
  • No obligation
Contact us to get started