Patch Patch Tuesday Tuesday
Ok – not exactly sure what is happening, but it appears that Microsoft has just “accidentally” updated their patch database and added 47 new updates for May.
In addition to these new patches (more on this later) there appears to be an update to another 30+ previously released updates from the last 18 months.
As you can imagine the team at Readiness has a number of automated tools and processes that are constantly scanning for Microsoft updates and other CVE related databases. We have a small (weirdly specific) dashboard that we check in the mornings (before the dev call).
Well.. have to say here, things looked really odd…
Here are some examples:
- CVE-2022-41099: BitLocker Security Feature Bypass Vulnerability. Originally released: November 8, 2022, Last updated: March 16, 2023.
- CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability. Originally released: December 12, 202. Last updated: February 16, 2024.
- CVE-2024-20674: Windows Kerberos Security Feature Bypass Vulnerability. Originally released: January 9, 2024. Last updated: January 18, 2024
These patches were effectively “re-releases” this morning (PST) and all Microsoft databases were correspondingly updated.
I have double checked these three CVE entries, and our scanning tools agreed – we found the same thing. No change. No updated information or FAQ’s. No action required.
This is good news.
However there were 47 NEW CVE entries in this latest mid-month update. These new CVE entries (e.g. CVE-2024-32607) do not have Microsoft entries. Even though they are in the Microsoft database. What’s going on?
Checking with some of the internal teams at MIcrosoft, and doing some digging it appears that all of these new updates relate to a core maths component found in most browsers (including the Chromium project) : HDF5 Data library.
Here is (filtered) list of the new entries:
CVE-2024-32620 | CVE-2024-32621 | CVE-2024-32621 |
CVE-2024-29162 | CVE-2024-32607 | CVE-2024-32622 |
CVE-2024-29163 | CVE-2024-32609 | CVE-2024-32623 |
CVE-2024-29164 | CVE-2024-32610 | CVE-2024-32624 |
CVE-2024-29165 | CVE-2024-32611 | CVE-2024-33599 |
CVE-2024-29166 | CVE-2024-32612 | CVE-2024-33600 |
CVE-2024-32020 | CVE-2024-32613 | CVE-2024-33601 |
CVE-2024-32021 | CVE-2024-32614 | CVE-2024-33602 |
CVE-2024-32465 | CVE-2024-32615 | CVE-2024-33874 |
CVE-2024-32605 | CVE-2024-32616 |
None of these updates have been registered (yet) and will most likely affect Microsoft Chromium Browser (Edge).
In conclusion,
- There was a significant update to the Microsoft patch database yesterday
- There was a large number of patch releases from over the past 18 months
- No changes to the patch manifests were detected.
- No further action is required
All this for nothing? Well, it means our patch “vigilance” was endorsed this month.
And, I think that we can expect a large update to both Google Chrome and Edge in the next few weeks.