For August, Patch Tuesday means patch now

Greg Lambert
August 19, 2024

Microsoft has released 90 updates for this August Patch Tuesday while addressing five Windows zero-days (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107) and one Microsoft Office zero-day (CVE-2024-38189).

Unfortunately, this means a “Patch Now” recommendation for both Windows and Microsoft Office platforms this month. Microsoft has offered several (pretty useful) mitigations and recommendations for reducing the impact of this month’s reported security issues, and our testing guidance reflects this with a focus on the networking-related features of Microsoft Windows. Minor updates for the Microsoft development platforms can be added to your standard patch release schedule, while Microsoft has not released any patches for Microsoft SQL Server or Exchange Server. Lastly, Adobe Reader updates are back, but we assume that this update will be included in your Windows desktop Patch Now release cycle. The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this August update cycle.

Known Issues 

Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms that are included in this update cycle, including the following two reported minor issues:

  • After installing the Windows update released on or after July 9, 2024, Windows Servers might (intermittently) affect Remote Desktop connectivity across an organisation. This issue might occur if the legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. As a result, remote desktop connections might be interrupted. Microsoft is working on a resolution for this issue.
  • Microsoft has been made aware of an issue where “players” on Arm devices are unable to download and play Roblox via the Microsoft Store on Windows. This may be a good time to “block out” (sorry, not sorry) some time to look at potential compatibility issues on ARM platforms. Don’t forget to try to change your account profile photo – oh, wait!

Major Revisions 

This August Patch Tuesday has Microsoft publishing the following major revisions to past Microsoft security and feature updates including:

  • CVE-2024-29187: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM. Microsoft has released security updates on August 13, 2024, for Microsoft Visual Studio 2017 version 15.9, Microsoft Visual Studio 2019 version 16.11, and Microsoft Visual Studio 2022 to address this GitHub related issue. 
  • CVE-2024-38058: BitLocker Security Feature Bypass Vulnerability. Microsoft has added an FAQ to explain that, because of firmware incompatibility issues that were causing BitLocker to go into recovery mode on some devices, the fix for CVE-2024-38058 has been disabled with the release of the August 2024 security updates. Customers who want to be protected from the vulnerability can apply the mitigations described in KB5025885.

Mitigations and Workarounds 

Microsoft has published the following vulnerability-related mitigations for this month’s August Patch Tuesday release cycle:

  • CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability. Microsoft has recommended as part of their mitigation strategy that all corporate users should no longer install the LPD utility. Given that this reported vulnerability has been publicly disclosed, the Readiness team highly recommends a scan of your environment to ensure that this (Line Printer daemon) service is not running and preferably not installed.
  • CVE-2024-38159 and CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability. To reduce the exposure to this vulnerability, Microsoft recommends that Hyper-V is disabled on the target machine. 
  • CVE-2024-38140: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability. Microsoft offers solid advice here. This vulnerability is only exploitable if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled but no programs are actively listening as a receiver, then this vulnerability is not exploitable. 
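
One way to run the scan recommended above across a set of machines, as an added example that is not from Microsoft or the Readiness team. It assumes the standard Windows service names LPDSVC (LPD service), vmms (Hyper-V Virtual Machine Management) and RMCAST (the PGM driver), and that remote hosts are reachable over WinRM.

```powershell
# Added example. Assumed service names: LPDSVC = LPD service,
# vmms = Hyper-V Virtual Machine Management, RMCAST = PGM (reliable multicast) driver.
function Get-AugustMitigationState {
    param([string[]]$ComputerName = @('.'))   # '.' = local machine; remote names need WinRM

    foreach ($computer in $ComputerName) {
        $cim = @{ ErrorAction = 'Stop' }
        if ($computer -ne '.') { $cim.ComputerName = $computer }
        try {
            # A filter that matches nothing returns $null, which means "not installed".
            $lpd    = Get-CimInstance @cim -ClassName Win32_Service      -Filter "Name='LPDSVC'"
            $hyperv = Get-CimInstance @cim -ClassName Win32_Service      -Filter "Name='vmms'"
            $pgm    = Get-CimInstance @cim -ClassName Win32_SystemDriver -Filter "Name='RMCAST'"
        } catch {
            [pscustomobject]@{ Computer = $computer; Check = 'Query'; State = 'Failed'; Action = $_.Exception.Message }
            continue
        }

        $rows = @(
            @{ Check = 'CVE-2024-38199 LPD service'; Item = $lpd
               IfRunning = 'Stop and disable the service, then remove the LPD feature'
               IfStopped = 'Installed but not running: remove the LPD feature' },
            @{ Check = 'CVE-2024-38159/38160 Hyper-V'; Item = $hyperv
               IfRunning = 'Hyper-V active: patch first, disable it where the role is not needed'
               IfStopped = 'Hyper-V installed but not running: patch, consider removing the role' },
            @{ Check = 'CVE-2024-38140 PGM driver'; Item = $pgm
               IfRunning = 'Driver loaded: confirm whether any application listens as a PGM receiver'
               IfStopped = 'Driver not loaded at scan time: no PGM receiver is listening' }
        )
        foreach ($row in $rows) {
            $state  = if (-not $row.Item) { 'Not installed' } else { $row.Item.State }
            $action = switch ($state) {
                'Not installed' { 'None' }
                'Running'       { $row.IfRunning }
                default         { $row.IfStopped }
            }
            [pscustomobject]@{ Computer = $computer; Check = $row.Check; State = $state; Action = $action }
        }
    }
}

Get-AugustMitigationState | Format-Table -AutoSize -Wrap
```

Pass `-ComputerName` a list of host names to scan more than the local machine; a loaded RMCAST driver only shows that PGM is available, so the listening application still has to be identified on the host.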

Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

For this August release cycle from Microsoft, we have grouped the critical updates and required testing efforts into separate product and functional areas including:

Microsoft Office

Due to the changes to Microsoft Outlook and .NET components this August, we recommend a full test of sending/receiving mails with HTML content.

Microsoft .NET and Developer Tools

Microsoft has updated both Microsoft .NET (Version 8) and Visual Studio 2022 this month with the following testing recommendations

Windows

With the release of the Windows updates for this August, Microsoft has put a real focus on securing Windows networking features with updates to core system files such as AFD.SYS that will require the following testing:

  • Network packets: try using a web browser to download and upload large files from both internal and external websites. Multicast senders will require validation on packet returns.
  • Network sockets: check that bind, connect and listen functions work as expected. Close socket functions will require testing this month as well.
  • Smartcards: full logon/logoff testing will be required
  • Network Bridges: This month’s update will require testing across two or more network adapters. Try creating a bridge using IPv6 packets.
  • Bluetooth: Sending files across two Bluetooth adapters will require testing for August
  • DNS: Recursive DNS queries will require a basic test. Have a look for any SERVFAIL returns or time-outs. We also suggest trying NETSH to configure proxy settings. 
  • Remote Desktop: Test out remote configurations on RRAS platforms while using copy/paste functions over a VPN.

In addition to these networking focused changes released this month, Microsoft has updated core features in the Windows desktop and server platforms that include:

  • Windows Error logs: a complete CRUD test (create, read, update and delete) will be required for Windows log files this month.
  • Kerberos: Logon and certificate workflows will require validation this update cycle.
  • Codec and camera updates will require a basic test of camera (both still and video) features.
  • Hyper-V: With only minor changes this month to the Microsoft Hyper-V platform, a basic VM startup and shut-down test is recommended.

Microsoft has made a number of significant changes to the Windows file system (NTFS) this month with changes to both the NtQueryEaFile and NtSetEaFile APIs. Unfortunately, a significant testing cycle is required that should include large-file CRUD tests, remembering to include a query component. The Readiness team suggests that a PowerShell test is also included in this testing cycle to assist with “pacing” rapid changes to the Windows file system.
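
A paced large-file CRUD test with a query step, of the kind suggested above, as an added example that is not the Readiness team's own test. The test directory, file size, iteration count and pause are illustrative defaults, and the script exercises ordinary file operations rather than calling the extended-attribute APIs directly.

```powershell
# Added example: paced large-file CRUD test for post-patch NTFS validation.
# Path, size, iteration count and pause are illustrative values.
function Test-NtfsCrud {
    param(
        [string]$Path = (Join-Path $env:TEMP 'ntfs-crud-test'),
        [int]$SizeMB = 256,
        [int]$Iterations = 5,
        [int]$PauseMs = 500
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $chunk = New-Object byte[] (1MB)
    (New-Object System.Random).NextBytes($chunk)

    foreach ($i in 1..$Iterations) {
        $file = Join-Path $Path "crud-$i.bin"
        $r = [ordered]@{ Iteration = $i; Create = $false; Read = $false; Query = $false
                         Update = $false; Delete = $false; Error = $null }
        try {
            # Create: write $SizeMB chunks of random data.
            $stream = [System.IO.File]::Create($file)
            try { foreach ($n in 1..$SizeMB) { $stream.Write($chunk, 0, $chunk.Length) } }
            finally { $stream.Dispose() }
            $r.Create = $true
            # Read: hash the whole file so every block is read back.
            $before = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            $r.Read = [bool]$before
            # Query: file metadata must agree with what was written.
            $r.Query = (Get-Item -Path $file).Length -eq ([long]$SizeMB * 1MB)
            # Update: append one chunk, then confirm both size and hash changed.
            $stream = [System.IO.File]::Open($file, [System.IO.FileMode]::Append)
            try { $stream.Write($chunk, 0, $chunk.Length) } finally { $stream.Dispose() }
            $after = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            $r.Update = ($after -ne $before) -and
                        ((Get-Item -Path $file).Length -eq ([long]($SizeMB + 1) * 1MB))
            # Delete: the file must be gone afterwards.
            Remove-Item -Path $file -Force
            $r.Delete = -not (Test-Path -Path $file)
        } catch {
            $r.Error = $_.Exception.Message
        } finally {
            if (Test-Path -Path $file) { Remove-Item -Path $file -Force -ErrorAction SilentlyContinue }
        }
        [pscustomobject]$r
        Start-Sleep -Milliseconds $PauseMs   # pacing between iterations
    }
}

Test-NtfsCrud | Format-Table -AutoSize
```

Run it before and after patching on the same volume and compare the rows; any `False` column or populated `Error` field marks the step to investigate.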

Given recent challenges with CrowdStrike and BitLocker, Microsoft has published changes that will require testing of the Microsoft BitLocker recovery environment.

Windows Lifecycle Update (now including Enforcements)

This section will contain important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.

  • Enforcements: Now that we are past the July 2024 deadline for the enforcement phase, the Windows certificate “Windows Production PCA 2011” will now be automatically revoked.
  • Lifecycle: Windows 11 Enterprise, versions 21H2 and 22H2, both have an end-of-servicing date of October 8th, 2024.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge) 
  • Microsoft Windows (both desktop and server) 
  • Microsoft Office
  • Microsoft Exchange Server 
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far) 

Browsers 

Microsoft has released 11 updates to the Edge browser platform this August. These low-profile changes have been rated as either important or moderate by Microsoft, reflecting their lower security and deployment risks. We recommend following the stable channel release of Microsoft Edge as there will be mid-cycle releases at the end of this month. Add these browser updates to your standard release schedule.

Windows 

This August, Microsoft has released six critical updates and 60 updates rated as important, with five zero-day patches (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107).

In addition to these critical updates, the patches Microsoft released this August affect the following Windows feature groups:

  • Windows DNS, broadband, routing, translation and multicast networking features
  • Kernel mode and system drivers
  • Line printer services (daemon)
  • Windows OLE
  • Windows Kerberos

Given the larger (and somewhat concerning) number of exploited and publicly disclosed vulnerabilities this month, we have recommended a “Patch Now” schedule for this month’s Windows update.

Microsoft Office 

Microsoft returns to form with one critical-rated update to Copilot (CVE-2024-38206) and nine other updates to the Microsoft Office suite, all rated as important by Microsoft. Unfortunately, one of these vulnerabilities (CVE-2024-38189), which affects the entire Microsoft Office platform, has been reported as exploited. Consequently, we must add Microsoft Office to the August Patch Now release schedule.

Microsoft SQL (nee Exchange) Server 

Good news for this August update. No updates or patches for either Microsoft SQL Server or Microsoft Exchange Server. 

Microsoft Development Platforms 

Microsoft has released four low profile updates to the Microsoft .NET and Visual Studio 2022 platforms this August. We do not expect serious testing requirements for these lesser reported vulnerabilities. Add these updates to your standard developer release schedule.

Adobe Reader (And other 3rd party updates) 

Adobe Reader is back in the game with an important update for this August, APSB24-57, which addresses 12 memory and “use after free” (my favourite) security vulnerabilities and can be added to your Windows update cycle this month.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
