Microsoft has released 49 updates (including two late additions) for this June Patch Tuesday. This June there have been no reported zero-days, public disclosures or newly released working exploits for the Microsoft ecosystem. This is welcome news and is paired with low-risk changes to Microsoft Office. Microsoft development platforms have received minor updates to Visual Studio, with both SQL Server and Microsoft Exchange patch-free for June. The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this June update cycle.
Known Issues
Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms that are included in this update cycle, including the following reported minor issues:
- After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes on their network might be unable to use those nodes. Microsoft is still working on this one. In the meantime, there is a workaround that involves setting the Cache Hostname to 1.
We totally recognize and respect Microsoft’s recent efforts with artificial intelligence (note that I did not say AI as that is an Apple thing now) but it would be nice if Microsoft resolved the profile picture (that you can’t change) known issue soon.
Major Revisions
This June Patch Tuesday has Microsoft publishing the following major revisions to past Microsoft security and feature updates including:
- CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (see below for mitigations). This advisory was revised late in the June release cycle. As the revision was informational only, no further action is required beyond applying the patch, unless you choose to apply the Microsoft-recommended mitigations as well.
Mitigations and Workarounds
Microsoft has published the following vulnerability-related mitigations for this month's June Patch Tuesday release cycle:
- CVE-2024-30070: DHCP Server Service Denial of Service Vulnerability. Microsoft (helpfully) notes that if you are not running the DHCP Server service, you are not affected by this denial-of-service vector.
- CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability. Message Queuing security issues are tough to find, mitigate and test, so this may need careful attention from your internal developers. At the very least, confirm whether the Message Queuing service is running and listening on its default TCP port (1801), and disable the feature on any machine where no application depends on it; that removes the attack surface entirely. Microsoft also recommends that you check whether the MSMQ HTTP-Support feature is enabled.
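The two checks above can be scripted. The following is an added example written for this column (not Microsoft's code and not part of the advisories); it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 10/11 or Windows Server, with the built-in NetTCPIP and DISM modules available. Service names (MSMQ, DHCPServer) and DISM feature names (MSMQ-Server, MSMQ-HTTP) are the standard Windows ones.

```powershell
# Added example: audit one host for the June 2024 mitigation checks.
# Run elevated; Get-WindowsOptionalFeature requires administrator rights.

function Get-MsmqExposure {
    # CVE-2024-30080 is only reachable if the Message Queuing service is
    # running and listening on its default TCP port, 1801.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listening = $null -ne (Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    # HTTP support is a separate optional feature (DISM name MSMQ-HTTP).
    $http = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-HTTP -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceInstalled   = [bool]$svc
        ServiceRunning     = ($svc -and $svc.Status -eq 'Running')
        Port1801Listening  = $listening
        HttpSupportEnabled = ($http -and $http.State -eq 'Enabled')
    }
}

function Get-DhcpServerExposure {
    # CVE-2024-30070 only affects hosts running the DHCP Server service;
    # a DHCP *client* is not in scope.
    $svc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceRunning   = ($svc -and $svc.Status -eq 'Running')
    }
}

$msmq = Get-MsmqExposure
$dhcp = Get-DhcpServerExposure

"--- MSMQ (CVE-2024-30080) ---"
$msmq | Format-List
"--- DHCP Server (CVE-2024-30070) ---"
$dhcp | Format-List

if ($msmq.ServiceRunning -and $msmq.Port1801Listening) {
    Write-Warning 'MSMQ is listening on TCP 1801: apply the June update, or disable the feature if no application needs it.'
    # To remove the attack surface on a machine that does not need MSMQ:
    #   Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server
}
if ($msmq.HttpSupportEnabled) {
    Write-Warning 'MSMQ HTTP support is enabled; confirm it is required.'
    #   Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-HTTP
}
if ($dhcp.ServiceRunning) {
    Write-Warning 'DHCP Server service is running: this host is in scope for CVE-2024-30070.'
}
```

Run it on a representative sample of servers and application hosts before the deployment wave: any host that reports MSMQ listening on 1801 belongs in the first patch ring, and any host that reports the service installed but nothing depending on it is a candidate for simply removing the feature.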
Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
For this June release cycle from Microsoft, we have grouped the critical updates and required testing efforts into different functional areas including:
Microsoft Office
- Microsoft SharePoint will require basic document opening and multi-user access tests this month.
Microsoft .NET and Developer Tools
- There are no updates to Microsoft .NET requiring application portfolio testing this month.
Windows
The following core Microsoft features have been updated this month including:
- Changes to Secure Boot will require testing of all third-party drivers.
- Code integrity policies need to be verified for Windows Lockdown Policy (WLDP), Windows Defender Application Control (WDAC) and the Windows driver policy for Intune deployments. We recommend that you test your Windows desktop sandbox and ensure that it boots correctly.
- Changes to Windows networking will require testing against at least two DHCP servers.
- Remote desktop related updates will require VPN connection tests. Try some administrative operations from the Microsoft Management Console (MMC), such as adding, connecting and disconnecting VPN connections.
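For the Secure Boot and code integrity items above, the most useful test artefact is a before-and-after snapshot of the machine's platform security state. The script below is an added example written for this column, not Microsoft's or Readiness's tooling; it assumes an elevated session on a UEFI machine running Windows 10/11 or Windows Server 2016 or later, where the Win32_DeviceGuard WMI class and the SecureBoot cmdlets are present. The output file name is an illustrative choice.

```powershell
# Added example: capture Secure Boot and code-integrity state so that two
# captures (pre- and post-update) can be compared. Run elevated.

function Get-PlatformSecurityState {
    $secureBoot = $false
    $dbxSha256  = $null
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        # Hash the forbidden-signatures database (DBX). A servicing change to
        # it shows up as a different hash between captures.
        $dbx = (Get-SecureBootUEFI -Name dbx -ErrorAction Stop).Bytes
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $dbxSha256 = ($sha.ComputeHash($dbx) | ForEach-Object { $_.ToString('x2') }) -join ''
    } catch {
        # Legacy BIOS or Secure Boot unavailable: leave the defaults above.
    }

    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Enforcement status values as documented by Microsoft:
    # 0 = off, 1 = audit mode, 2 = enforced.
    [pscustomobject]@{
        SecureBootEnabled       = $secureBoot
        DbxSha256               = $dbxSha256
        KernelModeCIEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCIEnforcement   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        VbsStatus               = $dg.VirtualizationBasedSecurityStatus
        SecurityServicesRunning = ($dg.SecurityServicesRunning -join ',')
    }
}

# Name the capture after the OS build so the two sides of the comparison
# are unambiguous (e.g. 22631.3737 before and 22631.3810 after).
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = "$($ver.CurrentBuild).$($ver.UBR)"
$state = Get-PlatformSecurityState
$state | Format-List
$state | Export-Clixml -Path "ci-state-$build.xml"

# After patching, compare the two captures; any row returned is a delta
# that needs an explanation before the update is approved:
#   Compare-Object (Import-Clixml .\ci-state-<old>.xml) (Import-Clixml .\ci-state-<new>.xml) `
#       -Property SecureBootEnabled, DbxSha256, KernelModeCIEnforcement, UserModeCIEnforcement
```

A change in the DBX hash is expected when Microsoft ships a Secure Boot revocation; a change in the kernel- or user-mode enforcement status is not, and on a WDAC-managed fleet it should block the update until the policy has been re-validated.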
This month’s Patch Tuesday update affects several core systems such as Kernel32 and Win32K.SYS sub-systems. Unfortunately, these changes affect how applications behave at a fundamental level. This makes testing not just hard, but broad and expansive across your application portfolio. The Readiness team suggests that the following general application tests are performed against ALL of your core line-of-business applications this month.
- Test as many windows and pop-ups as possible
- Check window title bars for errors, or poorly formatted text
- Check for unusual items in the Windows taskbar
- Thoroughly test File Explorer (sorry about that)
- Test multiple applications, with multiple windows
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line-of-business applications, having the application owner run user acceptance testing (UAT) and approve the results is still absolutely essential.
Windows Lifecycle Update
This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.
- Windows 10 Enterprise and Education, Version 21H2 will no longer be serviced as of June 11, 2024
For those planning ahead, October 8th, 2024, is a big day as Microsoft will no longer offer general servicing for the following desktop platforms:
- Windows 11 Enterprise and Education, Version 21H2
- Windows 11 Home and Pro, Version 22H2
- Windows 11 IoT Enterprise, Version 21H2
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange Server
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe (if you get this far)
Browsers
Microsoft has released seven minor updates to the Chromium based browser (Edge) project while the Chromium project has added six additional updates this week. These updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule.
Windows
This June, Microsoft released one critical update (CVE-2024-30080) and 32 patches rated as important to the Windows platform, covering the following key components:
- Windows Win32 Kernel Subsystem, GRFX and drivers
- Networking (Wi-Fi) and DHCP
- Storage and Error Reporting
- Crypto and BitLocker
The critical-rated patch relates to the core but infrequently used Message Queuing service (MSMQ), which may affect internal line-of-business applications. Unusually, this advisory has already been revised since the main Patch Tuesday release. That said, the Readiness team believes that all these Windows patches can be added to your standard release schedule.
Microsoft Office
No critical updates for Microsoft Office this month, and only five patches have been rated as important by Microsoft. All five patches released for Microsoft Office have low potential for exploitability (no worms, add-in vulnerabilities or Word macro issues) and should be added to your regular Microsoft Office update schedule.
Microsoft Exchange Server
No updates for Microsoft Exchange Server or SQL Server this month, which of course is a good thing.
Microsoft Development Platforms
Microsoft has released just three updates to Microsoft Visual Studio this month. These patches affect versions of the Microsoft developer platform from 2017 to 2022. All these proposed changes are low risk and are application specific. Add these updates to your standard developer release schedule.
Adobe Reader (if you get this far)
We are back to the usual state of things, and Microsoft has not chosen to include any Adobe products in their Patch Tuesday release cycle. This is a very good thing.