Microsoft has resolved 80 new CVEs this month in addition to four earlier CVEs, bringing the number of security issues addressed in this month’s Patch Tuesday release to 84.
Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that require a “Patch Now” release requirement for both Windows and Microsoft Office updates. As it was last month, there were no further updates for Microsoft Exchange Server or Adobe Reader. This month the team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this cycle.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the update cycle.
- KB5022842: After installing KB5022842 on Windows Server 2022 with Secure Boot enabled and rebooting twice, the VMware VM failed to boot using the new bootmgr. This issue is still under consideration by Microsoft. After installing this update, WPF apps may have a change in behavior.
- After installing this month’s Windows update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start.
Microsoft is still working on a network performance issue with Windows 11 22H2. Large (multi-gigabyte) network file transfers (and potentially similarly large local transfers) are affected. This issue should mainly affect IT administrators.
Microsoft published four major revisions this month covering:
- VE-2023-2156: Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability.
- CVE-2022-41099: Title: BitLocker Security Feature Bypass Vulnerability.
- CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability.
- CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability.
All of these revisions were due to documentation and expanded affected software updates. No further action is required.
Mitigations and workarounds
Microsoft published the following vulnerability related mitigations for this month’s release:
- CVE-2023-23392: HTTP Protocol Stack Remote Code Execution Vulnerability. A prerequisite for a Windows 2022 server to be vulnerable to this security issue is that the network binding has HTTP/3 enabled and the server uses buffered I/O. Enabling HTTP/3 is discussed here: Enabling HTTP/3 support on Windows Server 2022.
- CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Microsoft has published two mitigations for this serious security issue:
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings.
Each month, the team at Readiness analyzes the Patch Tuesday updates and provides detailed, actionable testing guidance; that guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups.
Microsoft published several high risk changes in the March update. While they may not lead to functionality changes, the testing profile for each update should be mandatory:
- Microsoft has updated how DCOM responds to remote requests as part of the recent hardening effort. This process has been under way since June 2021 (Phase 1), with an update in June 2022 (Phase 2) and now this month with all changes implemented as mandatory. DCOM is a core Windows component used for communicating between services or processes. Microsoft has advised that this (and full deployment of past recommendations) will cause application-level compatibility issues. The company has offered some support on what is changing and how to mitigate any compatibility issues as a result of these recent mandatory settings.
- A major change to the core system file Win32kfull.sys has been included this month as two functions (DrvPlgBlt and nf-wingdi-plgblt) have been updated. Microsoft has advised there are no functional changes to these functions. Testing applications that depend on these functions will be essential before a full deployment of this month’s updates.
These scenarios require significant application-level testing before general deployment.
- Bluetooth: Try adding and removing new Bluetooth devices. Stressing Bluetooth network devices would be highly advised.
- Windows Network stack (TCPIP.SYS): Basic web surfing, “normal” file transfers and video streaming should be sufficient to test the changes to the Windows networking stack.
- Hyper-V: Try testing both Gen1 and Gen2 virtual machines (VM’s). Both types of machines should start, stop, shut down, pause, and resume successfully.
In addition to these changes, Microsoft updated a key memory function (D3DKMTCreateDCFromMemory) that affects two key system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, in past updates to these drivers, some users have generated BSOD SYSTEM_SERVICE_EXCEPTION errors. Microsoft has posted information on how to manage these issues. Hopefully you don’t have to resolve these kinds of issues this month.
Windows lifecycle update
This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms over the next few months:
- Windows 10 Enterprise (and Education), Version 20H2 and Windows 10 IoT Enterprise, and Windows Version 20H2 will reach an end of servicing date on May 9, 2023.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (retired???, maybe next year).
There were 22 updates for March (none rated critical), with 21 included in the Google release channel and one (CVE-2023-24892) from Microsoft. All these updates are easy-to-deploy updates with marginal to low deployment risk. You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. Add these updates to your standard patch release schedule.
Microsoft released 10 critical updates and 48 patches rated as important to the Windows platform that cover the following key components:
- Microsoft Printer Postscript Drivers.
- Windows Bluetooth Service.
- Windows Win32K and Core Graphics components (GDI).
- Windows HTTP Protocol Stack and PPPoE.
Other than the recent change to DCOM authentication (see DCOM hardening) most of this month’s updates have a very low risk profile. We have a minor update to a printing subsystem (Postscript 6) and other tweaks to network handling, storage, and graphics components. Unfortunately, we have a real zero-day issue with Windows (CVE-2023-24880) SmartScreen (aka Windows Defender) with reports of both exploitation and a public disclosure. As a result, add these Windows updates to your “Patch Now” release schedule.
Microsoft released 11 updates to the Microsoft Office platform with one rated as (super) critical and the remaining updates rated important and affecting just Excel and SharePoint. Unfortunately, the Microsoft Outlook update (CVE-2023-23397) will have to be patched immediately. I have included recommendations offered by Microsoft in our mitigations section above which include adding users to a higher security group and blocking ports 445/SMB on your network. Given the low risk of breaking other apps and the ease of deployment of this patch, I have another idea: add these Office updates to your “Patch Now” release schedule.
Microsoft Exchange Server
No Microsoft Exchange updates required this month. That said, there is a particularly worrying issue with Microsoft Outlook (CVE-2023-23397) that will be enough for any mail administrator to handle this month.
Microsoft development platforms
This is a very light patch cycle for Microsoft development platforms with just four updates to Visual Studio (GitHub extensions) this month. All these updates are rated as important by Microsoft and have a very low deployment risk profile. Add these updates to your standard developer release schedule.
Adobe Reader (still here, but just not this month)
We may be seeing a trend here as Adobe has not released any updates for Adobe Reader. It is also interesting that this is the first month in nine that Microsoft has not released any critical updates to its XPS, PDF or printing system. So, no mandatory printer testing is required.