A haunting Patch Tuesday for October: 117 updates (and 5 zero-day flaws)
This month’s Patch Tuesday delivers a large set of patches from Microsoft that fix 117 flaws, including five zero-day vulnerabilities (CVE-2024-43573, CVE-2024-6197, CVE-2024-20659, CVE-2024-43572 and CVE-2024-43583).
Though there are patches affecting Windows, SQL Server, Microsoft Excel and Visual Studio, only the Windows updates require a “Patch Now” release schedule, and they will need a significant amount of testing because they touch a lot of features: networking, the kernel and core GDI components, and Microsoft Hyper-V. Printing should be a core focus for enterprise testing, and the SQL Server updates will require a focus on internally developed, data-driven applications.
The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this October update cycle.
Known Issues
There were a few reported issues with the September update that have been addressed in this month’s (October) update, including:
- Remote Desktop and gateway connectivity issues.
- SharePoint Server deserialization issues with custom types.
However, these are relatively minor concerns compared with the recent problems deploying Windows 11 24H2. These reports cover both compatibility and security problems and include:
- The Safe Exam Browser may fail to load. Version 3.7 of this application is currently “hard-blocked” by Microsoft until further notice, meaning Microsoft has placed a compatibility (safeguard) hold on affected devices so that they are not offered the 24H2 upgrade until the issue is resolved.
- Fingerprint sensors and readers may not function as expected. According to Microsoft, a firmware update should resolve this issue.
- Compatibility issues with specific sound cards (Intel Smart Sound) may cause them to stop working properly.
These issues primarily affect users upgrading to Windows 11 24H2 and are likely to be resolved by application and firmware updates rather than by Microsoft patches. That said, Microsoft has advised that there are problems with the “first build” (out-of-box) installation of this latest release. We suggest that our enterprise readers wait until the next release before serious testing and deployment.
Major Revisions
This October Patch Tuesday has Microsoft publishing the following major revisions:
- CVE-2024-38163: Windows Update Stack Elevation of Privilege Vulnerability. This Windows Recovery Environment (WinRE) related issue has been neither publicly exploited nor disclosed. This is a documentation update only, and no further action is required.
- CVE-2024-38016: Microsoft Office Visio Remote Code Execution Vulnerability. This “remote code” security issue actually requires local access to succeed. It has not been reported as exploited in the wild and Microsoft has provided an official fix. This is a documentation update only and does not require further action.
Testing Guidance
Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
For this October release cycle from Microsoft, we have grouped the critical updates and required testing efforts into separate product and functional areas including:
Microsoft SQL Server
With two updates to Microsoft SQL Server (client-side OLE DB provider components) this month, desktop (or client) testing will be required for data-driven applications. We recommend that the following SQL-related tests are included in the testing cycle for October:
- Validate SQL commands and stored procedures.
- Ensure data “Refresh” operations perform correctly with ActiveX Data Objects (ADO/ADOX). These are difficult operations to debug because of the generally large number of interconnected objects (databases and systems) and the business criticality of these systems. Start early on this testing effort.
- Test queries that accept large numbers of parameters. SQL parameter boundary testing, at and just beyond the server’s limit, is worthwhile.
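The following PowerShell is an added example written for this article, not code from Microsoft or the Readiness team. It first lists the SQL Server OLE DB providers registered on a client (the patched component lives on the client side, so this tells you which machines carry it), then drives a parameter-count boundary test through one of them. The connection string, the hypothetical server name sql01, and the use of SQL Server’s 2,100 parameters-per-request limit as the boundary are assumptions; run it in Windows PowerShell 5.1 on a test client with network access to a non-production SQL Server.

```powershell
# Added example, not from the original article: inventory SQL Server OLE DB providers on
# this client, then exercise the parameter-count boundary through one of them.
Add-Type -AssemblyName System.Data

function Get-SqlOleDbProvider {
    # OleDbEnumerator lists every registered OLE DB provider on the machine.
    $table = [System.Data.OleDb.OleDbEnumerator]::new().GetElements()
    foreach ($row in $table.Rows) {
        if ($row.SOURCES_NAME -match 'SQL') {
            [pscustomobject]@{
                Provider    = $row.SOURCES_NAME        # e.g. SQLOLEDB, SQLNCLI11, MSOLEDBSQL
                Description = $row.SOURCES_DESCRIPTION
            }
        }
    }
}

function Test-SqlParameterBoundary {
    param(
        # Assumed: adjust to your test server. 'sql01' is a placeholder.
        [Parameter(Mandatory)][string]$ConnectionString,
        # 2100 is SQL Server's parameters-per-request limit; test on both sides of it.
        [int[]]$Counts = @(1, 100, 1000, 2099, 2100, 2101)
    )
    $conn = [System.Data.OleDb.OleDbConnection]::new($ConnectionString)
    $conn.Open()
    try {
        foreach ($n in $Counts) {
            $cmd = $conn.CreateCommand()
            # OLE DB uses positional '?' markers: SELECT ? + ? + ... + ?
            $cmd.CommandText = 'SELECT ' + ((@('?') * $n) -join ' + ')
            for ($i = 0; $i -lt $n; $i++) {
                $null = $cmd.Parameters.Add([System.Data.OleDb.OleDbParameter]::new("p$i", [int]1))
            }
            try {
                $sum = [int]$cmd.ExecuteScalar()
                [pscustomobject]@{ Parameters = $n; Result = $sum; Pass = ($sum -eq $n); Error = $null }
            } catch {
                # Beyond the limit the provider must fail cleanly, never hang or crash.
                [pscustomobject]@{ Parameters = $n; Result = $null; Pass = ($n -gt 2100); Error = $_.Exception.Message }
            }
        }
    } finally {
        $conn.Close()
    }
}

Get-SqlOleDbProvider
# Test-SqlParameterBoundary -ConnectionString 'Provider=MSOLEDBSQL;Data Source=sql01;Initial Catalog=master;Integrated Security=SSPI'
```

Run the boundary test once before and once after the October update on the same client; a row whose Pass value flips, or an error message that changes from a clean server-side rejection to a provider-side exception, is the regression to chase. Repeat with each provider name found by Get-SqlOleDbProvider that your applications actually use.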
Windows
While the primary testing scenario for this October update is really to test PRINTING, there is a huge amount to test this month. Microsoft has made significant changes to broad areas of networking, low-level changes to the kernel and graphics handler (GDI), and updates to core features including Microsoft Hyper-V. A feature-by-feature testing regime should include the following:
- Networking: Test large file transfers (including IPv6) over Remote Desktop connections, VPNs and varied network conditions. Web browsing tests should include multiple simultaneous connections, and messaging applications such as Microsoft Teams should be included in this testing cycle.
- Security: Ensure that (internal) code still performs cryptographic functions correctly using RSA keys. Authentication should work correctly between Microsoft and Linux systems. A validation of Kerberos client authentication will also be required.
- Remote Access and Remote Desktop: Updates to Routing and Remote Access Service (RRAS) will require testing of remote access administrative actions. Remote Desktop licensing will require functionality testing. The RRAS management APIs MprConfigFilterSetInfo and MprInfoBlockRemove have been updated, so internally developed systems that call into RRAS will require an authentication test.
- Windows Error Logs: Due to a change in the Windows Common Log File System (CLFS), a quick test of applications that create and read CLFS log containers is required.
The primary focus of this month’s update cycle should be on testing printing (again). Rather than a simple (does it actually print) test, more complex print related testing regimes are required this month, including:
- Validating text rendering and formatting for entire documents
- Starting, stopping and disabling printer queues
- Printing across a “matrix” of 32- and 64-bit platforms, including both desktop and server environments. The main challenges are likely to be found with 32-bit applications on 64-bit platforms (Adobe Reader, we are looking at you).
- Installing and uninstalling third-party printer management software on both 32-bit and 64-bit platforms.
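The PowerShell below is an added example for this article, not a Readiness or Microsoft script. It turns the print checklist above into a repeatable post-patch run: for every local printer it records the driver environment (x86 versus x64), pauses and resumes the queue and confirms the spooler reports each state change, then submits a small constructed text job containing non-ASCII characters and checks that the job is accepted without error. It assumes Windows PowerShell 5.1 (Out-Printer is not available in PowerShell 7), an elevated session, and a scratch file path under $env:TEMP.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: repeatable pause/resume and job-submission
# test across every local print queue. Requires Windows PowerShell 5.1 (Out-Printer).
Import-Module PrintManagement

function Test-PrintQueue {
    param(
        [string[]]$PrinterName,                            # default: every local printer
        [string]$SampleFile = "$env:TEMP\printtest.txt"    # assumed scratch path
    )
    # Constructed sample document: ASCII, accented and CJK text, plus a long line for wrapping.
    @("Patch test $(Get-Date -Format o)", "Émilie / 日本語 / ∑ rendering check", ('x' * 200)) |
        Set-Content -Path $SampleFile -Encoding UTF8

    $printers = Get-Printer
    if ($PrinterName) { $printers = $printers | Where-Object Name -in $PrinterName }

    foreach ($pr in $printers) {
        $drv = Get-PrinterDriver -Name $pr.DriverName -ErrorAction SilentlyContinue | Select-Object -First 1
        $cim = Get-CimInstance Win32_Printer -Filter "Name='$($pr.Name -replace "'", "''")'"
        $r = [ordered]@{
            Printer     = $pr.Name
            Driver      = $pr.DriverName
            Environment = $drv.PrinterEnvironment        # 'Windows x64' or 'Windows NT x86'
        }
        # 1. Pause / resume: the queue must report both transitions. Return value 0 = success.
        $r.PauseRc  = (Invoke-CimMethod -InputObject $cim -MethodName Pause).ReturnValue
        $r.Paused   = (Get-Printer -Name $pr.Name).PrinterStatus -eq 'Paused'
        $r.ResumeRc = (Invoke-CimMethod -InputObject $cim -MethodName Resume).ReturnValue
        $r.Resumed  = (Get-Printer -Name $pr.Name).PrinterStatus -ne 'Paused'
        # 2. Submit a job and confirm the spooler accepts it without flagging an error.
        $before = @(Get-PrintJob -PrinterName $pr.Name).Count
        Get-Content -Path $SampleFile | Out-Printer -Name $pr.Name
        Start-Sleep -Seconds 2
        $jobs = @(Get-PrintJob -PrinterName $pr.Name)
        $r.JobSeen   = $jobs.Count -ge $before          # a fast printer may already have drained it
        $r.JobErrors = @($jobs | Where-Object JobStatus -match 'Error').Count
        [pscustomobject]$r
    }
}

# Usage: run before and after the update on each 32-bit and 64-bit test image, then diff.
Test-PrintQueue | Format-Table -AutoSize
```

Any non-zero PauseRc/ResumeRc, a Paused or Resumed value of False, or a JobErrors count above zero is a spooler or driver regression worth reporting. Compare the Environment column against the bitness of the application that prints: a 32-bit application on an x64 image goes through the splwow64 thunk, which is exactly where the matrix testing above tends to find problems.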
Windows Lifecycle and Enforcement Updates
This section contains important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.
- Windows 11 Enterprise version 21H2 lost Microsoft servicing support on October 8, 2024.
Mitigations and Workarounds
For this October update cycle, Microsoft has published the following mitigations that are applicable to this Patch Tuesday.
- CVE-2024-43609: Microsoft Office Spoofing Vulnerability. Microsoft has published additional documentation on setting Group Policy Objects (GPOs) for the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy. Auditing, and then blocking, outbound NTLM authentication to remote servers reduces the scope of this issue and gives you a record of which hosts are still being sent NTLM credentials.
- CVE-2024-38124: Windows Netlogon Elevation of Privilege Vulnerability. While not offering specific settings or security configurations, Microsoft does offer some advice on how to reduce the impact of this Windows vulnerability with industry best practice guidance on server naming conventions, name change reporting/auditing and employing multi-factor authentication.
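For the CVE-2024-43609 mitigation above, the PowerShell below is an added example written for this article, not a Microsoft script. It reads the local state of the outgoing-NTLM restriction (the policy writes the RestrictSendingNTLMTraffic value under the MSV1_0 LSA key: 0 allow, 1 audit, 2 deny), offers a staged switch to audit mode, and summarises the resulting NTLM/Operational event 8001 entries so you can see which remote servers would be affected before you move to “Deny all”. The function names and the 24-hour default window are assumptions; the registry path, value names and event ID are the documented ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: inspect, stage and audit the
# "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting.
$Msv1    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Meaning = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-NtlmOutboundPolicy {
    $p = Get-ItemProperty -Path $Msv1 -ErrorAction SilentlyContinue
    # An absent value behaves as 'Allow all' (0).
    $v = if ($null -ne $p.RestrictSendingNTLMTraffic) { [int]$p.RestrictSendingNTLMTraffic } else { 0 }
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $v
        Meaning                    = $Meaning[$v]
        AllowedServers             = @($p.ClientAllowedNTLMServers)   # REG_MULTI_SZ exception list
    }
}

function Set-NtlmOutboundPolicy {
    param([ValidateSet(0, 1, 2)][int]$Level)
    # Level 1 (Audit all) blocks nothing but logs every outbound NTLM authentication
    # as event 8001 in Microsoft-Windows-NTLM/Operational. A domain GPO that sets the
    # same policy will overwrite this local value at the next refresh.
    New-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value $Level -Force | Out-Null
}

function Get-NtlmOutboundAudit {
    param([int]$Hours = 24)   # assumed default window
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Target  = $data['TargetName']
            Process = $data['ProcessName']
            User    = $data['ClientUserName']
        }
    }
}

# Typical flow: record the current state, switch to audit, let normal business run,
# then review which targets still receive NTLM before deciding on exceptions and Deny all.
Get-NtlmOutboundPolicy
# Set-NtlmOutboundPolicy -Level 1
# Get-NtlmOutboundAudit | Group-Object Target | Sort-Object Count -Descending
```

Targets that show up in the audit and cannot be moved to Kerberos belong in the ClientAllowedNTLMServers exception list (“Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication”) before the policy is raised to 2; everything else is a host that the Office spoofing path could still coerce a client into authenticating to.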
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange Server
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe (if you get this far)
Browsers
Microsoft has released just three updates from the Chromium project that apply to Microsoft Edge:
- CVE-2024-7025: Integer overflow in Layout.
- CVE-2024-9369: Insufficient data validation in Mojo.
- CVE-2024-9370: Inappropriate implementation in V8.
The Chromium project has provided a very handy dashboard for their latest releases and their testing status. Add these Microsoft browser updates to your standard release schedule.
Windows
Microsoft has released one patch rated as critical and a further 92 patches rated as important for Windows this month. The following key Windows features have been updated:
- Windows Kernel and Graphics
- Microsoft SQL and OLE DB provider for SQL
- Windows Print, Telephony and FAX
- Windows NTFS, storage port and Common Log File System (CLFS)
- Remote Desktop and Networking
Unfortunately, Microsoft is addressing five zero-days (CVE-2024-43573, CVE-2024-6197, CVE-2024-20659, CVE-2024-43572 and CVE-2024-43583): two (CVE-2024-43572 and CVE-2024-43573) are reported as exploited in the wild and the other three were publicly disclosed before the fix. Add these Windows updates to your “Patch Now” release schedule.
Microsoft Office
Microsoft has published six updates (all rated as important by Microsoft) for the Microsoft Office platform. These updates do not include any preview pane or reported zero-click vulnerabilities and only affect Excel and SharePoint. Add these updates to your standard Office update schedule.
Microsoft SQL (nee Exchange) Server
No updates for Microsoft Exchange Server this month. However, Microsoft has released two updates to Microsoft SQL Server product group (CVE-2024-43481 and CVE-2024-43612) that will require adding to your standard server update schedule.
Microsoft Development Platforms
Microsoft has released a single update rated as critical this October (CVE-2024-43488, affecting the Visual Studio Code extension for Arduino) and eight further updates (all rated as important by Microsoft) to the Microsoft .NET platform. None of these security issues has been reported as exploited or publicly disclosed, so the Readiness team recommends adding these updates to your standard developer release schedule.
Adobe Reader (And other 3rd party updates)
Microsoft has not published any Adobe Reader related updates this month. That said, there are critical updates for both Reader and Acrobat that deserve attention. This month, Microsoft has included an update for another third-party component, curl, that addresses a memory-safety flaw in libcurl’s ASN.1 string handling, where a stack buffer could be freed (CVE-2024-6197), just as Reader updates used to be bundled. The assigning CNA for this issue is named as HackerOne, which we find endearing.