With its August Patch Tuesday release, Microsoft pushed out 90 updates for the Windows and Office platforms. The latest fixes include another update for Microsoft Exchange (along with with a warning about failed updates to Exchange Server 2016 and 2019) and a “Patch Now” recommendation from us for Office.
The team at Readiness has crafted this useful infographic outlining the risks associated with each of the updates for this month.
Each month, Microsoft includes a list of known issues affecting the latest update cycle. For August, they include:
- After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Microsoft and VMware are both investigating the issue.
- Provisioning packages on Windows 11 version 22H2 (also called Windows 11 2022 Update) might not work as expected. Windows might only be partially configured, and the out-of-box experience might not finish or might restart unexpectedly. Provisioning the Windows device before upgrading to Windows 11 version 22H2 should prevent the issue.
Unfortunately for those still using Windows Server 2008 ESU, this month’s update might fail completely with the message, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer.” Microsoft offers some advice on ESU updates, but you might find you have to wait a little while before you’re able to successfully update legacy Exchange servers. Sorry about that.
Microsoft has published these major revisions covering:
- ADV190023: Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing. This latest update adds the capability to enable CBT events 3074 & 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log.
- ADV230001: Guidance on Microsoft Signed Drivers Being Used Maliciously. Microsoft has announced that the Aug. 8 Windows Security updates (see Security Updates table) add additional untrusted drivers and driver signing certificates to the Windows Driver.STL revocation list.
- CVE-2023-29360: Microsoft Streaming Service Elevation of Privilege Vulnerability. Microsoft has corrected CVE titles and updated one or more CVSS scores for the affected products.
- CVE-2023-35389: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. In this latest update, Microsoft removed Microsoft Dynamics 365 (on-premises) version 9.1, as it is not affected by the vulnerability. This is an informational change only. No further action required.
Mitigations and workarounds
Microsoft published the following vulnerability-related mitigations for this release cycle:
- CVE-2023-35385: Microsoft Message Queuing Remote Code Execution Vulnerability. The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. Check to see whether there is a service running named Message Queuing and TCP port 1801 is listening on the machine.
- CVE-2023-36882: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability. Microsoft offers the following mitigation advice for this serious vulnerability: “If your environment only connects to known, trusted servers and there is no ability to reconfigure existing connections to point to another location (for example you use TLS encryption with certificate validation), the vulnerability cannot be exploited.”
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and app installations.
Given the significant number of changes included this month, I’ve broken down the testing scenarios into high-risk and standard-risk groups:
As all the high-risk changes affect the Microsoft Windows core kernel and internal messaging subsystem (though we have not seen any published functionality changes), we strongly recommend the following focused testing:
- There have been a number of significant updates to the Microsoft Message Queue (MSMQ). This will affect servers that rely on triggers, routing services, and multicasting support. Our expectation is that internally developed line-of-business client/server applications are most likely to be affected and therefore need increased attention and testing this month.
- Windows error reporting has been updated, so you will need to do a “CRUD” test on your Windows Common Log File System (CLFS) logs.
- A group policy refresh should be included in this testing cycle due to changes in the NT user policy (both user and machine) files. Due to API changes in this feature, you might also want to check file paths for your resultant log files.
- Microsoft’s Crypto (CNG) APIs have been updated, so smart card installations will require testing.
- ODBC applications will require testing again this month due to an update to the SQLOLEDB libraries.
And here’s one for Windows focused IT administrators: Microsoft has updated the WinSAT API. This tool is described by Microsoft:
“The Windows System Assessment Tool (WinSAT) exposes a number of classes that assess the performance characteristics and capabilities of a computer. Developers can use this API to develop software that can access the performance and capability information of a computer to determine the optimal application settings based on that computer’s performance capabilities.”
All these scenarios will require significant application-level testing before general deployment. In addition to these specific testing requirements, we suggest a general test of the following printing features:
- Update all your print servers and validate that the printer management software behaves as expected while running print jobs.
- Uninstall any print management software after an update to ensure that your server is still running as expected.
- Test all printer manufacturer types, using both local and remote printer tests.
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business applications, getting the app owner (doing UAT) to test and approve the results is absolutely essential.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (still here, but with another A).
Continuing a welcome trend, Microsoft released 11 updates to its Chromium browser projects (Edge) and no patches to its legacy browsers. You can read more about Microsoft Edge release notes here, noting that Chrome/Edge updates were released on Monday (Aug. 7) not the usual “Patch Tuesday.”
Add these browser updates to your standard patch release schedule.
Microsoft released three critical updates, 32 rated as important and one rated as moderate. All (three) of the critical updates to the Windows platform relate to the Windows Message Queuing (MSMQ). Though these critical updates have a rating of 9.8 (that’s pretty high), they have not been publicly disclosed or reported as exploited. Not every organization will make use of the MSMQ feature, so for most teams, the testing profile should be pretty light. Add these Windows updates to your standard release schedule.
Microsoft has released three critical updates to Microsoft Outlook (CVE-2023-36895, CVE-2023-29330 and CVE-2023-29328) that require immediate attention. In addition to these patches, Microsoft has released 11 updates rated as important and one rated as moderate. These 12 updates affect Microsoft Office in general and Visio. Add these Office updates to your “Patch Now” release schedule.
Microsoft Exchange Server
Before you do anything, don’t update your non-English Microsoft Exchange Servers (2019 and 2016). This month’s update will fail mid-way through and leave your server in an “undetermined state.” Now that this has (not) been done, you can attend to the six Exchange updates (all rated as important) for this month. No critical updates showed up, so take your time. Note: all these August patches will require a server reboot. Add these updates to your standard release schedule.
Microsoft development platforms
Microsoft has released eight updates to the Microsoft .NET and ASP.NET platforms this month. These patches were rated as important and should be included in your standard developer release schedule.
Adobe Reader (still here, but with another A)
Adobe is back. And we have another “A” to worry about (kinda weird, huh?). APSB23-30 from Adobe patches a critical vulnerability in Adobe Reader — add it to your “Patch Now” schedule. And the other “A”? Following the recent trend of supporting third-party patches in the Microsoft update release cycle (remember the Autodesk update in June?), Microsoft has released CVE-2023-20569; it is related to an AMD memory-related vulnerability. You can read more about this on the AMD site here.
Testing? Not sure.