Microsoft has released 61 updates for this May Patch Tuesday release with no reports of public disclosures or other zero-days for the Microsoft ecosystem (Windows, Office, .NET) this month. Though there are three updated packages from last month (February), they are just informational changes and no further action is required. The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this March update cycle.
Known Issues
Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms that are included in this update cycle, including the following two reported minor issues:
- Windows devices using more than one monitor might experience issues with desktop icons moving unexpectedly between monitors or other icon alignment issues when attempting to use Copilot in Windows. Microsoft is still working on this issue.
- For Exchange Server, Microsoft has published an advisory note stating that, after you install this latest security update, there is no longer support for the Oracle OutsideIn Technology (OIT) or OutsideInModule. For more information, see “The OutsideInModule module is disabled after installing the March 2024 service update”.
Last month was not a great month for Microsoft in how they communicated updates and revisions. However, March was an exceptionally light month for reported “known issues” for their desktop and server platforms. Our team did not find any of the documentation issues experienced in the recent past. Good job Microsoft!
Major Revisions
This March Patch Tuesday has Microsoft publishing the following major revisions to past Microsoft security and feature updates including:
- CVE-2024-2173, CVE-2024-2174, and CVE-2024-2176 : Chromium: CVE-2024-2173 Out of bounds memory access in V8. These updates relate to recent security patches for the Chromium browser project at Microsoft. No further action required.
Mitigations and Workarounds
Microsoft has published the following vulnerability-related mitigations for this month’s February Patch Tuesday release cycle:
- CVE-2023-28746 Register File Data Sampling (RFDS). We are not certain how to categorise this update from Intel as it relates to a hardware issue with certain Intel chipsets. The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows update enables this 3rd party firmware-based mitigation. More information can be found here.
Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
For this March release cycle from Microsoft, we have grouped the critical updates and required testing efforts into different functional areas including:
Microsoft Office
- Visio will need to be tested for larger drawings. CAD drawings are good candidates.
- Microsoft SharePoint will require testing for the upload of large files (> 1 GB).
- Excel will need a test of OLE embedded objects and all linked datasheet macros.
Microsoft .NET and Developer Tools
- PowerShell: the Get-StorageDiagnosticInfo cmdlet has been updated, so check the DACL (Discretionary Access Control List) on its output for the correct “resultant” settings (e.g. that it has the correct owner).
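One way to run that DACL check after patching, as an added example (not code from Readiness or Microsoft). The scratch folder, the list of acceptable owners and the list of "broad" principals are assumptions to replace with your own policy.

```powershell
# Added example: run elevated on a patched test machine.
$destination     = Join-Path $env:TEMP 'StorageDiagCheck'   # assumed scratch folder
$expectedOwners  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                     [Security.Principal.WindowsIdentity]::GetCurrent().Name)  # assumed policy
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Only bits that allow changing content or permissions; read-only ACEs do not match.
$writeMask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

New-Item -ItemType Directory -Path $destination -Force | Out-Null
$subsystem = (Get-StorageSubSystem | Select-Object -First 1).FriendlyName
Get-StorageDiagnosticInfo -StorageSubSystemFriendlyName $subsystem -DestinationPath $destination

# Inspect the folder itself plus everything the cmdlet wrote into it.
$items  = @(Get-Item $destination) + @(Get-ChildItem $destination -Recurse -Force)
$report = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $broadWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
    [pscustomobject]@{
        Path       = $item.FullName
        Owner      = $acl.Owner
        OwnerOk    = $expectedOwners -contains $acl.Owner
        BroadWrite = ($broadWrite.IdentityReference.Value -join ', ')
    }
}

# Anything listed here has an unexpected owner or is writable by a broad group.
$failures = $report | Where-Object { -not $_.OwnerOk -or $_.BroadWrite }
if ($failures) { $failures | Format-Table -AutoSize -Wrap }
else { "All $($report.Count) items have an expected owner and no broad write access." }
```

Running the same script before and after the update and comparing `$report` shows whether the resultant permissions changed.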
Windows
The following core Microsoft features have been updated this month, including:
- SQL OLE and ODBC: These updates will require a full test cycle of database (DB) connections and SQL commands. We advise running basic SQL commands and trying different SQL servers.
- Hyper-V: Test that virtual machines (VMs) start, shut down, pause, resume, and then turn off the machine.
- Printing: Both Version 4 (V4) and V3 printer connections will require basic testing.
- Telephony and FAX: Microsoft TAPI APIs have been updated, so remember to test your FAXPress servers.
- USB Drivers: A basic test of USB devices will be required with a “plug in, copy from and to the USB and detach” cycle.
- Compressed files: a minor update this month will require basic testing of .7z, far, tar, tar.gz files.
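The Hyper-V cycle from the list above (start, shut down, pause, resume, turn off) can be scripted as follows. This is an added example, not code from Readiness or Microsoft; `PatchTest-VM01` is a hypothetical disposable test VM whose guest is assumed to have integration services running.

```powershell
# Added example: run elevated on the patched Hyper-V host against a disposable VM.
$vmName = 'PatchTest-VM01'   # hypothetical test VM name

function Wait-VMState {
    param([string]$Name, [string]$Expected, [int]$TimeoutSec = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = "$((Get-VM -Name $Name).State)"
        if ($state -eq $Expected) { return $true }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    throw "VM '$Name' is '$state'; expected '$Expected' within $TimeoutSec s"
}

function Wait-VMHeartbeat {
    # A clean guest shutdown needs the guest to be up, so wait for an 'Ok*' heartbeat.
    param([string]$Name, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ("$((Get-VM -Name $Name).Heartbeat)" -notlike 'Ok*') {
        if ((Get-Date) -ge $deadline) { throw "No heartbeat from '$Name'" }
        Start-Sleep -Seconds 5
    }
}

# Each step: the action to run and the state the VM must reach afterwards.
$steps = @(
    @{ Step = 'Start';     Action = { Start-VM -Name $vmName };             Expect = 'Running' }
    @{ Step = 'Shut down'; Action = { Wait-VMHeartbeat -Name $vmName
                                      Stop-VM -Name $vmName -Force };       Expect = 'Off' }
    @{ Step = 'Restart';   Action = { Start-VM -Name $vmName };             Expect = 'Running' }
    @{ Step = 'Pause';     Action = { Suspend-VM -Name $vmName };           Expect = 'Paused' }
    @{ Step = 'Resume';    Action = { Resume-VM -Name $vmName };            Expect = 'Running' }
    @{ Step = 'Turn off';  Action = { Stop-VM -Name $vmName -TurnOff -Force }; Expect = 'Off' }
)

$results = foreach ($s in $steps) {
    $sw = [Diagnostics.Stopwatch]::StartNew()
    & $s.Action
    Wait-VMState -Name $vmName -Expected $s.Expect | Out-Null
    [pscustomobject]@{ Step = $s.Step; State = $s.Expect; Seconds = [int]$sw.Elapsed.TotalSeconds }
}
$results | Format-Table -AutoSize
```

A step that never reaches its expected state throws, so a run that prints the full table means every transition completed on the patched host.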
One of the key updates to the Windows file system this month is a change to how NTFS handles composite image files, which are described by Microsoft as:
“a small collection of flat files that include one or more data and metadata region files, one or more object ID files and one or more file system description files. As a result of their “flatness” CIMs are faster to construct, extract and delete than the equivalent raw directories they contain”.
Basic tests for this update should include creating, mounting, and browsing CIM objects.
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business applications, getting the application owner to test (doing a UAT) and approve the testing results is still absolutely essential.
This month Microsoft has made a major (general) update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio.
Windows Lifecycle Update
This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.
- Windows 10 21H2 will lose active support in 3 months (June 2024)
- Microsoft .NET Version 7 support ends in 2 months (May 2024)
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange Server
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe (if you get this far)
Browsers
Microsoft has released three minor updates to the Chromium based browser (Edge) project this month (CVE-2024-1283, CVE-2024-1284 and CVE-2024-1059) with the following reported vulnerabilities:
- CVE-2024-1060 : Chromium: CVE-2024-1060 Use after free in Canvas
- CVE-2024-1077 : Chromium: CVE-2024-1077 Use after free in Network
- CVE-2024-21399 : Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
In addition to these standard releases, Microsoft has issued these “late” additions to their monthly browser update:
- CVE-2024-26163 : Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
- CVE-2024-26167: Microsoft Edge for Android Spoofing Vulnerability
- CVE-2024-26246: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
All these updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule.
Windows
This February, Microsoft released (another) two critical updates (CVE-2024-21407 and CVE-2024-21408) and 39 patches rated as important to the Windows platform that cover the following key components:
- Windows SQL and OLE DB Provider
- Windows Hyper-V
- Windows Kernel
This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild and if you are on a modern platform (Windows 10/11) all these reported security vulnerabilities are difficult to exploit. Please add this update to your standard Windows release schedule.
Microsoft Office
Following a recent trend, Microsoft has released only three updates to the Microsoft Office platform for March (CVE-2024-21448, CVE-2024-21426 and CVE-2024-26199). All three patches have low potential for exploitability and should be added to your regular Microsoft Office update schedule.
Microsoft Exchange Server
Microsoft has (again) released a single update for Exchange Server for this March update cycle with CVE-2024-26198. This update only affects Exchange Server 2016 and 2019 and Microsoft describes the vulnerability as,
“An attack that requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL.”
Microsoft rates this single update as important and there are no reports of public disclosure or exploits. Add this update to your regular server update schedule. For Exchange Server admins, we believe that each updated server will require a reboot.
Microsoft Development Platforms
Microsoft has released three updates (CVE-2024-26190, CVE-2024-26165 and CVE-2024-21392) to .NET (Versions 7 and 8) and Microsoft Visual Studio 2022. All three updates to Microsoft development platforms are low-impact and can be included in regular developer patch release efforts.
Adobe Reader (if you get this far)
No Adobe updates for this month of March. Other than the Intel firmware update included in this month’s Microsoft advisories from Intel (CVE-2023-28746), we do not have any 3rd party vendors/ISVs to add to this month’s update schedule.