Patch Office and Windows now to resolve two zero-days
Microsoft has resolved 80 new CVEs this month in addition to four earlier CVEs, bringing the number of security issues addressed in this month’s Patch Tuesday release to 84.

Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that require a “Patch Now” release for both Windows and Microsoft Office updates. As was the case last month, there were no further updates for Microsoft Exchange Server or Adobe Reader. This month the team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this cycle.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the update cycle.

- KB5022842: After installing KB5022842 on Windows Server 2022 with Secure Boot enabled and rebooting twice, the VMware VM failed to boot using the new bootmgr. This issue is still under consideration by Microsoft. After installing this update, WPF apps may have a change in behavior.
- After installing this month’s Windows update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start.

Microsoft is still working on a network performance issue with Windows 11 22H2. Large (multi-gigabyte) network file transfers (and potentially similarly large local transfers) are affected. This issue should mainly affect IT administrators.

Major revisions

Microsoft published four major revisions this month covering:

- CVE-2023-2156: Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability.
- CVE-2022-41099: BitLocker Security Feature Bypass Vulnerability.
- CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability.
- CVE-2023-21808: .NET and Visual Studio Remote Code Execution Vulnerability.

All of these revisions were due to documentation and expanded affected software updates. No further action is required.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release:

- CVE-2023-23392: HTTP Protocol Stack Remote Code Execution Vulnerability. A prerequisite for a Windows 2022 server to be vulnerable to this security issue is that the network binding has HTTP/3 enabled and the server uses buffered I/O. Enabling HTTP/3 is discussed here: Enabling HTTP/3 support on Windows Server 2022.
- CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Microsoft has published two mitigations for this serious security issue:
  - Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism.
  - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings.
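
One way to audit both CVE-2023-23397 mitigations listed above, as an added PowerShell example (not Microsoft's or Readiness's own script). It assumes the RSAT ActiveDirectory module is installed; the privileged group list and the external probe host name are placeholders to replace for your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audits the two CVE-2023-23397 mitigations listed above.
# Assumptions: $PrivilegedGroups and $ExternalProbeHost are placeholders. The probe
# host (hypothetical name below) is a machine you control outside the perimeter that
# accepts TCP 445; otherwise a "not reachable" result proves nothing.
param(
    [string[]]$PrivilegedGroups = @('Domain Admins'),
    [string]$ExternalProbeHost = 'smb-probe.example.net',
    [switch]$AddMissing
)

# Mitigation 1: privileged user accounts that are not yet in Protected Users.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
$missing = @(
    $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
        Sort-Object -Property SamAccountName -Unique
)

if ($AddMissing -and $missing.Count -gt 0) {
    # Members can no longer authenticate with NTLM, so accounts that still depend on
    # it will fail to log on. -WhatIf only previews the change; remove it after review.
    Add-ADGroupMember -Identity 'Protected Users' -Members $missing -WhatIf
}

# Mitigation 2: outbound TCP 445. Probe the perimeter, then look for a local block rule.
$probe = Test-NetConnection -ComputerName $ExternalProbeHost -Port 445 -WarningAction SilentlyContinue
$localBlocks = @(
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            # Exact port match only; port ranges and block-all rules are not counted.
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and $filter.RemotePort -contains '445'
        }
)

# One summary object per machine, suitable for export or remote collection.
[pscustomobject]@{
    PrivilegedAccountsNotProtected = $missing.SamAccountName -join ', '
    Outbound445ReachableExternally = $probe.TcpTestSucceeded
    LocalOutbound445BlockRules     = $localBlocks.DisplayName -join ', '
}
```

With both mitigations in place, the summary shows no unprotected accounts, `Outbound445ReachableExternally` as False, and at least one local block rule.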

Testing guidance

Each month, the team at Readiness analyzes the Patch Tuesday updates and provides detailed, actionable testing guidance; that guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups.

High risk

Microsoft published several high-risk changes in the March update. While they may not lead to functionality changes, the testing profile for each update should be mandatory:

- Microsoft has updated how DCOM responds to remote requests as part of the recent hardening effort. This process has been under way since June 2021 (Phase 1), with an update in June 2022 (Phase 2) and now this month with all changes implemented as mandatory. DCOM is a core Windows component used for communicating between services or processes. Microsoft has advised that this (and full deployment of past recommendations) will cause application-level compatibility issues. The company has offered some support on what is changing and how to mitigate any compatibility issues as a result of these recent mandatory settings.
- A major change to the core system file Win32kfull.sys has been included this month as two functions (DrvPlgBlt and nf-wingdi-plgblt) have been updated. Microsoft has advised there are no functional changes to these functions. Testing applications that depend on these functions will be essential before a full deployment of this month’s updates.

These scenarios require significant application-level testing before general deployment.

- Bluetooth: Try adding and removing new Bluetooth devices. Stressing Bluetooth network devices would be highly advised.
- Windows Network stack (TCPIP.SYS): Basic web surfing, “normal” file transfers and video streaming should be sufficient to test the changes to the Windows networking stack.
- Hyper-V: Try testing both Gen1 and Gen2 virtual machines (VMs). Both types of machines should start, stop, shut down, pause, and resume successfully.

In addition to these changes, Microsoft updated a key memory function (D3DKMTCreateDCFromMemory) that affects two key system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, in past updates to these drivers, some users have run into BSOD SYSTEM_SERVICE_EXCEPTION errors. Microsoft has posted information on how to manage these issues. Hopefully you don’t have to resolve these kinds of issues this month.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms over the next few months:

- Windows 10 Enterprise (and Education), Version 20H2 and Windows 10 IoT Enterprise, and Windows Version 20H2 will reach an end of servicing date on May 9, 2023.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (retired???, maybe next year).

Browsers

There were 22 updates for March (none rated critical), with 21 included in the Google release channel and one (CVE-2023-24892) from Microsoft. All of these updates are easy to deploy, with marginal to low deployment risk. You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. Add these updates to your standard patch release schedule.

Windows

Microsoft released 10 critical updates and 48 patches rated as important to the Windows platform that cover the following key components:

- Microsoft Printer Postscript Drivers.
- Windows Bluetooth Service.
- Windows Win32K and Core Graphics components (GDI).
- Windows HTTP Protocol Stack and PPPoE.

Other than the recent change to DCOM authentication (see DCOM hardening), most of this month’s updates have a very low risk profile. We have a minor update to a printing subsystem (Postscript 6) and other tweaks to network handling, storage, and graphics components. Unfortunately, we have a real zero-day issue with Windows (CVE-2023-24880) SmartScreen (aka Windows Defender) with reports of both exploitation and a public disclosure. As a result, add these Windows updates to your “Patch Now” release schedule.

Microsoft Office

Microsoft released 11 updates to the Microsoft Office platform, with one rated as (super) critical and the remaining updates rated important and affecting just Excel and SharePoint. Unfortunately, the Microsoft Outlook update (CVE-2023-23397) will have to be patched immediately. I have included recommendations offered by Microsoft in our mitigations section above, which include adding users to a higher security group and blocking port 445/SMB on your network. Given the low risk of breaking other apps and the ease of deployment of this patch, I have another idea: add these Office updates to your “Patch Now” release schedule.

Microsoft Exchange Server

No Microsoft Exchange updates are required this month. That said, there is a particularly worrying issue with Microsoft Outlook (CVE-2023-23397) that will be enough for any mail administrator to handle this month.

Microsoft development platforms

This is a very light patch cycle for Microsoft development platforms with just four updates to Visual Studio (GitHub extensions) this month. All these updates are rated as important by Microsoft and have a very low deployment risk profile. Add these updates to your standard developer release schedule.

Adobe Reader (still here, but just not this month)

We may be seeing a trend here as Adobe has not released any updates for Adobe Reader. It is also interesting that this is the first month in nine that Microsoft has not released any critical updates to its XPS, PDF or printing system. So, no mandatory printer testing is required.