Patch Tuesday: Microsoft rolls out 90 updates for Home windows, Workplace

With its August Patch Tuesday launch, Microsoft pushed out 90 updates for the Home windows and Workplace platforms. The newest fixes embrace  one other replace for Microsoft Trade (together with with a warning about failed updates to Trade Server 2016 and 2019) and a “Patch Now” suggestion from us for Workplace.

The group at Application Readiness has crafted this useful infographic outlining the dangers related to every of the updates for this month.

Identified points

Every month, Microsoft features a checklist of recognized points affecting the newest replace cycle. For August, they embrace:

• After putting in this replace on visitor digital machines (VMs) operating Home windows Server 2022 on some variations of VMware ESXi, Home windows Server 2022 may not begin up. Microsoft and VMware are each investigating the difficulty.
• Provisioning packages on Home windows 11 model 22H2 (additionally referred to as Home windows 11 2022 Replace) may not work as anticipated. Home windows would possibly solely be partially configured, and the out-of-box expertise may not end or would possibly restart unexpectedly. Provisioning the Home windows gadget earlier than upgrading to Home windows 11 model 22H2 ought to stop the difficulty.

Sadly for these nonetheless utilizing Windows Server 2008 ESU, this month’s replace would possibly fail fully with the message, “Failure to configure Home windows updates. Reverting Adjustments. Don’t flip off your pc.” Microsoft gives some advice on ESU updates, however you would possibly discover you need to wait a short while earlier than you are in a position to efficiently replace legacy Trade servers. Sorry about that.

Main revisions

Microsoft has printed these main revisions masking:

• ADV190023: Microsoft Steerage for Enabling LDAP Channel Binding and LDAP Signing. This newest replace provides the aptitude to allow CBT occasions 3074 & 3075 with occasion supply **Microsoft-Home windows-ActiveDirectory_DomainService** within the Listing Service occasion log.
• ADV230001: Steerage on Microsoft Signed Drivers Being Used Maliciously. Microsoft has introduced that the Aug. 8  Home windows Safety updates (see Safety Updates desk) add further untrusted drivers and driver signing certificates to the Home windows Driver.STL revocation checklist.
• CVE-2023-29360: Microsoft Streaming Service Elevation of Privilege Vulnerability. Microsoft has corrected CVE titles and up to date a number of CVSS scores for the affected merchandise.
• CVE-2023-35389: Microsoft Dynamics 365 On-Premises Distant Code Execution Vulnerability. On this newest replace, Microsoft eliminated Microsoft Dynamics 365 (on-premises) model 9.1, as it’s not affected by the vulnerability. That is an informational change solely. No additional motion required.

Mitigations and workarounds

Microsoft printed the next vulnerability-related mitigations for this launch cycle:

• CVE-2023-35385: Microsoft Message Queuing Distant Code Execution Vulnerability. The Home windows message queuing service, which is a Home windows part, must be enabled for a system to be exploitable by this vulnerability. Verify to see whether or not there’s a service operating named Message Queuing and TCP port 1801 is listening on the machine.
• CVE-2023-36882: Microsoft WDAC OLE DB supplier for SQL Server Distant Code Execution Vulnerability. Microsoft gives the next mitigation recommendation for this critical vulnerability: “In case your surroundings solely connects to recognized, trusted servers and there’s no means to reconfigure present connections to level to a different location (for instance you employ TLS encryption with certificates validation), the vulnerability can’t be exploited.”

Testing steering 

Every month, the Readiness group analyzes the newest Patch Tuesday updates and offers detailed, actionable testing steering. This steering relies on assessing a big utility portfolio and an in depth evaluation of the patches and their potential influence on the Home windows platforms and app installations.

Given the numerous variety of adjustments included this month, I’ve damaged down the testing situations into high-risk and standard-risk teams:

Excessive danger

As all of the high-risk adjustments have an effect on the Microsoft Home windows core kernel and inner messaging subsystem (although we’ve got not seen any printed performance adjustments), we strongly advocate the next targeted testing:

• There have been plenty of important updates to the Microsoft Message Queue (MSMQ). This can have an effect on servers that depend on triggers, routing companies, and multicasting help. Our expectation is that internally developed line-of-business consumer/server functions are probably to be affected and subsequently want elevated consideration and testing this month.

Commonplace danger

• Home windows error reporting has been up to date, so you’ll need to do a “CRUD” check in your Home windows Frequent Log File System (CLFS) logs.
• A gaggle coverage refresh must be included on this testing cycle as a consequence of adjustments within the NT person coverage (each person and machine) recordsdata. Resulting from API adjustments on this function, you may also need to verify file paths to your resultant log recordsdata.
• Microsoft’s Crypto (CNG) APIs have been up to date, so sensible card installations would require testing.
• ODBC functions would require testing once more this month as a consequence of an replace to the SQLOLEDB libraries.

And here is one for Home windows targeted IT directors: Microsoft has up to date the WinSAT API. This device is described by Microsoft:

“The Home windows System Evaluation Software (WinSAT) exposes plenty of courses that assess the efficiency traits and capabilities of a pc. Builders can use this API to develop software program that may entry the efficiency and functionality info of a pc to find out the optimum utility settings based mostly on that pc’s efficiency capabilities.”

All these situations would require important application-level testing earlier than common deployment. Along with these particular testing necessities, we advise a common check of the next printing options:

• Replace all of your print servers and validate that the printer administration software program behaves as anticipated whereas operating print jobs.
• Uninstall any print administration software program after an replace to make sure that your server continues to be operating as anticipated.
• Take a look at all printer producer sorts, utilizing each native and distant printer assessments.

Automated testing will assist with these situations (particularly a testing platform that provides a “delta” or comparability between builds). Nevertheless, to your line-of-business functions, getting the app proprietor (doing UAT) to check and approve the outcomes is completely important.

Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Home windows (each desktop and server);
• Microsoft Workplace;
• Microsoft Trade Server;
• Microsoft Improvement platforms (ASP.NET Core, .NET Core and Chakra Core);
• Adobe (nonetheless right here, however with one other A).

Browsers

Persevering with a welcome development, Microsoft launched 11 updates to its Chromium browser initiatives (Edge) and no patches to its legacy browsers. You’ll be able to learn extra about Microsoft Edge launch notes here, noting that Chrome/Edge updates have been launched on Monday (Aug. 7) not the same old “Patch Tuesday.”

Add these browser updates to your normal patch launch schedule.

Home windows

Microsoft launched three vital updates, 32 rated as essential and one rated as average. All (three) of the vital updates to the Home windows platform relate to the Home windows Message Queuing (MSMQ). Although these vital updates have a score of 9.8 (that is fairly excessive), they haven’t been publicly disclosed or reported as exploited. Not each group will make use of the MSMQ function, so for many groups, the testing profile must be fairly mild. Add these Home windows updates to your normal launch schedule.

Microsoft Workplace

Microsoft has launched three vital updates to Microsoft Outlook (CVE-2023-36895, CVE-2023-29330 and CVE-2023-29328) that require instant consideration. Along with these patches, Microsoft has launched 11 updates rated as essential and one rated as average. These 12 updates have an effect on Microsoft Workplace typically and Visio. Add these Workplace updates to your “Patch Now” launch schedule.

Microsoft Trade Server

Earlier than you do something, do not replace your non-English Microsoft Trade Servers (2019 and 2016). This month’s replace will fail mid-way by way of and go away your server in an “undetermined state.” Now that this has (not) been executed, you possibly can attend to the six Trade updates (all rated as essential) for this month. No vital updates confirmed up, so take your time. Observe: all these August patches would require a server reboot. Add these updates to your normal launch schedule. 

Microsoft growth platforms

Microsoft has launched eight updates to the Microsoft .NET and ASP.NET platforms this month. These patches have been rated as essential and must be included in your normal developer launch schedule.

Adobe Reader (nonetheless right here, however with one other A)

Adobe is again. And we’ve got one other “A” to fret about (kinda bizarre, huh?). APSB23-30 from Adobe patches a vital vulnerability in Adobe Reader — add it to your “Patch Now” schedule. And the opposite “A”? Following the current development of supporting third-party patches within the Microsoft replace launch cycle (keep in mind the Autodesk update in June?), Microsoft has launched CVE-2023-20569; it is expounded to an AMD memory-related vulnerability. You’ll be able to learn extra about this on the AMD web site here. 

Patching? Certain. 

Testing? Unsure.