May's Patch Tuesday update includes 3 zero
By Greg Lambert, Contributor, Computerworld |
Greg Lambert evaluates the risks to existing applications and environments in each month's Patch Tuesday cycle.
In it's May update, Microsoft addressed 51 vulnerabilities in Windows, Microsoft Office, and Visual Studio. And with three zero-day flaws to urgently address in Windows (CVE-2023-24932, CVE-2023-29325 and CVE-2023-29336), the focus this month needs to be on rapidly updating both Windows and Microsoft Office. Both platforms get our "Patch Now" recommendation.
Testing for this patch cycle must include validating Windows secure boot, remote desktop and VPN transfers, and ensuring that Microsoft Outlook handles document (RTF and DOC) files correctly. The team at Application Readiness has crafted this helpful infographic to outline the risks associated with each of the updates for this cycle.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest updates. For May, these include:
One issue that still affects all versions of Windows 10 (as it hasfor the past three months) is that kiosk device profiles are still not signing in automatically. Microsoft is working on a fix. And for those looking for some redeeming value in gaming updates (who isn't these days?) Red Dead Redemption 2 is now reported to be able to start up. Well done.
This month, there have not been any CVEs updated or major revisions to previous patches.
Microsoft has not published any further mitigations or workarounds for this month's patches.
Each month, the team at Readiness analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. The guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows and application installations.)
Given the large number of system-level changes included this cycle, I have broken down the testing scenarios into standard and high-risk profiles.
Microsoft made significant changes this month to the TPM Module, in particular, Secure Boot and BitLocker. The Readiness team suggests the following basic tests for this update:
We are unsure about the validity of recovery media once this May Patch Tuesday update has been applied. Your boot recovery media might/will fail if made on systems prior to this update. Once you have performed this update you will need to ensure full backups are completed and tested. This scenario affects both Windows 11 (22H2) desktops and Windows Server 2022.
The following changes included in this month's update have not been raised as either high risk tweaks and do not include functional changes.
All these testing scenarios require significant application-level testing before general deployment. Given the nature of changes included in these patches, the Readiness team recommends that you:
Automated testing will help with these scenarios (especially using a testing platform that offers a "delta" or comparison between builds). For line-of-business applications that involve getting the application owner (doing UAT) to test and approve the testing results, this is still essential.
This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft released 11 low-profile updates to its browser portfolio, all of which have been rated important. For those still using the older code base (IE), the retired out-of-support Internet Explorer 11 desktop application was permanently turned off as part of the February Windows security update ("B" release). Add these updates to your standard patch release schedule.
This month, Microsoft released five critical updates and 22 patches rated important to the Windows platform; they cover the following key components:
At first glance, the May Windows release seemed to be pretty light, with a lower-than-normal number of critical updates. However, Microsoft identified and addressed a vulnerability in the Windows secure boot process so complex that a staged release is required. Identified as CVE-2023-24932, Microsoft warns that this vulnerability allows an "attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled."
Yep — you heard that right — your secure boot process has been compromised (brought to you by Black Lotus). As mentioned in the testing guidance section above, boot media must be carefully analyzed; otherwise, "bricked" servers are a real possibility. Before proceeding, read this updated guidance for CVE-2023-24932, with some further reading on the Black Lotus campaign available here.
Add this update to your "Patch Now" release schedule.
Microsoft released one critical update to SharePoint Server this month. In addition to this, six other updates rated important affecting Word, Excel and Teams arrived. The focus needs to be on Microsoft Outlook (CVE-2023-29324) with an updated patch (to a previous mitigation) to resolve a serious elevation of privilege (EOP) vulnerability. Microsoft published an update(d) mitigation document to explain this serious security issue.
Though the Windows OLE related vulnerability (CVE-2023-29325) should be included in this month's Windows section, the real problem with this core system library involves how Microsoft Outlook handles RTF and Word Doc "open" requests. We have not had any reports of these other Microsoft Office related vulnerabilities being exploited in the wild nor any public disclosures for Excel. Given the urgency of these Microsoft Outlook and core Microsoft Office (OLE) patches, add these Office updates to your "Patch Now" release schedule.
Great news: no Exchange Server updates this cycle.
Microsoft released just two updates this month (CVE-2023-29338 and CVE-2023-29343), both rated important. Affecting only Visual Studio and Sysmon (thank you, Mark) there is a very low testing profile for either update. Add these updates to your standard developer release schedule.
Adobe Reader (still here, but not this month)
Happy Days! No Adobe Reader updates from Microsoft for May.
Greg Lambert is an evangelist for Application Readiness, the online assessment and application conversion specialists. Greg is a co-founder of ChangeBASE, and now CEO of Application Readiness, and has considerable experience with application packaging technology and its deployment.
Copyright © 2023 IDG Communications, Inc.
Known issues Major revisions Mitigations and workarounds Testing guidance High risk Standard risk Windows lifecycle update Browsers Windows Microsoft Office Microsoft Exchange Server Microsoft development platforms Adobe Reader (still here, but not this month)