Microsoft's Patch Tuesday release for November delivers 63 updates, with three zero-day flaws affecting Windows and Office. That makes quick patching a must.

We are now in the third decade of Microsoft’s monthly Patch Tuesday releases, which deliver fewer critical updates to browsers and Windows platforms — and much more reliable updates to Microsoft Office — than in the early days of patching. But this month, the company rolled out 63 updates (including fixes for three zero-days in Windows and Office).

Updates to Microsoft Exchange and Visual Studio can be included in standard patch release cycles, while Adobe needs to be included in your “Patch Now” releases for third-party applications. The team at Readiness has provided a detailed infographic that outlines the risks associated with each of the updates for November.

Known issues

Microsoft publishes a list of known issues that relate to the operating system and platforms included in each update. This month, that list includes:

- File Explorer will crash after KB5031354 is uninstalled on Win11 22H2 platforms. Still Active.
- Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error. As of now, Microsoft is still working on a resolution.
- In Skype for Business 2019 and 2015, the Debug-CsIntraPoolReplication cmdlet fails if you use the ConnectionUri parameter during a remote PowerShell session created by using an OcsPowerShell endpoint.

If you’re lucky enough to receive access to Microsoft’s Windows AI Copilot this month, you might experience a display issue with your desktop icons unexpectedly moving from one display to another — and then moving back to the original display. Don’t worry, there is no ghost in the machine. Oh, wait….

Major revisions

At this point, Microsoft has published three major revisions that require attention for this cycle, including:

- CVE-2023-36008: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
- CVE-2023-36026: Microsoft Edge (Chromium-based) Spoofing Vulnerability
- CVE-2023-6112: Chromium: CVE-2023-6112 Use after free in Navigation

All of these revisions were for informational purposes only, and do not require additional action.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this Patch Tuesday release:

- CVE-2023-38151: Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability. Microsoft has advised that the target system must have installed Microsoft OLE DB Provider for DB2 Server Version 7.0 to be vulnerable.
- CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. The Windows message queuing service, which is a Windows component, must be enabled for a system to be exploitable by this vulnerability. This feature can be verified via the Windows Control Panel.
- CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability. PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. If you are not running this service, your systems are not vulnerable to this issue.

Testing guidance

Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Microsoft has made a major update to a minor file system management feature this month, with changes to how Storage Sense updates and removes old and temporary files.
There is an excellent video explainer, and as Microsoft explains: “(Storage Sense) will run when your device is low on disk space and will clean up unnecessary temporary files. Content from the Recycle Bin will be deleted by default after some time, but items in your Downloads folder and OneDrive (or any other cloud provider) will not be touched unless you set up Storage Sense to do so.”

Our testing process raises a few concerns when the Windows file system has been updated, so we have included a few additional steps to validate this month’s changes:

- Run Storage Sense (this may be your first time).
- Delete all temporary files in the following path c:users, %SYSTEM_PATHS% including nested folders.
- Confirm that only old files (older than the date set in your Storage Sense settings) are deleted.
- Confirm that file memory.dmp (older than your set threshold) deletes correctly.

The following changes in this month’s update are not seen as high risk (for unexpected outcomes) and do not include functional changes:

- Microsoft DHCP services have been updated. Test your multi-server failover operations by sending a “failover” message to another running server.
- VPN Update: connect to your enterprise VPN multiple times, with mid-session disconnects. Include basic internet browsing, large file uploads/downloads and video streaming.
- Your VHD creation process will need a quick test — mount/unmount a VHD file with a CRUD test (Create/Read/Update/Delete).
- BitLocker has been updated. Turn on BitLocker and reboot. Confirm that the reboot sequence has not been affected by this update.

There has also been a major update to how Windows handles file compression. Following last month’s WinRAR security issues, Microsoft now supports archive formats that include tar, .7zip, .rar, .tar.gz. Readiness strongly suggests removing (a full, validated uninstall) WinRAR and other third-party compression utilities.
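
The two Storage Sense confirmations listed above (only files older than the threshold are deleted, and an old memory.dmp is removed) can be checked by snapshotting the temp paths before and after a cleanup run. The script below is an added example, not part of the original article or any Readiness tooling; it assumes file age is judged by last-modified time, and the 30-day threshold and the temporary tree built in `demo()` are constructed sample data.

```python
import os
import tempfile
import time

DAY = 86400  # seconds

def snapshot(root):
    """Map each file path (relative to root) to its last-modified time."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                files[os.path.relpath(full, root)] = os.stat(full).st_mtime
            except OSError:
                continue  # file vanished or is locked mid-walk; skip it
    return files

def audit_cleanup(before, after, threshold_days, now, must_delete=("memory.dmp",)):
    """Return (wrongly_deleted, not_deleted) for a before/after snapshot pair.

    wrongly_deleted: files removed although newer than the threshold.
    not_deleted: must_delete files older than the threshold that survived.
    """
    cutoff = now - threshold_days * DAY
    wrongly_deleted = sorted(p for p, m in before.items()
                             if p not in after and m > cutoff)
    not_deleted = sorted(p for p, m in before.items()
                         if p in after and m <= cutoff
                         and os.path.basename(p).lower() in must_delete)
    return wrongly_deleted, not_deleted

def demo():
    """Constructed sample: a temp tree stands in for the real temp paths."""
    now = time.time()
    new_file = os.path.join("nested", "new.tmp")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "nested"))
        for rel, age in {"old.tmp": 40, new_file: 2, "memory.dmp": 45}.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.utime(path, (now - age * DAY,) * 2)  # backdate atime and mtime
        before = snapshot(root)
        # Simulated faulty cleanup: removes a 2-day-old file, keeps memory.dmp
        os.remove(os.path.join(root, "old.tmp"))
        os.remove(os.path.join(root, new_file))
        return audit_cleanup(before, snapshot(root), 30, now)

if __name__ == "__main__":
    print(demo())
```

On a test machine, call `snapshot()` on each temp path before running Storage Sense and again afterwards; both returned lists should be empty.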

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line of business apps, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

ESU Year 1 for Windows Server 2012 and Windows Server 2012 R2 started on Oct. 11, 2023. Note: All Security Only and Monthly Rollup packages are now in ESU and require an ESU license. From now on, Security Only packages will no longer be published for Windows Server 2012 and Windows Server 2012 R2. This is to simplify publishing of ESU packages, align to the cumulative servicing model, and avoid fragmentation problems. You can read more about the recent changes at the Lifecycle update page.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (retired???, maybe next year).

Browsers

Microsoft has adopted the Chromium release schedule and no longer specifically publishes updates on Patch Tuesday. That said, 14 updates to the Chromium project Edge browser were released this month (none critical, and no zero-days for Microsoft or Chromium). For more information on Microsoft Edge security updates refer to the weekly updated Microsoft support page. Add these updates to your standard patch release schedule.

Windows

Microsoft released two critical updates and 30 patches rated important to the Windows platform that cover the following key components:

- Windows Hyper-V.
- Windows Internet Connection Sharing (ICS).
- Microsoft Bluetooth Driver.
- Windows Scripting.
- Windows Kernel.
- Windows Compressed Folder (see our notes on file compression for context).

The real concern this month is the two publicly reported (and exploited) vulnerabilities:

- CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability. This is a real zero-day that requires immediate attention. In the words of the Microsoft security team, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
- CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. This is not as bad as 36033, but a successful attack (of which there are many reports) will lead to complete system access on the compromised system. So, yeah. Not good.

Here is this month’s Windows 11 release video. Otherwise, add this update to your “Patch Now” release schedule.

Microsoft Office

Microsoft published five low-profile updates rated as important. That said, CVE-2023-36413 (a publicly reported security bypass vulnerability) is a distinctly dangerous security issue that only affects recent versions of Microsoft Office (Office 365 and Office 2019/2021) and will require immediate attention.

If you are using older versions of Office, add these updates to your standard release schedule. If you are up to date, then add these Office updates to your “Patch Now” timeline. And, yes — we think that this should be the other way around as well.

Microsoft Exchange Server

Microsoft released four updates to the now-venerable Exchange Server (we wanted to say “vulnerable”) this month. Though these updates may be a pain for Exchange administrators (no special instructions, but a reboot will be required), these are fully confirmed fixes for difficult-to-exploit, non-“wormable” issues. All four issues (CVE-2023-36439, CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035) require full administrator access and as of now have not been reported as exploited or publicly reported.

Add these low-profile updates to your standard server release schedule.

Microsoft development platforms

Microsoft released six updates, all rated important, that affect Visual Studio and .NET/ASP.NET. All currently supported versions of both product groups are affected. These issues could lead to elevation-of-privilege and spoofing attacks. With no critical-rated or remote code execution scenarios to manage, add these developer updates to your standard developer release schedule.

Adobe Reader (still here, but not this month)

We’re starting to get the hang of Adobe’s release schedule with this month’s anticipated year-end update to their core products — including Adobe Reader — with the release of APSB23-02. This is a critical-rated update for Reader and will require immediate attention.

Given the recent changes to Microsoft’s enthusiasm for third-party tools, you have to wonder how long Adobe Reader has before Microsoft decides enough is enough.