Americas

  • United States

Asia

greglambert
Contributor

May’s Patch Tuesday update includes 3 zero-day flaws; fix them ASAP

opinion
May 11, 20237 mins
MicrosoftMicrosoft OfficeSecurity

Microsoft this week rolled out fixes for 51 vulnerabilities in Windows, Microsoft Office, and Visual Studio — including three zero-day flaws that should be patched immediately.

In it’s May update, Microsoft addressed 51 vulnerabilities in Windows, Microsoft Office, and Visual Studio. And with three zero-day flaws to urgently address in Windows (CVE-2023-24932, CVE-2023-29325 and CVE-2023-29336), the focus this month needs to be on rapidly updating both Windows and Microsoft Office. Both platforms get our “Patch Now” recommendation.

Testing for this patch cycle must include validating Windows secure boot, remote desktop and VPN transfers, and ensuring that Microsoft Outlook handles document (RTF and DOC) files correctly. The team at Application Readiness has crafted this helpful infographic to outline the risks associated with each of the updates for this cycle.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest updates. For May, these include:

  • After installing the April and/or later updates, Windows devices with some third-party UI customization apps might not launch. Startallback and ExplorerPatcher have released a fix for these respective UI issues.
  • After installing the May update on guest virtual machines (VMs) running Windows Server 2022, some versions of VMware ESXi, Windows Server 2022 might not start up. Both Microsoft and VMWare are working (together??) on a resolution.

One issue that still affects all versions of Windows 10 (as it hasfor the past three months) is that kiosk device profiles are still not signing in automatically. Microsoft is working on a fix. And for those looking for some redeeming value in gaming updates (who isn’t these days?) Red Dead Redemption 2 is now reported to be able to start up. Well done.

Major revisions

This month, there have not been any CVEs updated or major revisions to previous patches.

Mitigations and workarounds

Microsoft has not published any further mitigations or workarounds for this month’s patches.

Testing guidance

Each month, the team at Readiness analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. The guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows and application installations.)

Given the large number of system-level changes included this cycle, I have broken down the testing scenarios into standard and high-risk profiles.

High risk

Microsoft made significant changes this month to the TPM Module, in particular, Secure Boot and BitLocker. The Readiness team suggests the following basic tests for this update:

  • Target systems should boot as expected with both Secure Boot and BitLocker enabled.
  • Systems should boot (successfully) with BitLocker enabled, and Secure Boot turned off.
  • Try the following boot scenarios: USB Boot, DVD Boot, ISO Boot.
  • Test your backups after you have updated the secure boot system.
  • Ensure that your OS file system restores operate as expected once the update is applied.

We are unsure about the validity of recovery media once this May Patch Tuesday update has been applied. Your boot recovery media might/will fail if made on systems prior to this update. Once you have performed this update you will need to ensure full backups are completed and tested. This scenario affects both Windows 11 (22H2) desktops and Windows Server 2022.

Standard risk

The following changes included in this month’s update have not been raised as either high risk tweaks and do not include functional changes.

  • Exercise your applications using Microsoft LDAP Connect/Bind Command. Try this using SLL and without.
  • The key system file WIN32K.SYS has been updated, which may affect application menus.
  • Test applications that set up or configure monitors.
  • Test your VMs with Defender Application Guard installed and enabled.
  • If you have deployed Microsoft QUIC, test your connectivity over a VPN to your edge servers. This should include internet surfing, email, file uploads, and video streaming.

All these testing scenarios require significant application-level testing before general deployment. Given the nature of changes included in these patches, the Readiness team recommends that you:

  • Test your remote desktop and VPN Connections using SSTP.
  • Test Bluetooth devices (audio and mice).
  • Create, read, update, and delete files on an NFS share.
  • Test printing jobs (both local and remote).

Automated testing will help with these scenarios (especially using a testing platform that offers a “delta” or comparison between builds). For line-of-business applications that involve getting the application owner (doing UAT) to test and approve the testing results, this is still essential.

Windows lifecycle update

This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • All editions of Windows 10 version 20H2 have reached end of service as of May 9.
  • Windows 10 version 21H2 will reach end of service on June 13. Microsoft will continue to service the following editions of Windows 10 21H2: Windows 10 Enterprise and Education, Windows 10 IoT Enterprise, and Windows 10 Enterprise multi-session.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange Server;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired???, maybe next year).

Browsers

Microsoft released 11 low-profile updates to its browser portfolio, all of which have been rated important. For those still using the older code base (IE), the retired out-of-support Internet Explorer 11 desktop application was permanently turned off as part of the February Windows security update (“B” release). Add these updates to your standard patch release schedule.

Windows

This month, Microsoft released five critical updates and 22 patches rated important to the Windows platform; they cover the following key components:

  • Windows LDAP – Lightweight Directory Access Protocol.
  • Windows Network File System.
  • Windows Secure Socket Tunneling Protocol (SSTP) and PGM.

At first glance, the May Windows release seemed to be pretty light, with a lower-than-normal number of critical updates. However, Microsoft identified and addressed a vulnerability in the Windows secure boot process so complex that a staged release is required. Identified as CVE-2023-24932, Microsoft warns that this vulnerability allows an “attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.”

Yep — you heard that right — your secure boot process has been compromised (brought to you by Black Lotus). As mentioned in the testing guidance section above, boot media must be carefully analyzed; otherwise, “bricked” servers are a real possibility. Before proceeding, read this updated guidance for CVE-2023-24932, with some further reading on the Black Lotus campaign available here.

Add this update to your “Patch Now” release schedule.

Microsoft Office

Microsoft released one critical update to SharePoint Server this month. In addition to this, six other updates rated important affecting Word, Excel and Teams arrived. The focus needs to be on Microsoft Outlook (CVE-2023-29324) with an updated patch (to a previous mitigation) to resolve a serious elevation of privilege (EOP) vulnerability. Microsoft published an update(d) mitigation document to explain this serious security issue.

Though the Windows OLE related vulnerability (CVE-2023-29325) should be included in this month’s Windows section, the real problem with this core system library involves how Microsoft Outlook handles RTF and Word Doc “open” requests. We have not had any reports of these other Microsoft Office related vulnerabilities being exploited in the wild nor any public disclosures for Excel. Given the urgency of these Microsoft Outlook and core Microsoft Office (OLE) patches, add these Office updates to your “Patch Now” release schedule.

Microsoft Exchange Server

Great news: no Exchange Server updates this cycle.

Microsoft development platforms

Microsoft released just two updates this month (CVE-2023-29338 and CVE-2023-29343), both rated important. Affecting only Visual Studio and Sysmon (thank you, Mark) there is a very low testing profile for either update. Add these updates to your standard developer release schedule.

Adobe Reader (still here, but not this month)

Happy Days! No Adobe Reader updates from Microsoft for May.

greglambert
Contributor

Greg Lambert is an evangelist for Application Readiness, the online assessment and application conversion specialists. Greg is a co-founder of ChangeBASE, and now CEO of Application Readiness, and has considerable experience with application packaging technology and its deployment.

The opinions expressed in this blog are those of Greg Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author