This month's Patch Tuesday release included 49 updates, but no major zero-day flaws. Credit: Shutterstock Microsoft this week released 49 updates (including two recent additions) on Patch Tuesday with no reported zero-day flaws, public disclosures, or newly released working exploits for the Microsoft ecosystem. This came as welcome news and is paired with low-risk changes to Microsoft Office. The company’s development platforms saw minor updates to Visual Studio, and both SQL Server and Microsoft Exchange were patch free for the month. The team at Readiness has provided a useful infographic outlining the risks associated with each of the updates. Known issues Each month, Microsoft publishes a list of known issues that are part of the latest update cycle, including the following reported minor issues: After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft is still working on this one. In the meantime there is a workaround that involves setting the Cache Hostname to 1. We recognize and respect Microsoft’s recent efforts with artificial intelligence (note, I did not say “AI” as that is an Apple thing now) but it would be nice if Microsoft resolved the profile picture (that you can’t change) known issue soon. Major revisions Microsoft published the following major revisions to past security and feature updates including: CVE-2024-30080: (see below for mitigations). This patch was updated late in the June release cycle. As this was an information update, no further action is required, unless you want to action the Microsoft recommended mitigations. Mitigations and workarounds Microsoft published the following vulnerability-related mitigations: CVE-2024-30070: DHCP Server Service Denial of Service Vulnerability. Microsoft (helpfully) notes that if you’re not using DHCP, you are not affected by this potential vector for DDOS attacks. CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability. Message Queuing security issues are tough to find, mitigate and test, so this might need some careful attention from your internal developers. At the very least, ensure that you have changed your ports from the MSMQ listening default (1801) to help reduce your attack surface. Microsoft also recommends you check to see whether the MSMQ HTTP-Support feature is enabled. The team at Readiness analyzed the latest Patch Tuesday updates to provide detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact. For this cycle, we have grouped the critical updates and required testing efforts into different functional areas including: Microsoft Office Microsoft SharePoint will require basic document opening and multi-user access tests this month. Microsoft .NET and Developer Tools There are no updates to Microsoft .NET requiring application portfolio testing this month. Windows The following core Microsoft features have been updated: Changes to Secure Boot will require testing of all third-party drivers. Code integrity policies need to be verified for Windows Lockdown (WLDP), Windows Defender Application Guard (WDAG) and the Windows Driver Policy for Intune deployments. We recommend you test your Windows desktop sandbox and ensure that it boots correctly. Changes to Windows networking will require testing at least two DHCP servers. Remote desktop-related updates will require VPN connection tests. Try some administrative commands from the Microsoft Management console (MMC) such as adding, connecting and disconnecting VPN connections. This month’s update also affects several core systems such as Kernel32 and Win32K.SYS sub-systems. Unfortunately, these changes affect how applications behave at a fundamental level, which makes testing not just hard, but broad and expansive across your application portfolio. The Readiness team suggests that the following general application tests be performed against all of your core line-of-business applications. Test as many windows and pop-ups as possible. Check window title bars for errors, or poorly formatted text. Check for unusual items in the Windows taskbar. Thoroughly test File explorer (sorry about that). Test multiple applications, with multiple windows. Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business apps, getting the application owner (doing UAT) to test and approve the results is essential. Windows lifecycle update This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms. Windows 10 Enterprise and Education, Version 21H2 will no longer be serviced as of June 11, 2024 For those planning ahead, Oct. 8, 2024, is a big day as Microsoft will no longer offer general servicing for the following desktop platforms: Windows 11 Enterprise and Education, Version 21H2 Windows 11 Home and Pro, Version 22H2 Windows 11 IoT Enterprise, Version 21H2 Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge) Microsoft Windows (both desktop and server) Microsoft Office Microsoft Exchange Server Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core) Adobe (if you get this far) Browsers Microsoft has released seven minor updates to the Chromium-based browser (Edge), while the Chromium project has added six additional updates this week. These updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule. Windows This month, Microsoft released one critical update (CVE-2024-30080) and 32 patches rated as important for Windows, covering the following key components: Windows Win32 Kernel Subsystem, GRFX and drivers Networking (Wii-fi) and DHCP Storage and Error Reporting Crypto and BitLocker The critical-rated patch relates to the core, but not often used, Message Queuing service (MSMQ) that could affect internal applications. Unusually, this patch has already been updated since the main release on Tuesday. That said, the Readiness team believes all these Windows patches can be added to your standard release schedule. Microsoft Office There were no critical updates for Office this month, and only five patches rated as important. All five have low potential for exploitability (no worms, add-in vulnerabilities or Word macro issues) and should be added to your regular Microsoft Office update schedule. Microsoft Exchange Server No updates for Microsoft Exchange Server or SQL Server this month, which, of course, is a good thing. Microsoft development platforms Microsoft released just three updates to Microsoft Visual Studio. These patches affect versions of the Microsoft developer platform from 2017 to 2022. All of the proposed changes are low risk and application specific. Add these updates to your standard developer release schedule. Adobe Reader (if you get this far) We are back to the usual state of things, and Microsoft has not chosen to include any Adobe products this release cycle. This is a very good thing. Read Greg Lambert‘s 2024 Patch Tuesday reports: July June May April March February January Related content feature Microsoft's Patch Tuesday updates: Keeping up with the latest fixes Here's a look at the most recent Patch Tuesday release from Microsoft as well as a collection of recent updates so you can track what's changed. By Dan Muse Aug 16, 2024 5 mins Microsoft Microsoft Office Windows 10 opinion For August, Patch Tuesday means patch now Microsoft’s monthly update for August includes fixes for six — yes, six — zero-day flaws affecting Windows and Office. By Greg Lambert Aug 16, 2024 10 mins Microsoft Microsoft Office Windows Security opinion Germany’s BSI guns for better tech security Microsoft will need to become secure by design, but if you can't wait there's an alternative. By Jonny Evans Aug 16, 2024 5 mins Apple Windows Security feature Windows 11 Insider Previews: What’s in the latest build? Get the latest info on new preview builds of Windows 11 as they roll out to Windows Insiders. Now updated for Build 27686 for the Canary Channel, released on Aug. 15, 2024. By Preston Gralla Aug 16, 2024 285 mins Small and Medium Business Microsoft Windows 11 Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe