Patch Office and Windows now to resolve two zero-days

Microsoft has fixed 80 new CVEs this month in addition to four previous CVEs, bringing the number of vulnerabilities addressed in this month’s Patch Tuesday release to 84.

Unfortunately, there are two zero-day vulnerabilities, one in Outlook (CVE-2023-23397) and one in Windows (CVE-2023-24880), that put both the Windows and the Microsoft Office updates on a “Patch Now” release schedule. As last month, there were no further updates to Microsoft Exchange Server or Adobe Reader. This month the Application Readiness team has provided useful, informative guidance describing the risks associated with each of the updates in this cycle.

Known issues

Each month, Microsoft adds a list of known issues related to the operating system and platforms that are part of the update cycle.

  • KB5022842: After installing KB5022842 on Windows Server 2022 with Secure Boot enabled and rebooting twice, a VMware VM failed to boot with the new bootmgr. Microsoft is still investigating this issue. Separately, WPF apps may behave differently after installing this update.
  • After installing this month’s Windows Update on Guest Virtual Machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 may not start.

Microsoft is still working on a network performance issue with Windows 11 22H2. Large (multi-gigabyte) network file transfers (and possibly similar large local transfers) are affected. This issue should primarily affect IT administrators.

Major revisions

Microsoft released four major revisions this month that cover:

  • VE-2023-2156: Microsoft SQL Server Integration Service (VS Extension) Remote Code Execution Vulnerability.
  • CVE-2022-41099: BitLocker Security Feature Bypass Vulnerability.
  • CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability.
  • CVE-2023-21808: .NET and Visual Studio Remote Code Execution Vulnerability.

All of these revisions are the result of documentation changes and broader software updates. No further action is required.

Limitations and Workarounds

Microsoft has published the following security mitigations for this month’s release:

  • CVE-2023-23392: HTTP Protocol Stack Remote Code Execution Vulnerability. A Windows Server 2022 system is only exposed to this vulnerability if HTTP/3 is enabled on the network binding and the server uses buffered I/O. Enabling HTTP/3 is described in the Microsoft article “Enable HTTP/3 support on Windows Server 2022”.
  • CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Microsoft has published two mitigations for this serious security issue:
  1. Add users to the Protected Users security group, which prevents those accounts from using NTLM as an authentication mechanism.
  2. Block outgoing TCP 445/SMB from your network using a perimeter firewall, a local firewall, and your VPN settings.
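The two CVE-2023-23397 mitigations above, together with the HTTP/3 precondition for CVE-2023-23392, as an added PowerShell example (not from the article or from Microsoft). It assumes the RSAT ActiveDirectory module is installed, that the EnableHttp3 registry value is the switch Microsoft’s HTTP/3 article describes, that the Windows Firewall “Internet” address keyword is available, and that the account names are placeholders.

```powershell
# Added example, not from the article: check the CVE-2023-23392 precondition and
# apply Microsoft's two CVE-2023-23397 mitigations with PowerShell. Run elevated.
# Assumptions: RSAT ActiveDirectory module present; $UsersToProtect holds
# placeholder sAMAccountNames; EnableHttp3 is the registry switch from Microsoft's
# "Enable HTTP/3 support on Windows Server 2022" article.

# --- 1. CVE-2023-23392: only hosts with HTTP/3 enabled in HTTP.sys are exposed ---
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$http3 = (Get-ItemProperty -Path $httpParams -Name EnableHttp3 -ErrorAction SilentlyContinue).EnableHttp3
if ($http3 -eq 1) {
    Write-Warning 'HTTP/3 is enabled in HTTP.sys: this host meets the CVE-2023-23392 precondition.'
} else {
    Write-Output 'HTTP/3 is not enabled in HTTP.sys (value absent or 0).'
}

# --- 2. CVE-2023-23397, mitigation 1: Protected Users group (NTLM refused for members) ---
Import-Module ActiveDirectory
$UsersToProtect = @('placeholder.admin1', 'placeholder.admin2')   # constructed placeholders
foreach ($user in $UsersToProtect) {
    try { $acct = Get-ADUser -Identity $user -ErrorAction Stop }
    catch { Write-Warning "Account '$user' not found; skipping."; continue }
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct
    Write-Output "Added $user to Protected Users (NTLM authentication now refused for this account)."
}

# --- 3. CVE-2023-23397, mitigation 2: block outbound TCP 445 to non-intranet hosts ---
# Local-firewall complement to the perimeter block the article recommends.
# 'Internet' is a Windows Firewall address keyword (assumption: non-intranet
# destinations), so intranet file shares keep working while SMB traffic off-network is cut.
$ruleName = 'Block outbound SMB (TCP 445) to Internet - CVE-2023-23397 mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule: $ruleName"
} else {
    Write-Output "Firewall rule already present: $ruleName"
}
```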

Test guidance

Each month, the Readiness team analyzes Patch Tuesday updates and provides detailed, actionable testing guidance; that guidance is based on the assessment of a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of changes made this month, I’ve broken down the test scenarios into high-risk and standard-risk groups.

High risk

Microsoft published several high-risk changes in the March update. While they may not lead to functional changes, testing them should be treated as mandatory for each update:

  • Microsoft has updated how DCOM responds to external requests as part of its recent hardening effort. This process has been under way since June 2021 (Phase 1), with an update in June 2022 (Phase 2), and this month all changes become mandatory. DCOM is a core part of Windows used for communication between services or processes. Microsoft has indicated that this (together with full implementation of the previous recommendations) will cause application-level compatibility issues. The company has published guidance on what is changing and how to fix any compatibility issues resulting from these now-mandatory settings.
  • A major change to the Win32kfull.sys core system file has been included this month, as two functions (DrvPlgBlt and PlgBlt) have been updated. Microsoft has communicated that there are no functional changes to these functions. Testing applications that rely on them is essential before fully deploying this month’s updates.
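An added PowerShell example (not from the article) for the DCOM hardening item above: it scans the System log for the DCOM authentication-level events Windows records when an activation falls below the hardened level, so applications that will break once the setting is mandatory can be found during testing. It assumes event IDs 10036 (server side) and 10037/10038 (client side) from the Microsoft-Windows-DistributedCOM provider; the computer list is a placeholder.

```powershell
# Added example, not from the article: report DCOM activations that the
# hardening will reject, per computer, from the System event log.
# Assumption: IDs 10036 (server side) and 10037/10038 (client side) are the
# authentication-level events the DCOM hardening logs.
param(
    [int]$Days = 30,
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # placeholder: add app servers here
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-$Days)
}

foreach ($computer in $ComputerName) {
    $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Output "$computer`: no DCOM authentication-level events in the last $Days days"
        continue
    }
    # One row per (event ID, message) so each affected application/CLSID appears once with a count.
    $events |
        Group-Object -Property Id, Message |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Computer = $computer
                EventId  = $first.Id
                Side     = if ($first.Id -eq 10036) { 'server' } else { 'client' }
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
                Message  = ($first.Message -split "`n")[0]   # first line names the app / CLSID
            }
        } | Format-Table -AutoSize -Wrap
}
```

Client-side events (10037/10038) name the calling process, which is where an application fix or vendor update is needed; server-side events (10036) show which remote callers are still using a weak authentication level.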

These scenarios require extensive application-level testing before being widely deployed.

  • Bluetooth: Test adding and removing new Bluetooth devices. Load testing of Bluetooth network devices is highly recommended.
  • Windows Networking Stack (TCPIP.SYS): Simple web browsing, “normal” file transfers, and video streaming should be enough to test the changes in the Windows Networking Stack.
  • Hyper-V: Try testing both Gen1 and Gen2 virtual machines (VMs). Both types of machines should successfully start, stop, shut down, pause, and resume.

In addition to these changes, Microsoft has updated a key memory function (D3DKMTCreateDCFromMemory) that affects two major system-level Windows drivers (win32kbase.sys and win32kfull.sys). Unfortunately, some users have experienced SYSTEM_SERVICE_EXCEPTION blue screen (BSOD) errors with previous updates to these drivers. Microsoft has posted information on dealing with these problems. Hopefully, you won’t have to deal with this kind of problem this month.

Windows lifecycle update

This section contains major maintenance changes (and most security updates) for Windows desktop and server platforms in the coming months:

  • Windows 10 Enterprise and Education, version 20H2, and Windows 10 IoT Enterprise, version 20H2, will reach end of service on May 9, 2023.

Each month, we break the update cycle into product families (as defined by Microsoft) with the following basic groups:

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange server.
  • Microsoft development platforms (ASP.NET Core, .NET Core, and Chakra Core).
  • Adobe (retired???, maybe next year).

Browsers

There were 22 browser updates for March (none rated critical): 21 from the Google release channel and one (CVE-2023-24892) from Microsoft. All of these updates are easy to deploy, with marginal to low deployment risk. Microsoft’s version of the release notes and the release notes for the Google desktop channel are both available online. Add these updates to your standard patch release schedule.

Windows

Microsoft has released 10 critical updates and 48 patches rated as important for the Windows platform, covering the following major components:

  • Postscript drivers for Microsoft printers.
  • Windows Bluetooth service.
  • Windows Win32K and Core Graphics Components (GDI).
  • Windows HTTP protocol stack and PPPoE.

Apart from the recent change in DCOM authentication (see the DCOM hardening discussion above), most of this month’s updates have a very low risk profile. We have a minor print subsystem update (PostScript 6) and other tweaks to network processing, storage, and graphics components. Unfortunately, we have a true zero-day in Windows SmartScreen (CVE-2023-24880, aka Windows Defender) with reports of both exploitation and public disclosure. So please add these Windows updates to your “Patch Now” release schedule.

Microsoft Office

Microsoft has released 11 updates to the Microsoft Office platform, one of which is rated Critical (or, in this case, super critical); the remaining updates are rated Important and only affect Excel and SharePoint. Unfortunately, the Microsoft Outlook vulnerability (CVE-2023-23397) needs to be patched immediately. I’ve included Microsoft’s recommendations in the mitigation section above, including adding users to a higher-security group and blocking port 445/SMB on your network. Given the low risk of breaking other apps and the ease of deployment of this patch, I have another idea: add these Office updates to your “Patch Now” release schedule.

Microsoft Exchange server

No Microsoft Exchange updates are required this month. That said, there is a particularly concerning problem with Microsoft Outlook (CVE-2023-23397) that will be more than enough to keep any email admin busy this month.

Microsoft development platforms

This is a very light patch cycle for Microsoft development platforms with only four updates to Visual Studio (GitHub extensions) this month. All of these updates are rated as important by Microsoft and have a very low deployment risk profile. Add these updates to your standard developer release schedule.

Adobe Reader (still here, but just not this month)

We may be seeing a trend here, as Adobe hasn’t released any updates to Adobe Reader. It’s also interesting that this is the first time in nine months that Microsoft hasn’t released critical updates to its XPS, PDF, or printing subsystem. So no mandatory printer testing is required this month.

Copyright © 2023 IDG Communications, Inc.