
greglambert, Contributor

Critical zero-day flaws in Windows, Office mean it’s time to patch

Opinion, Nov 17, 2023

Microsoft's Patch Tuesday release for November delivers 63 updates, with three zero-day flaws affecting Windows and Office. That makes quick patching a must.


We are now in the third decade of Microsoft’s monthly Patch Tuesday releases, which deliver fewer critical updates to browsers and Windows platforms — and much more reliable updates to Microsoft Office — than in the early days of patching. But this month, the company rolled out 63 updates (including fixes for three zero-days in Windows and Office).

Updates to Microsoft Exchange and Visual Studio can be included in standard patch release cycles, while Adobe needs to be included in your “Patch Now” releases for third-party applications. 

The team at Readiness has provided a detailed infographic that outlines the risks associated with each of the updates for November.

Known issues

Microsoft publishes a list of known issues that relate to the operating system and platforms included in each update. This month, that list includes:

  • File Explorer will crash after KB5031354 is uninstalled on Win11 22H2 platforms. Still Active.
  • Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error. As of now, Microsoft is still working on a resolution.
  • In Skype for Business 2019 and 2015, the Debug-CsIntraPoolReplication cmdlet fails if you use the ConnectionUri parameter during a remote PowerShell session created by using an OcsPowerShell endpoint.

If you’re lucky enough to receive access to Microsoft’s Windows AI Copilot this month, you might experience a display issue with your desktop icons unexpectedly moving from one display to another — and then moving back to the original display. Don’t worry, there is no ghost in the machine. Oh, wait….

Major revisions

At this point, Microsoft has published three major revisions that require attention for this cycle, including:

  • CVE-2023-36008: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
  • CVE-2023-36026: Microsoft Edge (Chromium-based) Spoofing Vulnerability
  • CVE-2023-6112: Chromium: CVE-2023-6112 Use after free in Navigation

All of these revisions were for informational purposes only, and do not require additional action.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this Patch Tuesday release:

  • CVE-2023-38151: Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability. Microsoft has advised that the target system must have installed Microsoft OLE DB Provider for DB2 Server Version 7.0 to be vulnerable.
  • CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. The Windows message queuing service, which is a Windows component, must be enabled for a system to be exploitable by this vulnerability. This feature can be verified via the Windows Control Panel.
  • CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability. PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. If you are not running this service, your systems are not vulnerable to this issue.
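The three mitigations above each hinge on a precondition that can be checked on the host before deciding whether the patch is urgent. The following PowerShell is an added example, not code from the column or from Microsoft; the MSMQ feature-name pattern, the NPS service name "IAS" and the DB2 provider ProgID "DB2OLEDB" are assumptions, and the script reports exposure only, it changes nothing.

```powershell
# Added example: report whether the preconditions Microsoft lists for
# CVE-2023-38151, CVE-2023-36397 and CVE-2023-36028 hold on this host.
#Requires -RunAsAdministrator

$findings = @()

# CVE-2023-36397: the Message Queuing (MSMQ) component must be enabled.
# Assumption: optional features are named "MSMQ*" and the service is "MSMQ".
$msmqFeature = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
    Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' }
$msmqSvc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    CVE       = 'CVE-2023-36397'
    Condition = 'Message Queuing enabled'
    Exposed   = [bool]($msmqFeature -or ($msmqSvc -and $msmqSvc.Status -eq 'Running'))
}

# CVE-2023-36028: NPS must be running AND have a network policy allowing PEAP.
# Assumption: the NPS service is registered as "IAS". The policy half of the
# condition is not inspected here; review the NPS network policies by hand.
$nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    CVE       = 'CVE-2023-36028'
    Condition = 'NPS service running (PEAP policy still needs manual review)'
    Exposed   = [bool]($nps -and $nps.Status -eq 'Running')
}

# CVE-2023-38151: Microsoft OLE DB Provider for DB2 must be installed.
# Assumption: the provider registers the COM ProgID "DB2OLEDB". A ProgID hit
# shows the provider is present; the 7.0 version check must be done separately.
$db2 = Test-Path 'Registry::HKEY_CLASSES_ROOT\DB2OLEDB'
$findings += [pscustomobject]@{
    CVE       = 'CVE-2023-38151'
    Condition = 'Microsoft OLE DB Provider for DB2 installed'
    Exposed   = $db2
}

$findings | Format-Table -AutoSize
```

An "Exposed = False" row means the mitigation condition is absent and the patch can ride the normal cycle; "True" means treat that CVE as Patch Now for the host.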

Testing guidance

Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Microsoft has made a major update to a minor file system management feature this month, with changes to how Storage Sense updates and removes old and temporary files. There is an excellent video explainer, and as Microsoft explains: “(Storage Sense) will run when your device is low on disk space and will clean up unnecessary temporary files. Content from the Recycle Bin will be deleted by default after some time, but items in your Downloads folder and OneDrive (or any other cloud provider) will not be touched unless you set up Storage Sense to do so.”

Our testing process raises a few concerns when the Windows file system has been updated, so we have included a few additional steps to validate this month’s changes:

  1. Run Storage Sense (this may be your first time).
  2. Delete all temporary files in the following path c:\users, %SYSTEM_PATHS% including nested folders.
  3. Confirm that only old files (older than the date set in your Storage Sense settings) are deleted.
  4. Confirm that file memory.dmp (older than your set threshold) deletes correctly.
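Step 3 is easier to judge against files of known age than against whatever happens to be in a temp folder. The following PowerShell is an added example, not part of the column or of Readiness's own test suite: it seeds a probe folder under %TEMP% with files whose timestamps straddle the Storage Sense threshold, and after you run Storage Sense it reports whether only the over-threshold file was removed. The $ThresholdDays value is assumed to match the age configured in Storage Sense.

```powershell
# Added example: seed aged probe files before running Storage Sense, then verify
# that only the file older than the configured threshold was deleted.

$Probe = Join-Path $env:TEMP 'storagesense-probe'

function Initialize-StorageSenseProbe {
    param([int]$ThresholdDays = 30)   # assumption: equals the Storage Sense setting
    New-Item -ItemType Directory -Path $Probe -Force | Out-Null
    # Age in days for each probe file: clearly old, just under the limit, brand new.
    $ages = @{ 'old.tmp' = $ThresholdDays + 10; 'edge.tmp' = $ThresholdDays - 1; 'new.tmp' = 0 }
    foreach ($name in $ages.Keys) {
        $path = Join-Path $Probe $name
        Set-Content -Path $path -Value ('x' * 1024)
        $stamp = (Get-Date).AddDays(-$ages[$name])
        $item = Get-Item $path
        $item.CreationTime = $stamp
        $item.LastWriteTime = $stamp
        $item.LastAccessTime = $stamp
    }
    Get-ChildItem $Probe | Select-Object Name, LastWriteTime
}

function Test-StorageSenseProbe {
    $result = foreach ($name in 'old.tmp', 'edge.tmp', 'new.tmp') {
        $present = Test-Path (Join-Path $Probe $name)
        # Only the file seeded older than the threshold should be gone.
        $shouldBeGone = ($name -eq 'old.tmp')
        [pscustomobject]@{
            File     = $name
            Present  = $present
            Expected = if ($shouldBeGone) { 'deleted' } else { 'kept' }
            OK       = ($present -ne $shouldBeGone)
        }
    }
    $result | Format-Table -AutoSize
    if ($result.OK -contains $false) {
        Write-Warning 'Storage Sense did not apply the configured age threshold.'
    }
}

# Usage: Initialize-StorageSenseProbe -ThresholdDays 30; run Storage Sense from
# Settings; then Test-StorageSenseProbe.
```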

The following changes in this month’s update are not seen as high risk (for unexpected outcomes) and do not include functional changes:

  • Microsoft DHCP services have been updated. Test your multi-server failover operations by sending a “failover” message to another running server.
  • VPN Update: connect to your enterprise VPN multiple times, with mid-session disconnects. Include basic internet browsing, large file uploads/downloads and video streaming.
  • Your VHD creation process will need a quick test — mount/unmount a VHD file with a CRUD test (Create/Read/Update/Delete).
  • BitLocker has been updated. Turn on BitLocker and reboot. Confirm that the reboot sequence has not been affected by this update.

There has also been a major update to how Windows handles file compression. Following last month’s WinRAR security issues, Microsoft now supports archive formats that include .tar, .7zip, .rar and .tar.gz. Readiness strongly suggests removing (a full, validated uninstall) WinRAR and other third-party compression utilities.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line of business apps, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • ESU Year 1 for Windows Server 2012 and Windows Server 2012 R2 started on Oct. 11, 2023. Note: All Security Only and Monthly Rollup packages are now in ESU and require an ESU license.
  • From now on, Security Only packages will no longer be published for Windows Server 2012 and Windows Server 2012 R2. This is to simplify publishing of ESU packages, align to the cumulative servicing model, and avoid fragmentation problems.

You can read more about the recent changes at the Lifecycle update page.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange Server.
  • Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core).
  • Adobe (retired???, maybe next year).

Browsers

Microsoft has adopted the Chromium release schedule and no longer specifically publishes updates on Patch Tuesday. That said, 14 updates to the Chromium project Edge browser were released this month (none critical, and no zero-days for Microsoft or Chromium). For more information on Microsoft Edge security updates refer to the weekly updated Microsoft support page. Add these updates to your standard patch release schedule.

Windows

Microsoft released two critical updates and 30 patches rated important to the Windows platform that cover the following key components:

  • Windows Hyper-V.
  • Windows Internet Connection Sharing (ICS).
  • Microsoft Bluetooth Driver.
  • Windows Scripting.
  • Windows Kernel.
  • Windows Compressed Folder (see our notes on file compression for context).

The real concern this month is the two publicly reported (and exploited) vulnerabilities:

  • CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability. This is a real zero-day that requires immediate attention. In the words of the Microsoft security team, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
  • CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. This is not as bad as 36033, but a successful attack (of which there are many reports) will lead to complete system access on the compromised system. So, yeah. Not good.

Here is this month’s Windows 11 release video. Otherwise, add this update to your “Patch Now” release schedule.

Microsoft Office

Microsoft published five low-profile updates rated as important. That said, CVE-2023-36413 (a publicly reported security bypass vulnerability) is a distinctly dangerous security issue that only affects recent versions of Microsoft Office (Office 365 and Office 2019/2021) and will require immediate attention. If you are using older versions of Office, add these updates to your standard release schedule. If you are up to date, then add these Office updates to your “Patch Now” timeline. And, yes — we think that this should be the other way around as well.

Microsoft Exchange Server

Microsoft released four updates to the now-venerable Exchange Server (we wanted to say “vulnerable”) this month. Though these updates may be a pain for Exchange administrators (no special instructions, but a reboot will be required), these are fully confirmed fixes for difficult-to-exploit, non-“wormable” issues. All four issues (CVE-2023-36439, CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035) require full administrator access and as of now have not been reported as exploited or publicly reported. Add these low-profile updates to your standard server release schedule.

Microsoft development platforms

Microsoft released six updates, all rated important, that affect Visual Studio and .NET/ASP.NET. All currently supported versions of both product groups are affected. These issues could lead to elevation-of-privilege and spoofing attacks. With no critical-rated or remote code execution scenarios to manage, add these developer updates to your standard developer release schedule.

Adobe Reader (still here, but not this month)

We’re starting to get the hang of Adobe’s release schedule with this month’s anticipated year-end update to their core products — including Adobe Reader — with the release of APSB23-02. This is a critical-rated update for Reader and will require immediate attention. Given the recent changes to Microsoft’s enthusiasm for third-party tools, you have to wonder how long Adobe Reader has before Microsoft decides enough is enough.