greglambert
Contributor

For August, Patch Tuesday means patch now

Opinion
Aug 16, 2024, 10 min read
Tags: Microsoft, Microsoft Office, Windows Security

Microsoft’s monthly update for August includes fixes for six — yes, six — zero-day flaws affecting Windows and Office.

[Image: Microsoft update. Credit: Clint Patterson / Unsplash]

Microsoft pushed out 90 updates this week in its August Patch Tuesday release, including fixes for five Windows zero-days (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107) and one zero-day affecting Office (CVE-2024-38189). 

Unfortunately, this means a “Patch Now” recommendation for both Windows and Microsoft Office this month. Microsoft offered several (pretty useful) mitigations and recommendations to reduce the impact of these security issues; our testing guidance reflects this, with a focus on the networking related features of Windows. 

Minor updates for the Microsoft development platforms can be added to your standard patch release schedule, while Microsoft did not release any patches for Microsoft SQL Server or Exchange Server. And Adobe Reader updates are back, though we assume this will be included in your Windows desktop Patch Now release cycle. 

The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates. (See our running list of recent Patch Tuesday updates here.)

Known issues 

Each month, Microsoft publishes a list of known issues affecting the operating system and platforms included in the latest update cycle, including these two reported minor issues:

  • After installing the Windows update released on or after July 9, 2024, Windows Server might intermittently lose Remote Desktop connectivity across an organization. This issue might occur if the legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. Microsoft is working on a resolution. 
  • There’s an issue where “players” on Arm devices are unable to download and play Roblox via the Microsoft Store on Windows. This might be a good time to “block out” (sorry, not sorry) some time to look at potential compatibility issues on ARM platforms. Don’t forget to try to change your account profile photo — oh, wait!

Major revisions 

This Patch Tuesday saw the following major revisions to past Microsoft security and feature updates, including:

  • CVE-2024-29187: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM. Microsoft released updates on Tuesday for Microsoft Visual Studio 2017 version 15.9, Microsoft Visual Studio 2019 version 16.11, and Microsoft Visual Studio 2022 to address this GitHub-related issue. 
  • CVE-2024-38058: BitLocker Security Feature Bypass Vulnerability. Microsoft has added a FAQ to explain that because of firmware incompatibility issues, BitLocker would go into recovery mode on some devices; the fix for CVE-2024-38058 has been disabled with the release of this month’s updates. Customers who want to be protected can apply the mitigations described in KB5025885.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release cycle:

  • CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability. Microsoft recommended as part of their mitigation strategy that all corporate users no longer install the LPD utility. Given that this reported vulnerability has been publicly disclosed, the Readiness team highly recommends a scan of your environment to ensure that this service is not running (and preferably not installed).
  • CVE-2024-38159 and CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability. To reduce exposure to this vulnerability, Microsoft recommends that Hyper-V be disabled on the target machine. 
  • CVE-2024-38140: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability. Microsoft offers solid advice here. This vulnerability is only exploitable if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled, but no programs are actively listening, this vulnerability is not exploitable. 
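As an added example (not the article's or Microsoft's own code), this PowerShell audit checks a host against the three mitigations above: whether LPD is installed or running, whether Hyper-V is enabled, and whether the Reliable Multicast (PGM) protocol is bound to any adapter. The service name LPDSVC, the feature names Print-LPD-Service, Printing-Foundation-LPDPrintService and Microsoft-Hyper-V, and the binding ID ms_rmcast are assumed to match your Windows build.

```powershell
# Added example: audit a host's exposure to the August 2024 mitigations above.
# Run in an elevated PowerShell 5.1+ session. Names below are assumptions for current builds.
$findings = @()

# CVE-2024-38199: LPD should be neither running nor installed.
$lpd = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue
if ($lpd) {
    $findings += "LPD service present, status: $($lpd.Status), startup: $($lpd.StartType)"
}
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server: LPD ships as a role service.
    $feat = Get-WindowsFeature -Name 'Print-LPD-Service' -ErrorAction SilentlyContinue
    if ($feat -and $feat.Installed) { $findings += 'Server feature Print-LPD-Service is installed' }
} else {
    # Windows client: LPD is an optional feature.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName 'Printing-Foundation-LPDPrintService' -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') { $findings += 'Optional feature Printing-Foundation-LPDPrintService is enabled' }
}

# CVE-2024-38159 / CVE-2024-38160: exposure only matters where Hyper-V is enabled.
$hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
if ($hv -and $hv.State -eq 'Enabled') { $findings += 'Hyper-V is enabled' }

# CVE-2024-38140: only reachable if PGM (RMCAST) is bound and something is listening.
$pgm = Get-NetAdapterBinding -ComponentID 'ms_rmcast' -ErrorAction SilentlyContinue | Where-Object Enabled
if ($pgm) {
    $findings += "Reliable Multicast (PGM) bound on adapter(s): $(($pgm.Name) -join ', ')"
}

if ($findings.Count -eq 0) { 'No exposure to the three mitigated issues found on this host.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A PGM binding alone is not a finding of exploitability; pair it with a review of which processes, if any, actually use the protocol.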

Each month, the team at Readiness analyses the latest updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and app installations. We have grouped the critical updates and required testing efforts into separate product and functional areas, including:

Microsoft Office

Due to the changes to Microsoft Outlook and .NET components, we recommend a full test of sending/receiving mails with HTML content.

Microsoft .NET and developer tools

Microsoft updated both Microsoft .NET (Version 8) and Visual Studio 2022 with the following testing recommendations.

Windows

With the release of the Windows updates, Microsoft put a real focus on securing Windows networking features with updates to core system files such as AFD.SYS; these will require the following testing:

  • Network packets: try using a web browser to download and upload large files from both internal and external websites. Multicast senders will require validation on packet returns.
  • Network sockets: check that bind, connect and listen functions work as expected. Close socket functions will require testing this month, as well.
  • Smartcards: full logon/logoff testing will be required.
  • Network Bridges: This update will require testing across two or more network adapters. Try creating a bridge using IPv6 packets.
  • Bluetooth: Sending files across two Bluetooth adapters will require testing.
  • DNS: Recursive DNS queries will require a basic test. Have a look for any SERVFAIL returns or time-outs. We also suggest trying NETSH to configure proxy settings. 
  • Remote Desktop: Test remote configurations on RRAS platforms while using copy/paste functions over a VPN.

In addition to these networking-focused changes, Microsoft updated core features in the Windows desktop and server platforms, including:

  • Windows Error logs: a complete CRUD test (create, read, update and delete) will be required for Windows log files.
  • Kerberos: Logon and certificate workflows will require validation.
  • Codec and camera updates will require a basic test of camera (both still and video) features.
  • Hyper-V: With only minor changes to the Microsoft Hyper-V platform, a basic VM startup and shut-down test is recommended.

Microsoft made a number of significant changes to the Windows file system (NTFS) with changes to both the NtQueryEaFile and NtSetEaFile APIs. Unfortunately, a significant testing cycle is required that should include large file CRUD file tests — and remember to include a query component. The Readiness team suggests that a PowerShell test be included to assist with “pacing” rapid changes to the Windows file system.
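Here is an added PowerShell script (not from the article or the Readiness team) that runs the paced large-file create, read, update, query and delete cycle described above and reports the time taken by each step; the test path, file size and pacing delay are constructed parameters, and the query step exercises ordinary file metadata reads rather than the extended-attribute APIs directly.

```powershell
# Added example (not from the article): paced CRUD test of a large NTFS file. Assumes an NTFS volume with free space.
param(
    [string]$TestRoot = 'C:\PatchTest',   # constructed test location
    [int]$SizeMB = 512,                   # constructed file size
    [int]$PaceMs = 250                    # pause between steps to pace file-system activity
)
New-Item -ItemType Directory -Path $TestRoot -Force | Out-Null
$file = Join-Path $TestRoot 'large.bin'
$timings = [ordered]@{}
$sw = [System.Diagnostics.Stopwatch]::new()
# Create: write $SizeMB of random data in 1 MB chunks.
$sw.Restart()
$fs = [System.IO.File]::Create($file)
$buf = New-Object byte[] 1MB
$rng = [System.Random]::new()
for ($i = 0; $i -lt $SizeMB; $i++) { $rng.NextBytes($buf); $fs.Write($buf, 0, $buf.Length) }
$fs.Dispose()
$timings.Create = $sw.ElapsedMilliseconds
Start-Sleep -Milliseconds $PaceMs

# Read: stream the file back through a hash so every byte is touched.
$sw.Restart()
$hashBefore = (Get-FileHash -Path $file -Algorithm SHA256).Hash
$timings.Read = $sw.ElapsedMilliseconds
Start-Sleep -Milliseconds $PaceMs

# Update: overwrite the first 1 MB in place, then confirm the content changed.
$sw.Restart()
$fs = [System.IO.File]::Open($file, 'Open', 'ReadWrite')
$fs.Write((New-Object byte[] 1MB), 0, 1MB)
$fs.Dispose()
$timings.Update = $sw.ElapsedMilliseconds
if ((Get-FileHash -Path $file -Algorithm SHA256).Hash -eq $hashBefore) { throw 'Update did not change the file' }
Start-Sleep -Milliseconds $PaceMs

# Query: read file metadata (size, attributes, timestamps) and check the size.
$sw.Restart()
$item = Get-Item -Path $file
$null = $item.Attributes, $item.LastWriteTimeUtc
$timings.Query = $sw.ElapsedMilliseconds
if ($item.Length -ne ($SizeMB * 1MB)) { throw "Unexpected size $($item.Length)" }
Start-Sleep -Milliseconds $PaceMs

# Delete: remove the file and confirm it is gone.
$sw.Restart()
Remove-Item -Path $file -Force
$timings.Delete = $sw.ElapsedMilliseconds
if (Test-Path -Path $file) { throw 'Delete failed' }
[pscustomobject]$timings | Format-List   # milliseconds per step
```

Run it before and after the update on the same volume and compare the per-step timings; a step that throws is a functional regression, a step that slows sharply is worth a closer look.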

Given recent challenges with CrowdStrike and BitLocker, Microsoft published changes that will require testing of the Microsoft BitLocker recovery environment.

Windows lifecycle update (now including enforcements)

This section contains important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.

  • Enforcements: Now that we are past the July 2024 deadline for the enforcement phase, the Windows certificate “Windows Production PCA 2011” will be automatically revoked.
  • Lifecycle: Both Windows 11 Enterprise, Versions 21H2 and 22H2, have an end of servicing date of Oct. 8.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange Server.
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far).

Browsers

Microsoft released 11 updates to the Edge browser platform. These low-profile changes have been rated as either important or moderate, reflecting their lower security and deployment risks. We recommend following the stable channel release of Microsoft Edge, as there will be mid-cycle releases at the end of this month. Add these browser updates to your standard release schedule.

Windows

Microsoft has released six critical and 60 updates rated as important by Microsoft with five zero-day patches (as already noted, they are: CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, and CVE-2024-38107).

In addition to these updates, Microsoft released patches that affect the following Windows feature groups:

  • Windows DNS, broadband, routing, translation and multicast networking features.
  • Kernel mode and system drivers.
  • Line printer services (daemon).
  • Windows OLE.
  • Windows Kerberos.

Given the larger (and somewhat concerning) number of exploited and publicly disclosed vulnerabilities this month, we again recommend a “Patch Now” schedule for this update.

Microsoft Office 

Microsoft returns to form with one critical rated update to Copilot (CVE-2024-38206) and nine other updates to the Microsoft Office suite, all rated important. Unfortunately, one of the vulnerabilities (CVE-2024-38189) that affects the entire Office platform has been reported as exploited. Add Microsoft Office to the Patch Now release schedule.

Microsoft SQL (nee Exchange) Server 

Good news: no updates or patches for either SQL Server or Exchange Server. 

Microsoft development platforms 

Microsoft released four low-profile updates to the Microsoft .NET and Visual Studio 2022 platforms. We do not expect serious testing requirements for these lesser reported vulnerabilities. Add these updates to your standard developer release schedule.

Adobe Reader (and other third-party updates) 

Adobe Reader is back in the game with an important update, APSB24-57, which has addressed 12 memory and “use after free” (my favorite) security vulnerabilities; it can be added to your Windows update cycle.