Four zero-days make July ‘s Patch Tuesday a ‘patch now’ update

With this month's Patch Tuesday update, Microsoft addressed 130 security vulnerabilities, published two advisories, and included four major CVE revisions. We also have four zero-days to manage for Windows (CVE-2023-32046, CVE-2023-32049, CVE-2023-36874 and CVE-2023-36884), bringing the Windows platform into a “patch now” schedule.

It should be easier to focus on Microsoft Office and Windows testing this month, as we do not have any Adobe, Exchange, or browser updates. Be sure to carefully review Microsoft's Storm 0978 as it provides specific, actionable guidance on managing the serious HTML vulnerability in Microsoft Office (CVE-2022-38023).

The Readiness team has crafted this helpful infographic to outline the risks associated with each of the updates.

Known issues

Microsoft each month lists known issues that relate to the operating system and platforms included in the latest update cycle.

• After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected. Microsoft and VMware are investigating the problem and will offer more information when it's available.

• Using provisioning packages on Windows 11, version 22H2 might not work as expected. Windows might only be partially configured, and the out-of-box experience might not finish or might restart unexpectedly.

Major revisions

Microsoft has published two major revisions:

•  CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability (4th update). This updates removes the ability to set value 1 for the KrbtgtFullPacSignature subkey, and enable the Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which can be overridden by an Administrator with an explicit Audit setting. No further action is required if you apply this month's update.
• CVE-2022-38023: Netlogon RPC Elevation of Privilege Vulnerability. The (previous) April 2023 updates remove the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this release:

• CVE-2023-32038: Microsoft ODBC Driver Remote Code Execution Vulnerability. Microsoft recommends that if you only connect to known, trusted servers — and if there is no ability to reconfigure existing connections to point to another location — this vulnerability cannot be exploited.
• CVE-2023-36884: Office and Windows HTML Remote Code Execution Vulnerability (one of the zero-day exploits this cycle). Microsoft notes that if you are using Microsoft Defender you're protected. For more cynical/jaded/experienced professionals, we recommend that you (carefully) read the Threat Intelligence post (Storm-0978).
• CVE-2023-35367, CVE-2023-35366 and CVE-2023-35365: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. If you are not using (and have not installed) Microsoft's Routing and Remote Access Services (RRAS), you are not vulnerable to this exploit.

Testing guidance 

Each month, the Readiness team provides detailed, actionable testing guidance for the latest updates. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

If you have employed internal web or application servers, it will be worth testing the HTTP3 protocol — especially using Microsoft Edge. In addition to this protocol handling update, Microsoft made a significant number of changes and updates to the networking stack requiring the following testing:

• Test your RRAS router with UDP, pingback and traceroute commands while adding and deleting routing table entries.
• Ensure that your domain servers behave as expected with full enforcement mode enabled.

Given the large number of system-level changes this month, I have divided the testing scenarios into standard and high-risk profiles.

High risk

Given that this update includes fixes for four (some say five) zero-day flaws, we have two main drivers of change this month: key functionality changes in core systems and an urgent need to deliver updates. Microsoft has documented that two core areas have been updated with significant functionality changes, including printing and the local network stack (with a focus on routing). As a result, the following testing should be included before general deployment:

• Printing: check your local printers, as key driver handling has been updated.
• Ensure that your DNS server zones are still functioning as expected after this update

Standard risk

The following changes have been included this month and have not been raised as either high risk (with unexpected outcomes) and do not include functional changes. 

• Windows Hello will need testing to include Active Directory (as well as Azure AD) Single-Sign-on (SSO).
• Test your remote desktop (RDP) connections with and without Microsoft's RD Gateway and ensure you see the correct level of certificate warnings (or not, if already ignored).
• (For IT admins) Test your Windows Error logs (focus on service hangs) with a Create/Read/Update/Delete/Extend (CRUDE) test.
• Test your encryption and crypto configuration scenarios. Especially Kerberos on your domain controllers and key isolation.
• Test your backups. You don't have to worry about your recovery media this time.

All these testing scenarios will require significant application-level testing before a general deployment. Given the changes included in this month's patches, the Readiness team recommends that the followings tests be performed before general deployment:

• Install, update, and uninstall your core line of business applications.
• Check your (local) printer drivers.
• Validate your VBScripts and UI automation tools (as OLE was updated this month, see CComClassFactorySingleton).
• Test audio/video streaming and then Microsoft Teams (due to its uploads/downloads and message queuing requirements).

This month may be a little tough to test your Microsoft Office automation/scripts and integration with third-party applications due to the change in OLE and how Microsoft has addressed CVE-2023-36884. We recommend a full test of Excel macros (if they use OLE/COM/DCOM) and any VBS scripts that include Word.

Windows lifecycle update

Here are the important changes to servicing (and most security updates) to Windows desktop and server platforms.

• Windows 11, version 21H2, will reach end of servicing on Oct. 10, 2023. This applies to the following editions released in October 2021: Windows 11 Home, Pro, Education, Pro for Workstations.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange Server;
• Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
• And Adobe (retired???, maybe next year).

Browsers

Hard to believe, but there are no browser updates in this update cycle. And we don't see anything coming down the pipeline for a mid-cycle release either. This is a big change and a huge improvement from the days of large, complex, and urgent browser updates. Go Microsoft!

Windows

Microsoft released eight critical updates and 95 patches rated as important to the Windows platform, covering these key components:

As mentioned in the Microsoft Office section above, we feel the focus this month should be on the immediate resolution of CVE-2023-36884. Though rated as important by Microsoft (sorry to be contrarian), we feel that since it has been both publicly disclosed and exploited it should be treated as urgent. Coupled with the other Windows zero-day (CVE-2023-32046) this brings the entire Windows update group into the “Patch Now” schedule for our clients. Once the screaming stops, you can take some time to check out the Windows 11 release video; we find it calming.

Microsoft Office

We need to talk about Microsoft Office. Though there are two critical rated updates for SharePoint (CVE-2023-33157 and CVE-2023-33160) and 14 updates rated important by Microsoft, the elephant in the room is CVE-2023-36884 (Office and HTML RCE Vulnerability). This vulnerability has been both publicly disclosed and documented as exploited. Officially, this update belongs in the Windows group, but we believe that the true impact lies in how Microsoft Office deals with HTML data (transmit/store/compute). CVE-2023-36884 directly affects Office and your testing regime should reflect this.

Add these Office updates to your standard release schedule, noting that your Office patch testing regime will need to be paired with your Windows update release schedule.

Microsoft Exchange Server

Much to all our good fortune, there are no updates for Microsoft Exchange Server this month.

Microsoft development platforms

Compared to the very serious (and numerous) exploits in Office and Windows this month, there are only five updates affecting Visual Studio, ASP.NET and a minor component of Mono (the cross platform C# implementation). All these patches are rated important by Microsoft and should be added to your standard developer release schedule.

Adobe Reader (still here, just not this month)

More good news: there are no updates from Adobe or other third-party vendors in this update.