June’s Patch Tuesday updates focus on Windows, Office

Microsoft released 73 updates to its Windows, Office, and Visual Studio platforms on Patch Tuesday, with many of them dealing with core, but not urgent, security vulnerabilities. That's a welcome respite from the previous six months of urgent zero-days and public disclosures. With that in mind, the Readiness testing team suggests a focus on printing and backup/recovery processes to make sure they're not affected by this update cycle.

For the first time, we see a (non-Adobe) third-party vendor added to a Patch Tuesday release, with three minor plugin updates to Visual Studio for AutoDesk. Expect to see more such vendors added to Microsoft's updates in the near future. The team at Readiness has created a useful infographic that outlines the risks associated with each of the updates.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms in the current update cycle.

• Devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update. We recommend that you download the new Microsoft Edge. It's time.
• After the installation of updates released Jan. 10, 2023 or later, kiosk device profiles that have auto-login enabled may not sign in correctly. Microsoft is working on the issue.
• After installing this or later updates, Windows devices with some third-party UI customization apps might not start up. These apps could cause errors with explorer.exe that might repeat multiple times in a loop. Microsoft is currently investigating; no planned resolution is available yet.
• After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Yep, this is for real. Both Microsoft and VMWare are working on the issue.

At present, we do not have any insights into an out-of-bounds or early update schedule from Microsoft for both the Server 20222/VMWare and the third-party UI issues. These issues are serious, so we expect a response from Microsoft soon.

Major revisions

The following common vulnerabilities and exposures (CVEs) were recently revised in the Microsoft Security Update Guide:

Mitigations and workarounds

Microsoft published these vulnerability related mitigations for this month's release:

• CVE-2023-32014, CVE-2023-32015, and CVE-2023-29363, Windows Pragmatic General Multicast (PGM): Microsoft advises  that you check to see whether there is a service running named Message Queuing and TCP port 1801 is listening on the machine. If this feature is not enabled, the target machine is not vulnerable.
• CVE-202332022: Windows Server Service Security Feature Bypass Vulnerability. Microsoft advises that only Active Directory (AD) clusters are affected.

Each month, the team at Readiness analyses the latest Patch Tuesday updates to develop detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of system-level changes included in this cycle, the testing scenarios are divided into standard and high-risk profiles.

High risk

Very much like the core security changes related to the waySQL queries are handled on desktop systems, Microsoft has made a fundamental update to how certain rendering APIs are handled with a new set of security restrictions. This is a key requirement to separate user mode and kernel printer driver requests. These are not new APIs or new features, but a hardening of existing API callback routines. This is a big change and will require a full printer testing regime, including:

• Test all your printers with your full production testing regime (sorry about this).
• Enable different advanced printer features (e.g., watermarking) and run printing tests.
• Test your printing over RDP and VPN connections.

Standard risk

The following changes included in this month's update are not seen as at high risk for  unexpected outcomes and do not include functional changes:

• Create, modify, delete folders and files in Group Policy preferences.
• Test voice typing (in Windows 11) or dictation (in Windows 10). Spoken text should render as expected.
• Install the Kerberos update on one of your test domain controllers. Once updated, Kerberos authentication should still be successful.
• Play an MPEG4 video or use Windows Explorer to open a directory containing an mpeg4 file. No exit code errors should be reported.
• Once the remote desktop update has been applied to target workstations; create a Remote Desktop connection between a client and server. Then repeat this process with an RD Gateway.
• Test your network/internet connection and internet connection using applications such as browsers, messaging (Teams/Slack), file transfer (FTP), and video streaming (but don't share your password).

Microsoft is now disallowing avoidlowmemory and truncatememory BCD options when Secureboot is on. In addition, Microsoft is blocking boot loaders that have not been updated with the May 2023 update.

Note: Your recovery options will be severely limited unless your recovery images have this vital May 2023 update applied as well. For this specific boot process change, the Readiness team recommends the following testing regime.

• The updated target machine should boot as expected with both Secure Boot and BitLocker enabled. You should not get a boot error or BitLocker recovery screen.
• The updated target machine should boot as expected and not hit BitLLocker recovery when BitLocker is enabled on an OS drive, but Secure Boot is off.

Do update your recovery media as soon your testing regime is complete.

All these (both standard and high-risk) testing scenarios will require significant app-level testing before general deployment. Given the nature of changes included in this month's patches, the Readiness team recommends the following tests before deployment:

• Install, update, and uninstall your core line of business applications.
• Check your printer drivers and validate their certificates.
• Test your backups and recovery media.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds. However, for line-of-business applications, getting the application owner (doing UAT) to test and approve the results is absolutely essential.

Windows lifecycle update

This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange Server;
• Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
• Adobe (we have a guest: AutoDesk).

Browsers

Microsoft released four low-priority updates for Edge with a further 14 patches released to the Chromium platform (on which Edge is built). We have not seen reports of public disclosures or exploits. That said, there are several outstanding security fixes that have not been fully addressed and published. So, we may see an update for the Chromium/Edge project later this month. Add these updates to your standard patch release schedule.

Windows

This month, Microsoft released four critical updates and 33 patches rated important to the Windows platform; they cover these key components: 

• Windows PGM.
• Windows Hyper-V.
• Windows TPM Device Drivers, Crypto and Kerberos.
• NTFS and SCSi components.
• Kernel and video codecs.

This is a moderate update for the Windows desktop and server platform and should be seen as a welcome break from the recent serious exploits (both publicly disclosed and exploited). As noted in May and included in this month's guidance, the focus should be on testing backup and recovery processes. Add this update to your “Patch Now” release schedule.

Microsoft Office

Microsoft delivers one critical update to its Office platform with a patch to SharePoint Enterprise server. The remaining 11 updates affect Microsoft Outlook, Excel, and OneNote. These are all relatively low-profile vulnerabilities that might affect Mac users more than Windows users. Add these Office updates to your standard release schedule.

Microsoft Exchange Server

Microsoft released two updates for Microsoft Exchange Server (CVE-2023-28310 and CVE-2023-32031) both rated important. These security vulnerabilities require internal authentication and have official/confirmed fixes from Microsoft. There have been no reports of exploits or public disclosures for either issue. Even though updating Exchange Server is a bit of a pain, you can add these two updates to your standard release schedule for this month.

Microsoft development platforms

June delivers a cornucopia of patches to the Microsoft development platform, with a single critical update to .NET, a healthy helping of 22 updates rated as important to Visual Studio, one (low rated) update to a Sysinternals tool, and a moderate (how unusual!) update to older non-supported versions of .NET. At first glance, our team thought this would be a big update with a large testing profile. After some examination, this is more of a “corporate hygiene” exercise for Microsoft with a clean-up of small patches to their core development tools.

Add these updates to your standard developer release schedule.

Adobe Reader (we have a guest: AutoDesk)

No updates from Adobe for Reader or Acrobat this month. But, as luck (or bad luck) would have it, we have another “A” to worry about. The introduction of Microsoft's support for external CNA's (CVE Numbering Authority) in January allowed for third-party applications to be included in Microsoft updates. Microsoft has previously only included Adobe. This month changes all that, with the introduction of three CVE's for AutoDesk.

These three reported vulnerabilities (CVE-2023-27911, CVE-2023-27910 and CVE-2023-27909), though developed by Autodesk, are actually plugins for (an older, non-supported) version of Microsoft Visual Studio. That's why these three issues have been included in this month's Patch Tuesday release. Add these updates to your standard “third-party” update release schedule. If you didn't have one before, now you do.

Happy Patching.