Critical updates for Microsoft Office and Visual Studio drive September's Patch Tuesday
Microsoft released 59 updates in its September Patch Tuesday release, with critical patches for Microsoft Office and Visual Studio, and continued the trend of including non-Microsoft applications in its update cycle. (Notepad++ is a notable addition, with Autodesk returning with a revised bulletin.) We've made "Patch Now" recommendations for Microsoft development platforms (Visual Studio) and Microsoft Word.
Unfortunately, updates for Microsoft Exchange Server have also returned, requiring server reboots this time, too.
The team at Readiness has created this infographic outlining the risks associated with each of the September updates.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle:
Microsoft published the following major revisions this month:
And it looks as if Microsoft "missed" a CVE last month — CVE-2023-36769 for OneNote, which has now been updated and included in this month's updates.
Microsoft published the following vulnerability related mitigations for this release cycle:
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and on application installations.
Given the large number of system-level changes in this patch cycle, I have broken down the testing scenarios into standard and high-risk profiles.
Microsoft made a major announcement this month about a significant change to how third-party printer drivers are handled,
"With the release of Windows 10 21H2, Windows offers inbox support for Mopria compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver. This removes the need for print device manufacturers to provide their own installers, drivers, utilities."
With this announcement, Microsoft also published an end to servicing legacy (V3 and V4) Windows printer drivers and offers the following support timeline.
The assumption here is that all Windows printing providers will subscribe to the Mopria (an association of printer and scanner manufacturers that produce universal standards and solutions for scan and print) standard. This makes sense and will hopefully reduce the attack surface of printer drivers that have caused so much trouble over the years.
Due to this change in printer handling, the following tests are suggested:
The following changes have not been raised as high risk (of unexpected outcomes) and do not include functional changes.
There has been a major update to the Windows networking stack, too. This includes changes to how DHCP handles failover relationships. Testing should include the following:
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line of business applications, getting the application owner (doing UAT) to test and approve the results is still absolutely essential.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft did not release any updates for its browsers this month. As a sign of the times, Google Chrome has now “sunsetted” (deprecated in Microsoft terms) support for Windows 7/8/8.1 and Window Server 2012. For Google Chrome Enterprise users, there is now a handy release summary. My feeling is that we will be adding Google Chrome to the third-party update section found at the bottom of this report in the future.
Microsoft released a single critical update for the Windows platforms in this patch cycle (CVE-2023-38148). In addition, 20 patches rated important by Microsoft were released, covering the following Windows functional areas:
Though it is a relatively lightweight set of patches for Windows, we highly recommend a network stack test before general deployment. Add these Windows updates to your standard release schedule.
For September, Microsoft did not release any critical updates to the Office platform. Instead, we see seven updates rated important and an additional single update rated moderate (CVE-2023-41764). Unfortunately, this month's zero-day vulnerability includes Microsoft Word (CVE-2023-36761) which has been publicly disclosed and reported as exploited in the wild. Add these Office updates (really just Word) to your "Patch Now" schedule.
Microsoft released five updates for Microsoft Exchange Server, all rated important by Microsoft. Combining both network and adjacent attack vectors, these vulnerabilities could lead to ID spoofing and remote code execution. There have not been any reports of exploits in the wild, nor public disclosures, so please add these to your standard release schedule. Note: this month's patch cycle will require a reboot of your Exchange Server.
This is a big month for updating the developer platforms. Microsoft released three critical rated patches (CVE-2023-36796, CVE-2023-36793 and CVE-2023-36792) that could lead to serious remote code execution scenarios with the simple click of a single malicious file. Once these critical issues are added to the 12 additional patches to Visual Studio and .NET, we must make an unusual "Patch Now" recommendation for these.
Following the growing trend of managing third-party application updates, I will now include key applications that require updating each month. This used to focus on Adobe Reader, but for September now includes:
We expect more third-party applications to be included in the monthly update process in the future. Monthly patches, monthly application packaging and patching will become the new normal. Having a robust repackaging, testing and deployment process for your entire application portfolio will fast become a top priority.