Critical zero-day flaws in Windows, Office mean it's time to patch
We are now in the third decade of Microsoft's monthly Patch Tuesday releases, which deliver fewer critical updates to browsers and Windows platforms — and much more reliable updates to Microsoft Office — than in the early days of patching. But this month, the company rolled out 63 updates (including fixes for three zero-days in Windows and Office).
Updates to Microsoft Exchange and Visual Studio can be included in standard patch release cycles, while Adobe needs to be included in your "Patch Now" releases for third-party applications.
The team at Readiness has provided a detailed infographic that outlines the risks associated with each of the updates for November.
Microsoft publishes a list of known issues that relate to the operating system and platforms are included in each update. This month, that list includes:
If you're lucky enough to receive access to Microsoft's Windows AI Copilot this month, you might experience a display issue with your desktop icons unexpectedly moving from one display to another — and then moving back to the original display. Don't worry, there is no ghost in the machine. Oh, wait....
At this point, Microsoft has published three major revisions that require attention for this cycle, including:
All of these revisions were for informational purposes only, and do not require additional action.
Microsoft published the following vulnerability-related mitigations for this Patch Tuesday release:
Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Microsoft has made a major update to a minor file system management feature this month, with changes to how Storage Sense updates and removes old and temporary files. There is an excellent video explainer, and as Microsoft explains: "(Storage Sense) will run when your device is low on disk space and will clean up unnecessary temporary files. Content from the Recycle Bin will be deleted by default after some time, but items in your Downloads folder and OneDrive (or any other cloud provider) will not be touched unless you set up Storage Sense to do so.
Our testing process raises a few concerns when the Windows file system has been updated, so we have included a few additional steps to validate this month's changes:
The following changes in this month's update are not seen as high risk (for unexpected outcomes) and do not include functional changes:
There has also been a major update to how Windows handles file compression. Following last month’s WinRAR security issues, Microsoft now supports archive formats that include tar, .7zip,. rar,.tar.gz. Readiness strongly suggests removing (a full, validated uninstall) WinRAR and other third-party compression utilities.
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line of business apps, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.
This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.
You can read more about the recent changes at the Lifecycle update page.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has adopted the Chromium release schedule and no longer specifically publishes updates on Patch Tuesday. That said, 14 updates to the Chromium project Edge browser were released this month (none critical, and no zero-days for Microsoft or Chromium). For more information on Microsoft Edge security updates refer to the weekly updated Microsoft support page. Add these updates to your standard patch release schedule.
Microsoft released two critical updates and 30 patches rated important to the Windows platform that cover the following key components:
The real concern this month are the two publicly reported (and exploited) vulnerabilities:
Here is this month's Windows 11 release video. Otherwise, add this update to your "Patch Now" release schedule.
Microsoft published five low-profile updates rated as important. That said, CVE-2023-36413 (a publicly reported security bypass vulnerability) is a distinctly dangerous security issue that only affects recent versions of Microsoft Office (Office 365 and Office 2019/2021) and will require immediate attention. If you are using older versions of Office, add these updates to your standard release schedule. If you are up to date, then add these Office updates to your "Patch Now" timeline. And, yes — we think that this should be the other way around as well.
Microsoft released four updates to the now-venerable Exchange Server (we wanted to say “vulnerable”) this month. Though these updates may be a pain for Exchange administrators (no special instructions, but a reboot will be required), but these are fully confirmed fixes for difficult to exploit, non-"wormable" issues. All four issues (CVE-2023-36439, CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035) require full administrator access and as of now have not been reported as exploited or publicly reported. Add these low-profile updates to your standard server release schedule.
Microsoft released six updates, all rated important, that affect Visual Studio and .NET/ASP.NET. All currently supported versions of both product groups are affected. These issues could lead to elevation-of-privilege and spoofing attacks. With no critical-rated or remote code execution scenarios to manage, add these developer updates to your standard developer release schedule.
We're starting to get the hang of Adobe's release schedule with this month's anticipated year-end update to their core products — including Adobe Reader — with the release of APSB23-02. This is a critical-rated update for Reader and will require immediate attention. Given the recent changes to Microsoft's enthusiasm for third-party tools , you have to wonder how long Adobe Reader has before Microsoft decides enough is enough.