Patch Tuesday: Microsoft rolls out 90 updates for Windows, Office
With its August Patch Tuesday release, Microsoft pushed out 90 updates for the Windows and Office platforms. The latest fixes include another update for Microsoft Exchange (along with a warning about failed updates to Exchange Server 2016 and 2019) and a "Patch Now" recommendation from us for Office.
The team at Application Readiness has crafted this useful infographic outlining the risks associated with each of the updates for this month.
Each month, Microsoft includes a list of known issues affecting the latest update cycle. For August, they include:
Unfortunately for those still using Windows Server 2008 ESU, this month's update might fail completely with the message, "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer." Microsoft offers some advice on ESU updates, but you might find you have to wait a little while before you're able to successfully update legacy Exchange servers. Sorry about that.
Microsoft has published these major revisions covering:
Microsoft published the following vulnerability-related mitigations for this release cycle:
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and app installations.
Given the significant number of changes included this month, I've broken down the testing scenarios into high-risk and standard-risk groups:
As all the high-risk changes affect the Microsoft Windows core kernel and internal messaging subsystem (though we have not seen any published functionality changes), we strongly recommend the following focused testing:
And here's one for Windows-focused IT administrators: Microsoft has updated the WinSAT API. Microsoft describes the tool this way:
"The Windows System Assessment Tool (WinSAT) exposes a number of classes that assess the performance characteristics and capabilities of a computer. Developers can use this API to develop software that can access the performance and capability information of a computer to determine the optimal application settings based on that computer's performance capabilities."
All these scenarios will require significant application-level testing before general deployment. In addition to these specific testing requirements, we suggest a general test of the following printing features:
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line-of-business applications, getting the app owner (doing UAT) to test and approve the results is absolutely essential.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Continuing a welcome trend, Microsoft released 11 updates to its Chromium browser projects (Edge) and no patches to its legacy browsers. You can read more about Microsoft Edge release notes here; note that the Chrome/Edge updates were released on Monday (Aug. 7), not the usual "Patch Tuesday."
Add these browser updates to your standard patch release schedule.
Microsoft released three critical updates, 32 rated as important and one rated as moderate. All three of the critical updates to the Windows platform relate to Windows Message Queuing (MSMQ). Though these critical updates have a rating of 9.8 (that's pretty high), they have not been publicly disclosed or reported as exploited. Not every organization will make use of the MSMQ feature, so for most teams, the testing profile should be pretty light. Add these Windows updates to your standard release schedule.
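To find out whether a given machine actually uses MSMQ before sizing the test effort, a local check like the following can help. This is an added example, not code from Microsoft or the Readiness team; it assumes the default MSMQ service name (`MSMQ`) and default listener port (TCP 1801), and the function name `Get-MsmqExposure` is hypothetical.

```powershell
# Added example: report whether Message Queuing (MSMQ) is installed, running and listening.
# Run in an elevated session; Get-WindowsOptionalFeature requires administrator rights.
function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # When the feature is installed, its service is registered under the name "MSMQ".
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Assumption: MSMQ is on its default port, TCP 1801.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    # Wildcard match avoids depending on edition-specific feature names.
    $features = @(Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartType        = if ($svc) { $svc.StartType.ToString() } else { $null }
        ListeningOn1801  = $listeners.Count -gt 0
        ListenAddresses  = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        EnabledFeatures  = ($features.FeatureName) -join ','
    }
}

$result = Get-MsmqExposure
$result | Format-List

# A running service or an open listener means the MSMQ fixes touch functionality in use here.
if ($result.ServiceStatus -eq 'Running' -or $result.ListeningOn1801) {
    Write-Warning 'MSMQ is active on this host: include it in MSMQ-focused testing.'
} else {
    Write-Output 'MSMQ is not active on this host.'
}
```

A host that shows enabled MSMQ features but a stopped service still receives the update; it simply carries less testing weight than one with a live listener.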
Microsoft has released three critical updates to Microsoft Outlook (CVE-2023-36895, CVE-2023-29330 and CVE-2023-29328) that require immediate attention. In addition to these patches, Microsoft has released 11 updates rated as important and one rated as moderate. These 12 updates affect Microsoft Office in general and Visio. Add these Office updates to your "Patch Now" release schedule.
Before you do anything, don't update your non-English Microsoft Exchange Servers (2019 and 2016). This month's update will fail mid-way through and leave your server in an "undetermined state." Now that this has (not) been done, you can attend to the six Exchange updates (all rated as important) for this month. No critical updates showed up, so take your time. Note: all these August patches will require a server reboot. Add these updates to your standard release schedule.
Microsoft has released eight updates to the Microsoft .NET and ASP.NET platforms this month. These patches were rated as important and should be included in your standard developer release schedule.
Adobe is back. And we have another "A" to worry about (kinda weird, huh?). APSB23-30 from Adobe patches a critical vulnerability in Adobe Reader — add it to your "Patch Now" schedule. And the other "A"? Following the recent trend of supporting third-party patches in the Microsoft update release cycle (remember the Autodesk update in June?), Microsoft has released CVE-2023-20569; it is related to an AMD memory-related vulnerability. You can read more about this on the AMD site here.
Patching? Sure.
Testing? Not sure.