‘Patch Now’ Update for July’s Patch Tuesday Includes Four Zero-Days

Microsoft Rolls Out Patch Tuesday Update Addressing 130 Security Vulnerabilities and Four Zero-Day Exploits

In its recent Patch Tuesday update, Microsoft has addressed a total of 130 security vulnerabilities, along with publishing two advisories and providing four major CVE revisions. Additionally, the update deals with four zero-day exploits for Windows, which has prompted the company to recommend an immediate patching schedule for affected systems.

This month’s focus is primarily on Microsoft Office and Windows testing, as there are no updates for Adobe, Exchange, or web browsers. However, pay close attention to Microsoft’s Storm-0978 post, as it provides specific instructions on how to manage a significant HTML vulnerability present in Microsoft Office (CVE-2022-38023).

To assist users, Microsoft’s Readiness team has created an infographic outlining the risks associated with each update. It is crucial to be aware of any known issues mentioned by Microsoft, especially in relation to operating systems and platforms. For instance, one known issue affects Windows Server 2022 on VMware ESXi, causing startup problems for guest virtual machines with Secure Boot enabled. Microsoft and VMware are currently investigating this issue.

Furthermore, Microsoft has published two major revisions: CVE-2022-37967, a Windows Kerberos Elevation of Privilege Vulnerability, and CVE-2022-38023, a Netlogon RPC Elevation of Privilege Vulnerability. These revisions introduce changes to enhance security and mitigate potential threats.

In terms of mitigations and workarounds, Microsoft recommends a precaution for CVE-2023-32038, an ODBC driver remote code execution vulnerability: connect only to known and trusted servers to prevent potential exploitation. Additionally, Microsoft advises users of Microsoft Defender to be cautious and to read the Threat Intelligence post (Storm-0978) for a better understanding of the situation.
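One way to check the "known and trusted servers" mitigation for CVE-2023-32038 against connection strings collected from application configs, as an added example that is not Microsoft's tooling. The server keyword list, the allow-list and the sample strings are assumptions constructed for illustration; the parser goes slightly beyond the text by handling braced values, which a plain split on `;` misreads.

```python
import re

# Assumption: keywords that carry the target host in common ODBC drivers.
SERVER_KEYS = ("server", "servername", "address", "addr", "host")
# keyword=value; a value is {braced} (may hold ';', with '}}' for a literal '}') or runs to ';'.
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)\s*(?:;|$)")

def parse_conn_str(conn_str):
    """Return {lowercased keyword: value}, keeping the first occurrence of a keyword."""
    attrs = {}
    for key, value in _PAIR.findall(conn_str):
        value = value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1].replace("}}", "}")
        attrs.setdefault(key.lower(), value)
    return attrs

def target_host(conn_str):
    """Extract the bare host name, or None when the string names no server (e.g. DSN=...)."""
    attrs = parse_conn_str(conn_str)
    raw = next((attrs[k] for k in SERVER_KEYS if attrs.get(k)), None)
    if raw is None:
        return None
    host = re.sub(r"^(tcp|np|lpc|admin):", "", raw.strip(), flags=re.I)
    # Drop ",port", "\INSTANCE" and named-pipe paths, leaving only the host part.
    host = re.split(r"[,\\]", host.lstrip("\\"), maxsplit=1)[0]
    return host.strip().lower().rstrip(".")

def audit(conn_strings, trusted_hosts):
    """Classify each string as 'trusted', 'untrusted' or 'review' (no host to check)."""
    trusted = {h.lower() for h in trusted_hosts}
    results = []
    for cs in conn_strings:
        host = target_host(cs)
        verdict = "review" if not host else "trusted" if host in trusted else "untrusted"
        results.append((host, verdict))
    return results

# Constructed sample data: an allow-list and connection strings as found in app configs.
TRUSTED = {"db01.corp.example", "sql02"}
SAMPLES = [
    "Driver={ODBC Driver 17 for SQL Server};Server=tcp:db01.corp.example,1433;Database=hr;",
    r"DRIVER={SQL Server};SERVER=SQL02\PAYROLL;Trusted_Connection=yes",
    "Driver={SQL Server};APP={etl;Server=db01.corp.example};Server=reports.partner.example",
    "DSN=LegacyFinance;UID=report",
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES, TRUSTED):
        print(f"{verdict:9} {host}")
```

Entries marked `review` reference a DSN rather than a host, so the server has to be looked up in the DSN definition itself before it can be compared with the allow-list.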

Another significant update to be mindful of is CVE-2023-36884. This zero-day exploit affects both Office and Windows and has been actively exploited. Users are advised to ensure they are using Microsoft Defender for protection.

To ensure a smooth deployment, Microsoft’s Readiness team offers guidance on testing procedures. For those using internal web or application servers, it is recommended to test the HTTP/3 protocol, particularly with Microsoft Edge. Testing is also advised for the networking stack, including RRAS routers, domain servers, encryption and crypto configurations, and backups.

For Windows desktop and server platforms, Microsoft has announced that Windows 11, version 21H2, will reach the end of servicing on October 10, 2023. This applies to the editions released in October 2021, such as Windows 11 Home, Pro, Education, and Pro for Workstations.

In terms of updates for specific product families, Microsoft does not have any browser updates this cycle. However, there are eight critical updates and 95 important patches for the Windows platform. It is important to prioritize the resolution of CVE-2023-36884, as it has been publicly disclosed and exploited. Another zero-day exploit, CVE-2023-32046, further emphasizes the urgency to patch Windows systems immediately.

In terms of Microsoft Office, there are two critical updates for SharePoint and 14 important updates. However, the main concern lies with CVE-2023-36884, which directly affects Office and the handling of HTML data. Testing of Office patches should coincide with the Windows update release schedule.

Thankfully, there are no updates for Microsoft Exchange Server this month. In terms of Microsoft development platforms, there are only five updates affecting Visual Studio, ASP.NET, and a minor component of Mono.

Overall, this month’s Patch Tuesday update emphasizes the importance of promptly patching Windows systems and closely monitoring vulnerabilities in Microsoft Office. By following the recommended testing procedures, users can ensure the security and stability of their systems.