October’s Patch Tuesday sees Microsoft resolving three zero-day vulnerabilities.

Microsoft Releases 103 Updates Covering Windows, Office, and More

This October, Microsoft has released 103 updates for Windows, Edge, Microsoft Office, and Exchange Server. In addition to these updates, minor updates for Visual Studio have also been included. Among these updates, there are three zero-day vulnerabilities (CVE-2023-44487, CVE-2023-36563, and CVE-2023-41763) that require immediate action for both Windows and Edge browser users.

In order to enhance its patch release and notification system, Microsoft has added support for RSS feeds. Furthermore, the company has also published its latest Digital Defense Report for this year. To assist users in understanding the risks associated with each update, the Application Readiness team has created an infographic outlining the potential threats.

As with every update, there are known issues that users should be aware of. One of the issues discovered is related to Windows Server 2022, where guest virtual machines running Windows Server 2022 on certain versions of VMware ESXi may not start up after installing this month’s update. Microsoft and VMware are currently investigating this matter.

Microsoft has made one major revision this month, specifically with regard to CVE-2023-36794. In the Security Updates table, Microsoft has added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3, as these versions are also affected by the vulnerability. No additional action is required from users.

For vulnerability-related mitigations, Microsoft has provided guidance for the Microsoft Message Queue updates, advising that systems with the Message Queuing service enabled and listening on port 1801 are vulnerable. Additionally, there are recommendations for OLE-related vulnerabilities, suggesting users only connect to trusted servers. However, the efficacy of these mitigations may be questioned by some.
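One way to check a host against the Message Queuing condition described above (service enabled and listening on port 1801), as an added example that is not from Microsoft or the original article. The function name `Test-MsmqExposure` is hypothetical, and the script assumes the default service name `MSMQ` and the built-in `Get-NetTCPConnection` cmdlet.

```powershell
# Added example: reports whether this host meets the MSMQ exposure condition
# (Message Queuing service enabled and a listener on TCP 1801).
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801,             # port named in the guidance
        [string]$ServiceName = 'MSMQ'  # assumption: default service name
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # Resolve the owning process so an unrelated listener on the port is visible as such.
    $owners = @($listeners | Select-Object -ExpandProperty OwningProcess -Unique | ForEach-Object {
        $p = Get-Process -Id $_ -ErrorAction SilentlyContinue
        if ($p) { '{0} (PID {1})' -f $p.ProcessName, $_ } else { "PID $_" }
    })

    # A listener bound only to loopback is not reachable from the network.
    $remote = @($listeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })

    $verdict = if (-not $svc) {
        'Message Queuing service not installed'
    } elseif ($remote.Count -gt 0) {
        'Matches the condition: service present and port reachable; patch first'
    } elseif ($svc.Status -eq 'Running') {
        'Service running, but no network-reachable listener found'
    } else {
        'Service installed but not running'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ServiceStatus   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType       = if ($svc) { [string]$svc.StartType } else { $null }
        ListenAddresses = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        OwningProcess   = $owners -join ', '
        Verdict         = $verdict
    }
}

Test-MsmqExposure | Format-List
```

The result is an object, so the same function can be run across a server list with `Invoke-Command` and the output exported for patch prioritization.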

To ensure a smooth and secure update, the team at Readiness has analyzed the latest Patch Tuesday updates and provided detailed testing guidance. Since updating the Windows Kernel subsystem can pose risks, thorough testing is recommended. Notably, Microsoft has made updates to both the Kernel and GDI subsystems this month. While these changes are minor, they have far-reaching implications. It is suggested to conduct a “smoke test” for commonly used applications and focus on business logic testing for critical or line-of-business applications.

In addition to these specific testing requirements, several Windows features should be tested, including Windows Error Reporting systems, GPU usage, VPN connections, Windows WAV file codecs, and rich-text-formatted (RTF) files. It is crucial to prioritize application-level testing before deploying this month’s update.

This month, Microsoft has announced two major Windows deprecations. VBScript, the scripting language used by many desktop engineers, will be deprecated, affecting numerous application installations. Additionally, WordPad will no longer receive updates and is expected to be removed in a future version of Windows. Alternatives such as generating RTF files through a DOS prompt or using Office are recommended.

Celebrating the 20th anniversary of Patch Tuesday, Microsoft reflects on the importance of scheduled updates to the Windows ecosystem. Patch Tuesday has become an essential part of IT best practices.

In terms of product families, Microsoft has released updates for browsers, Microsoft Windows (desktop and server), Microsoft Office, Microsoft Exchange Server, and Microsoft Development platforms. Notably, Microsoft has aligned with the Chromium release schedule for Edge updates.

For browsers, Microsoft has highlighted two serious vulnerabilities, CVE-2023-5346 and CVE-2023-5217, which should be patched immediately, regardless of Patch Tuesday.

Windows users should pay attention to the 13 critical updates and 68 important patches released this month. These updates cover various key components, including Windows Message Queuing, Windows Win32K and Kernel, RDP, Layer 2 Tunnelling Protocol, Windows Error Reporting, Windows Common Log File System Driver, and more.

In terms of Microsoft Office, only seven important updates have been released, addressing complex security vulnerabilities.

Microsoft Exchange Server has received a single important update that affects all supported versions and requires a server reboot.

For Microsoft Development Platforms, three updates have been released for Visual Studio.

There are no updates from Adobe for Reader or Acrobat this month.

Lastly, the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487) has been a cause for concern, as it has been actively exploited since August. Microsoft advises users to patch their systems accordingly.

Overall, it is crucial for users to stay up to date with these updates and ensure proper testing before implementing them to maintain the security and functionality of their systems.