Microsoft addresses three zero-days for October’s Patch Tuesday

This month, Microsoft has released 103 updates to Windows, Edge, Microsoft Office, and Exchange Server. This update also includes minor updates to Visual Studio. Three zero-days (CVE-2023-44487, CVE-2023-36563 and CVE-2023-41763) require “Patch Now” updates for both Windows and the Edge browser for this October update cycle.

Microsoft has also updated its patch release and notification system with support for RSS feeds and has published its latest Digital Defense Report for this year. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this October update cycle.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.

• Microsoft Server 2022: After installing this month’s update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Microsoft and VMware are both investigating this issue, but there is no published resolution at the time of writing.

Major revisions

Microsoft has published one major revision this month:

• CVE-2023-36794: In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3, as these versions of Visual Studio are also affected by the vulnerability. No further action is required.

Mitigations and workarounds

Microsoft has published the following vulnerability related mitigations for this month’s Patch Tuesday release cycle:

• There are 15 Microsoft Message Queue updates this month, each with a published mitigation from Microsoft that notes, “if the Message Queuing service is enabled and listening on port 1801, then your system is vulnerable.”
• Microsoft offers some limited advice on OLE related vulnerabilities (e.g., CVE-2023-36730) this month with advice to only connect to trusted servers.

Some may question the efficacy of these proffered mitigations.

Testing guidance

Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

One of the hardest areas on the Windows platform (both desktop and server) to update is the Windows Kernel subsystem. This core subsystem manages security, access to low-level services, drivers, and the Hardware Abstraction Layer (HAL). Given its importance, the Kernel layer is key to delivering most services and applications on Windows. Changing this core system generally translates to a high-risk of a component, service, or application not behaving as expected. Thus, testing is key and also very difficult to do right.

This month Microsoft has updated both the Kernel and GDI subsystems at a core level. At Readiness, we have looked at these (GDI and Kernel level) changes, and they are both minor and far-reaching. (This is not a tautology.) Rather than a specific test guidance plan, we recommend a “smoke test” for your commonly used applications and a business logic focused test effort for your critical or line-of-business applications. (Perhaps your top 20 apps?)

All these scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to these listed specific testing requirements, we suggest a general test of the following Windows features:

• Test your Windows Error Reporting systems (logs and error reports with a Create/Read/Update/Delete/Extend (CRUDE) test cycle.
• Watch out for heavy GPU usage (we suggest trying out AutoCAD or Bloomberg).
• Test your VPN connections — a simple connect/disconnect test will suffice this month.
• Due to an update to the Windows WAV file codecs, a small test cycle of audio files should be included for this October update.

Stressing about the latest WordPad security vulnerability? Unfortunately, we still have to test our rich-text-formatted (RTF) files this month as well. This follows on from last month’s Notepad++ vulnerabilities, which included CVE-2023-40031, CVE-2023-40036, CVE-2023-40164 and CVE-2023-40166. At this rate, Microsoft may just decide to remove all (free) text editors from Windows. Office, anyone?

Windows lifecycle update

Over the past few months, we have used this section to detail the forthcoming changes to the Windows ecosystem, such as end of platform support or changes to security updates. This month, we have two major Windows deprecations that have been announced by Microsoft:

1. VBScript — this is a big deal. Yes, the venerable scripting language is both much maligned and much loved by desktop engineers. Its deprecation is a major issue and will affect many (more than you think) application installations and will require some attention.
2. WordPad (what, really?). According to Microsoft, WordPad will no longer be updated and will be removed in a future version of Windows. You can still generate RTF files using the Echo command in a DOS prompt, after setting the generator type, ANSI page, default language, character code, charset, and font. Or you could use Office.

And speaking of life cycles, Happy Birthday to Patch Tuesday — it’s been 20 years since the first properly scheduled update to the Windows ecosystem. Things were pretty chaotic back then, with unscheduled updates distributed through the month. I doubt anyone would have considered just how important security patches/updates would become to the IT community. More than a tradition, Patch Tuesday is now an essential part of IT best practices.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge)
• Microsoft Windows (both desktop and server)
• Microsoft Office
• Microsoft Exchange Server
• Microsoft Development platforms (NET Core, .NET Core and Chakra Core)
• Adobe (retired???, maybe next year)

Browsers

Microsoft has adapted to the Chromium release schedule and no longer specifically publishes updates on the second Tuesday of every month. That said, Microsoft has used the release of the patch of CVE-2023-5346 and CVE-2023-5217 this week as a sort of “stub” or proxy for Patch Tuesday Chromium (Edge) updates.

For more information on Microsoft Edge security updates, please refer to the weekly updated Microsoft support page. Both of these vulnerabilities are extremely serious (we consider them zero-days) and should be added to your “Patch Now” browser update schedule, Patch Tuesday or not.

Windows

This October, Microsoft released 13 critical updates and 68 patches rated as important to the Windows platform that cover the following key components:

• Windows Message Queuing
• Windows Win32K and Kernel
• Windows RDP, Layer 2 Tunnelling Protocol and Windows TCP/IP
• Windows Error Reporting
• Windows Common Log File System Driver
• Windows OLE, ODBC, and SQL Providers

The key challenges relate to the critical updates to the Message Queuing feature in Windows. Adding the kernel, core GDI updates, and networking issues means that this month we need to add this Windows update to your “Patch Now” release schedule.

Microsoft Office

We can breathe a little easier this month as Microsoft has released only seven updates (all rated as important) for the Office platform. Ignoring Skype for Business (which everyone else does), this month Microsoft delivers patches to complex, difficult-to-exploit security vulnerabilities that have not been publicly disclosed. Add these low-profile Office updates to your standard release schedule.

Microsoft Exchange Server

Microsoft has released a single update for Microsoft Exchange this month. This vulnerability affects all supported versions of Exchange Server and has been rated as important by Microsoft. Microsoft Exchange server updates this month will require a server reboot — for all versions. Add this update to your standard update release schedule for this October Patch Tuesday.

Microsoft Development Platforms

Excluding the Mitre Rapid Reset (CVE-2023-44487) issue covered below, Microsoft has released three relatively straightforward updates to the Visual Studio development platform. Add these updates to your standard developer release schedule.

Adobe Reader (still here, but just not this month)

No updates from Adobe for Reader or Acrobat this month.

HTTP/2 Rapid Reset Vulnerability

Finally, let’s discuss the HTTP/2 Rapid Reset (CVE-2023-44487) vulnerability. This distributed denial-of-service (DDOS) attack has been reported as exploited in the wild since this past August. As it affects more than just Microsoft Windows, I have included some helpful links (provided by CISA) on this serious vulnerability.

• Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack
• Google: How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack
• AWS: CVE-2023-44487 – HTTP/2 Rapid Reset Attack
• NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products

Microsoft has posted a detailed detailed blog entry entry on the Rapid Reset issue that includes advice on patching web applications, enabling Azure Web Application firewall and configuring Azure Front Door.