Americas

  • United States

Asia

greglambert
Contributor

Microsoft delivers a light Patch Tuesday for June

news analysis
Jun 14, 20247 mins
MicrosoftSecurityWindows

This month's Patch Tuesday release included 49 updates, but no major zero-day flaws.

IDGConnect_patchmanagement_applications_shutterstock_2074770283_1200x800
Credit: Shutterstock

Microsoft this week released 49 updates (including two recent additions) on Patch Tuesday with no reported zero-day flaws, public disclosures, or newly released working exploits for the Microsoft ecosystem. This came as welcome news and is paired with low-risk changes to Microsoft Office. The company’s development platforms saw minor updates to Visual Studio, and both SQL Server and Microsoft Exchange were patch free for the month.

The team at Readiness has provided a useful infographic outlining the risks associated with each of the updates. 

Known issues 

Each month, Microsoft publishes a list of known issues that are part of the latest update cycle, including the following reported minor issues:

  • After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft is still working on this one. In the meantime there is a workaround that involves setting the Cache Hostname to 1. 

We recognize and respect Microsoft’s recent efforts with artificial intelligence (note, I did not say “AI” as that is an Apple thing now) but it would be nice if Microsoft resolved the profile picture (that you can’t change) known issue soon. 

Major revisions 

Microsoft published the following major revisions to past security and feature updates including:

  • CVE-2024-30080: (see below for mitigations). This patch was updated late in the June release cycle. As this was an information update, no further action is required, unless you want to action the Microsoft recommended mitigations.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations:

  • CVE-2024-30070: DHCP Server Service Denial of Service Vulnerability. Microsoft (helpfully) notes that if you’re not using DHCP, you are not affected by this potential vector for DDOS attacks. 
  • CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability. Message Queuing security issues are tough to find, mitigate and test, so this might need some careful attention from your internal developers. At the very least, ensure that you have changed your ports from the MSMQ listening default (1801) to help reduce your attack surface. Microsoft also recommends you check to see whether the MSMQ HTTP-Support feature is enabled.

The team at Readiness analyzed the latest Patch Tuesday updates to provide detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact.

For this cycle, we have grouped the critical updates and required testing efforts into different functional areas including:

Microsoft Office

  • Microsoft SharePoint will require basic document opening and multi-user access tests this month.

Microsoft .NET and Developer Tools

  • There are no updates to Microsoft .NET requiring application portfolio testing this month.

Windows

The following core Microsoft features have been updated:

  • Changes to Secure Boot will require testing of all third-party drivers.
  • Code integrity policies need to be verified for Windows Lockdown (WLDP), Windows Defender Application Guard (WDAG) and the Windows Driver Policy for Intune deployments. We recommend you test your Windows desktop sandbox and ensure that it boots correctly.
  • Changes to Windows networking will require testing at least two DHCP servers.
  • Remote desktop-related updates will require VPN connection tests. Try some administrative commands from the Microsoft Management console (MMC) such as adding, connecting and disconnecting VPN connections.

This month’s update also affects several core systems such as Kernel32 and Win32K.SYS sub-systems. Unfortunately, these changes affect how applications behave at a fundamental level, which makes testing not just hard, but broad and expansive across your application portfolio. The Readiness team suggests that the following general application tests be performed against all of your core line-of-business applications.

  • Test as many windows and pop-ups as possible.
  • Check window title bars for errors, or poorly formatted text.
  • Check for unusual items in the Windows taskbar.
  • Thoroughly test File explorer (sorry about that).
  • Test multiple applications, with multiple windows.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for your line-of-business apps, getting the application owner (doing UAT) to test and approve the results is essential. 

Windows lifecycle update 

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • Windows 10 Enterprise and Education, Version 21H2 will no longer be serviced as of June 11, 2024

For those planning ahead, Oct. 8, 2024, is a big day as Microsoft will no longer offer general servicing for the following desktop platforms:

  • Windows 11 Enterprise and Education, Version 21H2
  • Windows 11 Home and Pro, Version 22H2
  • Windows 11 IoT Enterprise, Version 21H2

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server) 
  • Microsoft Office
  • Microsoft Exchange Server 
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far) 

Browsers

Microsoft has released seven minor updates to the Chromium-based browser (Edge), while the Chromium project has added six additional updates this week. These updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule. 

Windows

This month, Microsoft released one critical update (CVE-2024-30080) and 32 patches rated as important for Windows, covering the following key components: 

  • Windows Win32 Kernel Subsystem, GRFX and drivers
  • Networking (Wii-fi) and DHCP
  • Storage and Error Reporting
  • Crypto and BitLocker

The critical-rated patch relates to the core, but not often used, Message Queuing service (MSMQ) that could affect internal applications. Unusually, this patch has already been updated since the main release on Tuesday. That said, the Readiness team believes all these Windows patches can be added to your standard release schedule.

Microsoft Office 

There were no critical updates for Office this month, and only five patches rated as important. All five have low potential for exploitability (no worms, add-in vulnerabilities or Word macro issues) and should be added to your regular Microsoft Office update schedule.

Microsoft Exchange Server 

No updates for Microsoft Exchange Server or SQL Server this month, which, of course, is a good thing. 

Microsoft development platforms 

Microsoft released just three updates to Microsoft Visual Studio. These patches affect versions of the Microsoft developer platform from 2017 to 2022. All of the proposed changes are low risk and application specific. Add these updates to your standard developer release schedule.

Adobe Reader (if you get this far) 

We are back to the usual state of things, and Microsoft has not chosen to include any Adobe products this release cycle. This is a very good thing.

greglambert
Contributor

Greg Lambert is an evangelist for Application Readiness, the online assessment and application conversion specialists. Greg is a co-founder of ChangeBASE, and now CEO of Application Readiness, and has considerable experience with application packaging technology and its deployment.

The opinions expressed in this blog are those of Greg Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.