Americas

  • United States

Asia

greglambert
Contributor

With three zero-days, it’s a patch-now Patch Tuesday for May

analysis
May 17, 20249 mins
MicrosoftSecurityWindows

This is one of those months where it’s important to roll out Microsoft’s latest round of fixes as soon as you can.

Windows update
Credit: Clint Patterson / Unsplash

Microsoft released 62 updates on Patch Tuesday this week, with three zero-days (CVE-2024-30051, CVE-2024-30046, and CVE-2024-30040) forcing a “patch now” deployment guidance for Windows desktops. Adobe is back with a “Patch Now” update, while Microsoft Office, Edge browsers and Microsoft’s development platform (Visual Studio and .NET) can be dealt with using standard release schedules. 

Unusually for Azure updates, the Readiness team recommends particular attention be paid to an Azure Agent update (CVE-2024-30060), as it can affect corporate VM’s (associated with testing or development platforms). The team has provided an infographic outlining the risks associated with each of the updates for this month’s cycle. 

Known issues 

Each month, Microsoft publishes a list of known issues related to the operating system and platforms included in each cycle; the following two reported minor issues:

  • Windows devices using more than one monitor might experience issues with desktop icons moving unexpectedly between monitors or other icon alignment issues when attempting to use Copilot in Windows (in preview). Yes, Microsoft is still working on this one.
  • There appears to be an issue with how Windows clients receive their updates after installing KB5034203. Instead of downloading from their peers or designated enterprise update endpoints, clients that use DHCP option 235 will download from the internet instead. Aside from the (serious) security concerns in getting your updates from outside your organization, some clients will see a significant increase in their internet traffic.

And for all you Windows 11 users, Microsoft has reported that after installing this update you might not be able to change your profile photo from the default. (For many, this is a good thing.)

Major revisions 

This month, Microsoft published the following major revisions to past security and feature updates:

  • CVE-2024-30009: Windows Routing and Remote Access Service (RRAS) Remote Code Execution. The FAQs were updated for this Microsoft patch. This is an information change only.
  • CVE-2024-30044: Microsoft SharePoint Server Remote Code Execution Vulnerability. Microsoft updated the documentation, added a FAQ, and updated the CVSS score for this critical update.
  • CVE-2024-30046: Visual Studio Denial of Service Vulnerability. Microsoft has revised the Security Updates table to include .NET 7.0 and .NET 8.0 as these versions of .NET are now affected by this vulnerability. 

I’m not sure where to place this latest (and late) addition to the May patches. Microsoft released a major update (CVE-2024-30060) to the Azure agent (we use this Microsoft tool for our Azure-based application packaging, conversion and testing Virtual Machines). If you are using Azure-based VMs, this update will be important for all your builds. Unfortunately, this vulnerability has been publicly disclosed and adds to our tally of May Patch Tuesday zero days.

Mitigations and workarounds 

As of May 17, Microsoft has not published any mitigations or workarounds for this month’s patch cycle.

Testing guidance

Each month, the team at Readiness analyzes the latest updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and application installations.

We have grouped the critical updates and required testing efforts into functional area including:

Microsoft Office

  • A change to how OLE handles web content will require a test scenario for embedding and loading external web content (text, images and video).

Microsoft .NET and developer tools

  • Microsoft SQL server updates will require a test of new connections with different versions of SQL Server. Line-of-business (LOB) applications that rely on SQL server connections will require a full UAT before releasing this month’s developer update.

Windows

The following core Microsoft features have been updated and might require attention:

  • The updates to the Windows Common Error log feature (CLDFLT.SYS) will require testing of creating, reading, updating and deleting (CRUD) log files.
  • DNS updates will require testing for non-existing domains registered in each managed zone.
  • This month’s update to the Microsoft Crypto library will require tests of new creation and deletion.
  • Microsoft’s Routing and Remote Access Servers (RRAS) servers will require light testing for valid connections.
  • Smartcard access to Microsoft Windows desktops will require basic access testing.

Aside from updating several key features on the Windows desktop platform, Microsoft also updated the way the following APIs are handled:

These are tough updates to test properly, as you need a detailed list of what applications depend upon (and actually use) these APIs. 

Automated testing will help (especially a testing platform that offers a “delta” or comparison between builds). However, for LOB apps, getting the application owner (doing UAT) to test and approve the results is absolutely essential. 

This month, Microsoft made a major (general) update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio.

Windows lifecycle update 

This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • Support for Windows 10 (21H2) ends this month. In fact, support ends before the next Patch Tuesday. This is serious now, people.
  • Microsoft SQL Server (2014 SP3 CU4): the final stage of support (aka Security Support) ends in five weeks.
  • Microsoft Visual Studio 2022 loses full support in less than two months.

Each month, we break down the update cycle into product families with the following basic groupings: 

  • Browsers (Microsoft IE and Edge) 
  • Microsoft Windows (both desktop and server) 
  • Microsoft Office
  • Microsoft SQL Server (not Exchange Server) 
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far) 

Browsers

Microsoft and the Chromium project have been releasing patches to both Chrome and Edge every three or four days since the latest major update in April. So far, there are now seven updates to Chrome (with the recent addition of CVE-2024-30056), all of which are rated important. These security vulnerabilities relate to memory handling and “use after free” issues but have not been reported as exploited or publicly disclosed. Add these updates to your standard release schedule.

Windows

Microsoft published 46 updates for the Windows desktop and server updates. For this (much smaller) release to the Windows desktop platform, the following functional areas have been updated:

  • Windows Common Log File System Driver Windows Hyper-V;
  • Windows Cryptographic Services;
  • Windows DHCP Server;
  • Windows NTFS;
  • Windows Win32K – ICOMP;
  • Windows RRAS and Remote Access Connection Manager.

Unfortunately, we have three zero-days (CVE-2024-30051, CVE-2024-30046, and CVE-2024-30040) that affect the Windows platform. The team at Readiness has already discovered several applications that are particularly vulnerable to the DWM vulnerability (CVE-2024-30051) which could lead to full SYSTEM (caps added by Microsoft) privileges on the compromised system. Add this update to your “Patch Now” schedule.

Microsoft Office 

Microsoft released just three updates for the Office platform. CVE-2024-30042 addresses a remote code execution vulnerability in Excel that is both challenging to exploit and non-wormable. The other updates relate to Microsoft SharePoint. All are rated important and should be added to your standard desktop release schedule. 

Microsoft SQL Server (not Exchange Server)

Microsoft has not released any patches for Exchange Server but did push out a single update (CVE-2024-30054) rated important for SQL Server. This update to SQL Server Power BI feature really belongs in the developer release cycle, as it updates Software Development Kit (SDK). Add this to your standard developer release schedule.

Microsoft development platforms 

Microsoft released four updates to the development platform, affecting Visual Studio and .NET for those deploying and managing desktop patches. Add these to your standard developer release schedule.

Adobe Reader (if you get this far) 

We are back! Adobe released an update to Adobe Reader (APSB24-29) covering 12 memory related and “use after free ” security vulnerabilities that have a serious rating of 8.8. This attracts a “Patch Now” rating from the Readiness team due to Adobe Reader’s tight integration with the Windows desktop ecosystem.

greglambert
Contributor

Greg Lambert is an evangelist for Application Readiness, the online assessment and application conversion specialists. Greg is a co-founder of ChangeBASE, and now CEO of Application Readiness, and has considerable experience with application packaging technology and its deployment.

The opinions expressed in this blog are those of Greg Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.