This month’s Patch Tuesday release is a big one

Microsoft released 149 updates in this month’s Patch Tuesday release, though there were no reports of public disclosures or other zero-days for the Microsoft ecosystem (Windows, Office,.NET). This update is very large, complex and will require some testing time, especially for the OLE, ODBC and SQL focused updates and their impact on complex applications. 

Microsoft also moved to make it easier to understand security-related CVE entries much easier by adopting the new CWE vulnerability reporting standard. The team at Application Readiness has provided this infographic detailing the risks associated with the April updates. 

Known issues 

Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle, including these two reported minor issues:

After you install KB5034203 or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft is actively working on this issue, and so we should expect an update soon.

Some users of Windows Server 2008 will see messages that say, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” when attempting to update legacy devices. This may be a result of an improperly configured ESU configuration. Microsoft has recently updated its guidelines on acquiring and configuring ESU keys, which may help those still struggling.

Major revisions 

This month, Microsoft published these revisions to past updates:

CVE-2022-0001: Branch History Injection. Reason for revision: Corrected one or more links in the FAQ. This is an informational change only. No further action required.

CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability: Updated FAQs to include information on how to be protected from this vulnerability for customers running Windows 11 23H2 or Windows Server 2022, 23H2 Edition. No further action required.

CVE-2013-3900: WinVerifyTrust Signature Validation Vulnerability.

Microsoft has updated the FAQ documentation to inform customers that EnableCertPaddingCheck is data type REG_SZ (a string value) and not data type dword. When you specify ‘EnableCertPaddingCheck” as in “DataItemName1″=”DataType1:DataValue1” do not include the date type value or colon. This will mitigate the impact of this vulnerability.

There was a significant update to the Kerberos security system within Windows, too, with a change to an existing patch (CVE-2024-21427). Microsoft has removed all supported versions of Windows 11 as they are no longer affected by the vulnerability. (Looks like another reason to upgrade to the latest Windows desktop.)

Mitigations and workarounds

Microsoft released the following vulnerability-related mitigation:

CVE-2024-26232: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability. Microsoft helpfully notes that the MSMQ feature is rarely needed and can be disabled, reducing exposure to this vulnerability. Yep.

Each month, the Readiness team analyzes the latest updates and provides detailed, actionable testing guidance; the recommendations are based on a large application portfolio and detailed analysis of the patches and their potential impact on Windows and apps.

For this release cycle, we grouped the critical updates and required testing efforts into functional area including:

File management

Test scenarios involving tar.exe or the native support of archives in Windows.

Test end-to-end scenarios involving File Management Tasks and Storage Reports Management.

Crypto (local security mechanisms)

Test scenarios that utilize Crypto APIs. Please pay special attention to any operation that relies on CryptDecodeObject or CryptDecodeObjectEx. 

Test your cryptographic operations and key generation, particularly in VTL1 environments.

Test out variations of replications on different types and sizes of files and folders. 

Networking (DHCP and DNS)

Test functional scenarios where Client DUID is a required parameter. 

Send Message with VendorOption of DomainName. 

Check whether the client UID is provided to the RPC API.

Test DNS virtual instance and zone management scenarios.

Remote desktop and connections

Test out point-to-point connections and RRAS servers using the MPRAPI protocols. 

Test your VPN connections with a connect/disconnect, delete and repeat test cycle.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” for comparison between builds). However, for your line-of-business apps getting the application owner (doing UAT) to test and approve the results is absolutely essential. 

There have been a large number (24 of this month’s total of 164) of updates to Microsoft SQL components in Windows and to how OLE operates with other Windows features. Applications that require these kinds of “cooperative” interactions are generally complex line-of-business applications. Trouble-shooting these update scenarios requires specialist application expertise and can be very time consuming. 

To prevent downtime, expensive faults and potentially damaging compliance issues, we fully recommend an audit of your application portfolio, identifying SQLOLE, OLEDB, and ODBC dependencies with an assessment and testing plan before general deployment of this month’s patches.

Windows lifecycle update 

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

Windows 10 21H2 (E) ends in June 2024.

Microsoft.NET 7.0.18 (support ends this month).

Microsoft Visual Studio (2022 – 17.4 LTSC) support ends this month.

PowerShell 7.3 main support ends May 8, 2024.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge);

Microsoft Windows (both desktop and server);

Microsoft Office;

Microsoft SQL Server (not Exchange Server);

Microsoft Development platforms (ASP.NET Core,.NET Core and Chakra Core);

Adobe (if you get this far).

Browsers

Microsoft released just five updates to its Chromium-based browser, all rated important. Note that the next release for this browser platform is the week of April 18. Chromium releases are now out of sync with Microsoft Patch Tuesday updates. Add these updates to your standard patch release schedule. 

Windows

For this (mammoth) release to the Windows platform, the following broad areas have been updated.

Windows RAS, ICS, RRAS.

Windows Message Queuing.

Windows Cryptographic Services, BitLocker, Kerberos and LSASS.

Windows Distributed File System (DFS).

Windows DHCP Server.

Microsoft WDAC OLE DB provider for SQL.

Windows Telephony Server.

This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild and if you are on a modern platform (Windows 10/11) all these reported security vulnerabilities are difficult to exploit. Please add this update to your standard Windows release schedule. 

Microsoft Office

Microsoft released only two patches (CVE-2024-26251 and CVE-2024-26257) for the Microsoft Office suite affecting Excel and SharePoint. Both updates are rated important by Microsoft and should be included in your standard Office update schedule.

Microsoft SQL Server (not Exchange Server)

In place (and instead) of Microsoft Exchange Server, we have a special guest this month: Microsoft SQL Server. Microsoft released 38 patches for its database platform, making it one of the largest, most complex and technically challenging updates in memory. 

The important thing to note here is that these updates affect how OLE (object linking and embedding), ODBC and SQL Server operate. As a critical middle layer for most business applications, this update will require significant attention from your in-house development, testing and deployment teams. It is not just a big update. It’s the multiplicative, interdependent nature of multiple cooperating systems that are being updated. Really, really. 

Microsoft development platforms 

Microsoft released 11 updates to the development platform, with 10 focused on Microsoft SQL ODBC issues within Microsoft Visual Studio and the other update impacting Microsoft.NET (CVE-2024-21409). This month’s.NET vulnerability has remote in the name, but it requires a local account (and permissions) and so can be added to your standard developer release schedule. The other 10 affecting SQL and ODBC? Your in-house development team will have to have an in-depth look at these updates. It could be really messy, so take your time.

Adobe Reader (if you get this far) 

No Adobe updates from Microsoft this month. And (lucky us) there are no other updates to third-party tools or platforms included in this update cycle.
Microsoft, Security, Windows, Windows 10, Windows 11, Windows Security