A haunting Patch Tuesday for October: 117 updates (and 5 zero-day flaws)

This month’s Patch Tuesday delivers a large set of patches from Microsoft that fix 117 flaws, including five zero-day vulnerabilities (CVE-2024-43573, CVE-2024-6197, CVE-2024-20659, CVE-2024-43572 and CVE-2024-43583). 

Though there are patches affecting Windows, SQL Server, Microsoft Excel and Visual Studio, only the Windows updates require a “Patch Now” schedule — and they’ll need a significant amount of testing because they cover a lot of features: networking, kernel and core GDI components and Microsoft Hyper-V. Printing should be a core focus for enterprise testing and the SQL Server updates will require a focus on internally developed applications. 

The team at Readiness has crafted this infographic outlining the risks associated with each of the October updates. A rundown of recent Patch Tuesday releases is available here.

Known issues 

There were a few reported issues for the September update that have now been addressed, including:

Remote desktop and gateway connectivity issues.

SharePoint Server deserialization issues with custom types.

These are relatively minor concerns compared to dealing with recent problems deploying Windows 11 24H2. Covering both compatibility and security challenges, these include:

The Safe Exam browser may fail to load. Version 3.7 of this application is currently “hard-blocked” by Microsoft until further notice. This means Microsoft has updated the list of applications that are currently not allowed to run on the target platform.

Fingerprint sensors and readers may not function as expected. According to Microsoft, a firmware update should resolve the issue.

Compatibility issues with specific sound cards (Intel Smart Sound) could cause them to stop working properly.

These problems are likely to be resolved with application and firmware updates rather than Microsoft patches and primarily affect users upgrading to Windows 11 24H2. That said, Microsoft has advised there are problems with the “first build” or out-of-box installation of this latest Microsoft release. We suggest that enterprises wait until the next release before serious testing and deployment.

Major revisions

This month, Microsoft published the following major revisions: 

CVE-2024-38163: Windows Update Stack Elevation of Privilege Vulnerability. This is a low-level administrator (WinRe) vulnerability that has neither been publicly exploited nor disclosed. This is a documentation update; no further action is required.

CVE-2024-38016: Microsoft Office Visio Remote Code Execution Vulnerability. This “remote code” security issue actually requires local access to succeed. It has not been reported as exploited in the wild and Microsoft has provided an official fix. This is a documentation update only; no further action needed. 

Testing Guidance

Each month,  Readiness analyzes the latest updates and provides detailed, actionable testing guidance based on a large application portfolio and the patches’ potential impact on the Windows platforms and app installations.

We’ve grouped the critical updates and required testing into separate product and functional areas including:

Microsoft SQL Server

With two updates this month, desktop (or client) testing will be required for data-driven applications. We recommend that the following SQL-related tests be included for October:

Validate SQL Commands and stored procedures.

Ensure data “Refresh” operations perform correctly with Microsoft Active Data (ADOX) objects. These are difficult operations to debug due to the generally large number of inter-connected objects (databases and systems) and the business criticality of these systems. Start early on this effort.

Test queries that accept large numbers of parameters. SQL parameter boundary testing is probably a good idea.

Windows

While the primary testing scenario for this update is really to test printing, there is a lot to check. Microsoft has made significant changes to broad areas in networking, low-level changes to the Kernel and graphics handler (GDI), and updates to core features including Microsoft Hyper-V. A feature-by-feature testing regime should include:

Networking: Test large file transfers (include IPv6) over remote desktop connections, VPNs and varied network conditions. Web browsing tests should include multiple simultaneous connections — and messaging applications such as Microsoft Teams should be included in this cycle.

Security: Ensure that (internal) code still performs cryptographic functions accurately using RSA keys. Authentication should work correctly between both Microsoft and Linux systems. A validation of Kerberos client authentication will also be required.

Remote Desktop: updates to Microsoft Routing and Remote Access Server (RRAS) server will require remote access administrative action testing. Remote desktop licensing will require functionality testing. And the remote desktop related APIs MprConfigFilterSetInfo and MprInfoBlockRemove  have been updated, so internally developed systems that connect with RRAS will require an authentication test.

Windows Error Logs: Due to a change in the Windows Common Logging File System (CLFS) a quick test of resultant container files is required.

Again, the primary focus should be on testing printing. Rather than a simple (does it actually print) test, more complex print-related checks are required, including:

Validating text rendering and formatting for entire documents;

Starting, stopping and disabling printer queues;

Printing across a “matrix” of 32- and 64-bit platforms that includes variations of both desktop and server environments. The main challenges will be found with 32-bit applications on 64-bit platforms (Adobe Reader, we’re looking at you). 

Install and uninstall third-party software management software on both platforms.

Windows lifecycle and enforcement updates

This section includes important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.

Windows 11 Enterprise Version 21H2 Microsoft servicing support ended on Oct. 8, 2024.

Mitigations and workarounds 

Microsoft published the following mitigations applicable to this Patch Tuesday.

CVE-2024-43609: Microsoft Office Spoofing Vulnerability. Microsoft has published additional documentation on setting Group Policy Objects (GPOs) referencing the Restrict Outgoing NTLM traffic to remote servers policy that will reduce the scope of this security issue through improved connection request auditing and reporting.

CVE-2024-38124: Windows Netlogon Elevation of Privilege Vulnerability. While not offering specific settings or security configurations, Microsoft does offer advice on how to reduce the impact of this vulnerability with best practice guidance on server naming conventions, name change reporting/auditing and employing multi-factor authentication.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge) 

Microsoft Windows (both desktop and server) 

Microsoft Office

Microsoft Exchange Server 

Microsoft Development platforms (ASP.NET Core,.NET Core and Chakra Core)

Adobe (if you get this far) 

Browsers 

Microsoft released just three updates for the Chromium browser project specific to Microsoft Edge:

CVE-2024-7025: Integer overflow in Layout.

CVE-2024-9369: Insufficient data validation in Mojo.

CVE-2024-9370: Inappropriate implementation in V8.

The Chromium project has provided a very handy dashboard for its latest releases and testing status. Add these browser updates to your standard release schedule.

Windows 

Microsoft released one patch with a critical rating and 92 patches rated important. This month, the following key Windows features have been updated:

Windows Kernel and Graphics

Microsoft SQL and OLE DB provider for SQL

Windows Print, Telephony and FAX

Windows NTFS, storage port and Common Log Systems

Remote Desktop and Networking

Unfortunately, Microsoft had to deal with five zero-days (CVE-2024-43573, CVE-2024-6197, CVE-2024-20659, CVE-2024-43572 and CVE-2024-43583) due to reports of public disclosure and exploits in the wild. Put these on your “Patch Now” schedule.

Microsoft Office 

Microsoft published six updates (all rated important) for the Office platform. These updates do not include any preview pane or reported zero-click vulnerabilities and only affect Excel and SharePoint. Add these to your standard Office update schedule.

Microsoft SQL (nee Exchange) Server 

There were no updates for Microsoft Exchange Server. However, Microsoft released two updates to Microsoft SQL Server product group (CVE-2024-43481 and CVE-2024-43612); add them to your standard server update schedule.

Microsoft development platforms

Microsoft released a single update rated critical (CVE-2024-43488) to Visual Studio and eight further updates (all rated important) to the Microsoft.NET platform. None of these security issues have been reported as exploited or publicly disclosed, so add them to your standard developer release schedule.

Adobe Reader (and other third-party updates)

Microsoft did not publish any Adobe Reader related updates. That said, there are critical updates for both Reader and Acrobat that deserve attention. Microsoft included an update for another third-party application (CURL) that addresses a free memory buffer overflow vulnerability (CVE-2024-6197) — just like Reader used to do). The assigning CNA for this issue is named as HackerOne, which we find endearing.