WWW.COMPUTERWORLD.COM
For November, Patch Tuesday includes three Windows zero-day fixes
Microsoft's November Patch Tuesday release addresses 89 vulnerabilities in Windows, SQL Server, .NET and Microsoft Office, and three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that mean a "Patch Now" recommendation for Windows platforms. Unusually, there are a significant number of patch re-releases that might also require administrator attention.

The team at Readiness has provided this infographic outlining the risks associated with each of the updates for this cycle. (For a rundown of recent Patch Tuesday updates, see Computerworld's round-up here.)

Known issues

There were a few reported issues for the September update that have been addressed now, including:

- Enterprise customers are reporting issues with the SSH service failing to start on updated Windows 11 24H2 machines. Microsoft recommended updating the file/directory level permissions on the SSH program directories (remember to include the log files). You can read more about this official workaround here.
- It looks like we are entering a new age of ARM compatibility challenges for Microsoft. However, before we get ahead of ourselves, we really need to sort out the (three-month-old) Roblox issue.

Major revisions

This Patch Tuesday includes the following major revisions:

- CVE-2013-390: WinVerifyTrust Signature Validation Vulnerability. This update was originally published in 2013 via TechNet. It is now made available and applicable to Windows 10 and 11 users due to a recent change in the EnableCertPaddingCheck Windows API call. We highly recommend a review of this CVE and its associated Q&A documentation. Remember: if you must set your values in the registry, ensure that they are of type DWORD, not REG_SZ.
- CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability. When Microsoft updates a CVE (twice) in the same week, and the vulnerability has been publicly disclosed, it's time to pay attention.
Before you apply this Exchange Server update, we highly recommend a review of the reported header detection issues and mitigating factors.

And unusually, we have three kernel mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528) that were re-released in October and updated this month. These security vulnerabilities exploit a race condition in Microsoft's Virtualization Based Security (VBS). It's worth a review of the mitigating strategies while you thoroughly test these low-level kernel patches.

Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows platforms and application installations.

For this release cycle, we have grouped the critical updates and required testing efforts into separate product and functional areas including:

Networking:
- Test end-to-end VPN, Wi-Fi, sharing and Bluetooth scenarios.
- Test out HTTP clients over SSL.
- Ensure internet shortcut files (ICS) display correctly.

Security/crypto:
- After installing the November update on your Certificate Authority (CA) servers, ensure that enrollment and renewal of certificates perform as expected.
- Test Windows Defender Application Control (WDAC) and ensure that line-of-business apps are not blocked. Ensure that WDAC functions as expected on your virtual machines (VMs).

Filesystem and logging:
- The NTFileCopyChunk API was updated and will require internal application testing if directly employed. Test the validity of your parameters and issues relating to directory notification.

I cannot claim to have any nostalgia for dial-up internet access (though I do have a certain Pavlovian response to the dial-up handshake sound). For those who are still using this approach to access the internet, the November update to the TAPI API has you in mind.
A quick (haha) test is required to ensure you can still connect to the internet via dial-up once you update your system.

Windows lifecycle and enforcement updates

There were no product or security enforcements this cycle. However, we do have the following Microsoft products reaching their respective end-of-servicing terms:

- Oct. 8, 2024: Windows 11 Enterprise and Education, Version 21H2; Windows 11 Home and Pro, Version 22H2; Windows 11 IoT Enterprise, Version 21H2.
- Oct. 9, 2024: Microsoft Project 2024 (LTSC).

Mitigations and workarounds

Microsoft published the following mitigations applicable to this Patch Tuesday.

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we need to take it seriously. Microsoft has offered some mitigation strategies during the update/testing/deployment for most enterprises that include:

- Remove overly broad enroll or auto-enroll permissions.
- Remove unused templates from certification authorities.
- Secure templates that allow you to specify the subject in the request.

As most enterprises employ Microsoft Active Directory, we highly recommend a review of this knowledge note from Microsoft.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (if you get this far).

Browsers

Microsoft released a single update specific to Microsoft Edge (CVE-2024-49025), and two updates for the Chromium engine that underpins the browser (CVE-2024-10826 and CVE-2024-10827). There's a brief note on the browser update here.
We recommend adding these low-profile browser updates to your standard release schedule.

Windows

Microsoft released two patches (CVE-2024-43625 and CVE-2024-43639) with a critical rating and another 35 patches rated as important by Microsoft. This month the following key Windows features have been updated:

- Windows Update Stack (note: installer rollbacks may be an issue);
- NT OS, Secure Kernel and GDI;
- Microsoft Hyper-V;
- Networking, SMB and DNS;
- Windows Kerberos.

Unfortunately, these Windows updates have been publicly disclosed or reported as exploited in the wild, making them zero-day problems:

- CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability.
- CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability.
- CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability.

Add these Windows updates to your "Patch Now" release cadence.

Microsoft Office

Microsoft pushed out six Microsoft Office updates (all rated important) that affect SharePoint, Word and Excel. None of these reported vulnerabilities involve remote access or preview pane issues, and none have been publicly disclosed or exploited in the wild. Add these updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server

You want updates to Microsoft SQL Server? We got 'em: 31 patches to the SQL Server Native Client this month. That's a lot of patches, even for a complex product like Microsoft SQL Server. These updates appear to be the result of a major clean-up effort from Microsoft addressing the following reported security vulnerabilities:

- CWE-122: Heap-based Buffer Overflow
- CWE-416: Use After Free

The vast majority of these SQL Server Native Client updates address the CWE-122 related buffer overflow issues. Note: these patches update the SQL Native Client, so this is a desktop, not a server, update. Crafting a testing profile for this one is a tough call. No new features have been added, and no high-risk areas have been patched.
However, many internal line-of-business applications rely on these SQL client features. We recommend that your core business applications be tested before this SQL update; otherwise, add it to your standard release schedule.

Footnote: Remember that there is a major revision to CVE-2024-49040; this could affect the SQL Server server side of things.

Microsoft development platforms

Microsoft released one critical-rated update (CVE-2024-43498) and three updates rated as important for Microsoft .NET 9 and Visual Studio 2022. These are pretty low-risk security vulnerabilities and very specific to these versions of the development platforms. They should present a reduced testing profile. Add these updates to your standard developer schedule this month.

Adobe Reader (and other third-party updates)

Microsoft did not publish any Adobe Reader-related updates this month. The company released three non-Microsoft CVEs covering Google Chrome and SSH (CVE-2024-5535). Given the update to Windows Defender (as a result of the SSH issue), Microsoft also published a list of Defender vulnerabilities and weaknesses that might assist with your deployments.
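As an added example (not the article's or Microsoft's code), the following PowerShell reports AD CS certificate templates against the three CVE-2024-49019 mitigations listed under "Mitigations and workarounds" above: requester-supplied subject, broad Enroll/AutoEnroll grants, and templates no CA publishes. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and the AD CS schema flag and extended-right GUIDs named in the comments.

```powershell
# Added example (not from the Computerworld article or from Microsoft).
# Lists templates that match the CVE-2024-49019 mitigation list: subject
# supplied by the requester, broad Enroll/AutoEnroll permissions, or not
# published on any CA. The flag value and right GUIDs below are AD CS schema
# constants assumed from Microsoft's schema documentation, not from the article.
Import-Module ActiveDirectory

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$EnrolleeSuppliesSubject = 0x1       # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$EnrollRights = @('0e10c968-78fb-11d2-90d4-00c04f79dc55',   # Certificate-Enrollment extended right
                  'a05b8cc2-17bc-4802-a710-e7c15ab866a2')   # Certificate-AutoEnrollment extended right
$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers'
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-RiskyCertTemplate {
    # Template names currently published on at least one enrollment service (CA)
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }

    Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, nTSecurityDescriptor |
    ForEach-Object {
        $nameFlags = [int]$_.'msPKI-Certificate-Name-Flag'
        # Allow ACEs granting Enroll/AutoEnroll, all extended rights, or full control to broad groups
        $broad = foreach ($ace in $_.nTSecurityDescriptor.Access) {
            $who = $ace.IdentityReference.Value -replace '^.*\\', ''
            $grantsEnroll = ($ace.ObjectType.ToString() -in $EnrollRights) -or
                ($ace.ObjectType -eq [guid]::Empty -and $ace.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight)) -or
                $ace.ActiveDirectoryRights.HasFlag($ADR::GenericAll)
            if ($ace.AccessControlType -eq 'Allow' -and $who -in $BroadPrincipals -and $grantsEnroll) { $who }
        }
        [pscustomobject]@{
            Template         = $_.Name
            Published        = $_.Name -in $published
            RequesterSubject = ($nameFlags -band $EnrolleeSuppliesSubject) -ne 0
            BroadEnroll      = ($broad | Sort-Object -Unique) -join ', '
        }
    } | Where-Object { -not $_.Published -or $_.RequesterSubject -or $_.BroadEnroll }
}

Get-RiskyCertTemplate | Sort-Object Published, Template | Format-Table -AutoSize
```

Rows with RequesterSubject set and a non-empty BroadEnroll column are the ones the third mitigation targets; unpublished rows are candidates for the second.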