WWW.COMPUTERWORLD.COM
For December's Patch Tuesday, 74 updates and a zero-day fix for Windows
Microsoft released 74 updates in its December Patch Tuesday update, with patches for Windows, Office and Edge but none for Microsoft Exchange Server or SQL Server. One zero-day (CVE-2024-49138) affecting how Windows desktops handle error logs requires a Patch Now warning, but the Office, Visual Studio and Edge patches can be added to your standard release schedule. There are also several revisions this month that require attention before deployment, including two (CVE-2023-36435 and CVE-2023-38171) that will need extensive testing.

The Readiness team has provided this infographic outlining the risks associated with each of the updates this cycle.

(More information about the previous six months of Patch Tuesday releases is available here.)

Known issues

Other than the Roblox issue, Microsoft has published a reduced set of known issues for December:

- There have been reports that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. Microsoft has offered several mitigation options for those still affected.
- For those still on Windows Server 2008, you might receive warnings that Windows Update failed to complete successfully. Microsoft is working on this issue and expects a fix to be released soon. Many users will now have to move to the second stage of Extended Support Updates (or ESU).

Major revisions

For the final Patch Tuesday in 2024, there are these revisions to previously released updates:

- CVE-2023-36435 and CVE-2023-38171: Microsoft QUIC Denial of Service Vulnerability. This is the third update to this two-year-old series of patches to the Microsoft .NET platform. Rather than a strictly information update, these patches will need to be added to your December release schedule.
- CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This is a release for this month's update. This does not happen often, as this patch was only released 24 hours ago. (In fact, due to an error in the documentation, this patch was duplicated in the release notes as well.)
- CVE-2023-44487: HTTP/2 Rapid Reset Attack. The update relates to a change in affected software, meaning all recent supported versions of Microsoft .NET and Visual Studio are included in the scope of the patch. Add this to your development update release schedule for the month.
- CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability. This late edition revision has been widely reported in the news as it affects older versions of Windows Server (2008 and 2012) and has received some generous technical support from outside Microsoft.

This is an unusual month for revisions, with several patches from 2023 updated in the final months of 2024, with increased scopes and associated testing requirements. The Readiness team advises extra caution addressing both CVE-2023-36435 and CVE-2023-38171.

Windows lifecycle and enforcement updates

There were no product or security enforcements for this update cycle. However, Microsoft has noted that:

There won't be a non-security preview release for the month of December 2024. There will be a monthly security release for December 2024. Normal monthly servicing for both security and non-security preview releases will resume in January 2025.

Each month, we analyze the latest Patch Tuesday updates from Microsoft and provide detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and application installations.

For this cycle, we have grouped the critical updates and required testing efforts into different functional areas including:

Networking and Remote Desktop Services

This month's update addresses key components of Microsoft's Remote Desktop Services with the following testing guidance:

- Test RDP connections over the Microsoft Remote Desktop Gateway.
- Try RPC over HTTP/HTTPS pathways while validating Remote Desktop broker features.
- Test out DNS signing key operations for RRAS environments.
- Validate WAN port operations (try netsh commands).

Local Windows File System and Storage

Minor changes to the Windows desktop file system will require a test of the ReFS system (light CRUD testing required). Due to changes in how Windows handles non-English characters, a test of Input Method Editors (IMEs) is required for Japanese formats.

Virtual Machines and Microsoft Hyper-V

A minor update to a key virtualization driver will require some traffic testing and monitoring for Microsoft's Hyper-V and virtualization platforms.

While these recent updates are generally low-profile patches to Windows subsystems, we feel that the primary testing this month should focus on validating remote network traffic. The file system and Hyper-V changes require light testing. The goal for most enterprises is to get these Microsoft updates deployed before change control lock-down arrives.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange Server
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe (if you get this far)

Browsers

There were just two minor updates for Microsoft Edge this month, with CVE-2024-12053 and CVE-2024-49041 both rated as important. Add these low-profile changes to your standard release schedule.

Windows

Though there is a strong focus on networking, this release also affects the following Windows features:

- Windows Remote Desktop and related routing servers
- Windows Kernel and Kernel Mode Drivers
- Printing
- Microsoft Hyper-V
- Microsoft LDAP and LSASS
- Windows Error Reporting

Unfortunately, there is a zero-day (CVE-2024-49138) that has been reported as publicly disclosed and exploited in the wild that affects how Windows creates error log files. Add these Windows updates to your Patch Now cycle.

Microsoft Office

Microsoft released nine patches to Office, all rated important. In addition, the company offered some additional security measures and mitigations to the platform with the release of the advisory ADV240002, which covers the following areas:

- Perimeter Defense
- Network Security
- Endpoint Protection
- Application Security

This month's update affects Microsoft Excel, SharePoint and core Microsoft Office libraries. Add these patches to your standard Office release schedule.

Microsoft SQL (nee Exchange) Server

There were no updates for either Microsoft SQL or Exchange Server.

Microsoft development platforms

Microsoft released a single update to the experimental AI music project Muzic with CVE-2024-49063. We'll take this as a win with no further updates to Microsoft .NET or Visual Studio.

Adobe Reader (and other third-party updates)

Adobe has released a completely normal, run-of-the-mill update to both Reader and Acrobat (Adobe Release notes). This is good news. This update has not been included in the Microsoft release cycle, which is as it should be. Adding to the huge, globally shared sense of relief, Adobe has chosen to modify its patching methodology to fall in line with industry best practices. Long-suffering IT admins have had to create (and maintain) process workflow exceptions to handle Adobe updates, usually with complex PowerShell scripts. No longer!

Thank you, Adobe; there is no greater gift than a few less things to do (repeatedly).

For those readers who have enjoyed delving into the deeper details of all things patching, the Readiness team would like to say, Thank you for the time and attention and we look forward to the New Year.

No surprises, right?