Microsoft's September Patch Tuesday
Updates, Mitigations, and Testing Guidance
September 18, 2023
PC BOSS
Microsoft's September Patch Tuesday release has arrived with a substantial number of updates, including critical patches for Visual Studio and .NET, a publicly disclosed and actively exploited vulnerability in Microsoft Word, and a notable change in how third-party printer drivers are handled. In this blog post, we will delve into the key highlights of this month's release: known issues, major revisions, mitigations, testing guidance, and a breakdown by product family.
Known Issues
After installing this update on guest virtual machines running Windows Server 2022 on some versions of VMware ESXi, the guest might fail to start. Only Windows Server 2022 VMs with Secure Boot enabled are affected, and the affected hosts are ESXi 7.0.x and earlier. VMware's article KB90947 describes the resolution (upgrading the ESXi host, or temporarily disabling Secure Boot on the VM), so check the host version before approving the update for those guests.
New security enhancements in SharePoint Server 2019 may prevent custom .aspx files from being displayed under specific circumstances. The block is recorded with the event tag "92liq" in the SharePoint Unified Logging System (ULS) logs, so search those logs first if a SharePoint-based customization stops rendering after the update.
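The two known issues above can be checked for before the update is approved. The following is an added example (not code from the original post, Microsoft or VMware) that flags the at-risk VM configuration and searches the ULS logs for the "92liq" tag. It assumes Windows PowerShell 5.1 run as an administrator on the guest or SharePoint server itself; the ULS path is the default SharePoint 2019 (16 hive) location and is an assumption if your farm relocated its logs.

```powershell
# Added example, not from the original post: pre-flight checks for the two known
# issues. Assumptions: run elevated in Windows PowerShell 5.1 on the machine being
# checked; the ULS log path below is the SharePoint 2019 default (assumption).

function Test-Ws2022EsxiSecureBootRisk {
    # Flags the configuration Microsoft and VMware KB90947 describe: a Windows
    # Server 2022 guest (build 20348) on VMware with Secure Boot enabled. The
    # ESXi build itself is only visible from the host/vCenter, so confirm it there.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $isWs2022 = ($os.BuildNumber -eq '20348') -or ($os.Caption -like '*Server 2022*')
    $isVmware = $cs.Manufacturer -like 'VMware*'

    # Confirm-SecureBootUEFI throws on BIOS-firmware VMs; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $atRisk = $isWs2022 -and $isVmware -and $secureBoot
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        IsServer2022  = $isWs2022
        IsVmwareGuest = $isVmware
        SecureBoot    = $secureBoot
        AtRisk        = $atRisk
        Guidance      = $(if ($atRisk) {
            'Verify the ESXi host version against VMware KB90947 before installing; upgrade the host or disable Secure Boot on the VM as the KB directs.'
        } else { 'Not in the affected configuration.' })
    }
}

function Find-SharePointAspxBlockEvent {
    param(
        # Default SharePoint 2019 ULS folder (assumption; pass your own if relocated).
        [string]$LogPath = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\LOGS",
        [int]$Days = 7
    )
    if (-not (Test-Path -Path $LogPath)) { return @() }
    $since = (Get-Date).AddDays(-$Days)
    # ULS entries are tab-separated; the event tag column carries values like 92liq.
    Get-ChildItem -Path $LogPath -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-String -Pattern '92liq' -SimpleMatch |
        Select-Object Filename, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

Test-Ws2022EsxiSecureBootRisk | Format-List
Find-SharePointAspxBlockEvent | Format-Table -AutoSize
```

Run the first function on every Windows Server 2022 guest in the pilot ring and hold the update for any machine that reports AtRisk until the host has been checked; run the second on the SharePoint front-end after the update and before users report broken pages.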
Major Revisions
CVE-2023-41303: A use-after-free vulnerability in the Autodesk FBX SDK 2020 has been addressed. Microsoft lists this as an informational entry: there is no updated release log from the third-party vendor, Autodesk, and Microsoft recommends no further action.
CVE-2023-20569: The AMD Return Address Predictor vulnerability entry has been revised to cover Azure Virtual Machines. Customers who use custom maintenance controls on Azure VMs are responsible for applying the update themselves and are advised to take action to protect their resources.
CVE-2023-21709, CVE-2023-35368, CVE-2023-35388, CVE-2023-38185, CVE-2023-38181, and CVE-2023-38182: The August updates for these Microsoft Exchange Server vulnerabilities, which include elevation of privilege, have been re-released. The known issue that broke installation of the August update on non-English Exchange servers has been resolved, and Microsoft recommends installing the updated packages promptly.
CVE-2023-36769: A OneNote CVE that was missed in the original release notes has been added to this month's list, a reminder to reconcile your patch inventory against the current Security Update Guide rather than a snapshot.
Mitigations and Workarounds
Microsoft has provided mitigations for specific vulnerabilities, including CVE-2023-38162, CVE-2023-38152, and CVE-2023-36081, which pertain to the DHCP Server Service. If the DHCP Server role is not installed and running on a server, that server is not exposed to these vulnerabilities; the role is commonly present on domain controllers and infrastructure servers, so verify rather than assume.
CVE-2023-38148: For the Internet Connection Sharing (ICS) Remote Code Execution Vulnerability, hosts that have not enabled ICS are not exposed. ICS is rarely intended on managed endpoints, so finding it enabled is itself worth investigating.
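Both mitigations above reduce to "is the feature enabled on this host?". The following is an added example (not code from the original post or from Microsoft) that answers that question for the DHCP Server role and ICS by checking the services that implement them, and for ICS also lists any connections actually being shared. It assumes Windows PowerShell 5.1 run elevated; the service names DHCPServer and SharedAccess are the standard Windows names, the HNetCfg.HNetShare COM object is the NetSharingManager API, and the CVE strings are copied from the text above for reporting only.

```powershell
# Added example, not from the original post: exposure check for the DHCP Server
# and ICS mitigations. Assumptions: elevated Windows PowerShell 5.1; standard
# service names DHCPServer and SharedAccess; HNetCfg.HNetShare COM available.

function Get-SharedConnection {
    # Returns the names of network connections with ICS sharing enabled, via the
    # NetSharingManager COM API. Returns nothing if ICS was never configured.
    try {
        $mgr = New-Object -ComObject HNetCfg.HNetShare
        foreach ($conn in $mgr.EnumEveryConnection) {
            $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
            if ($cfg.SharingEnabled) { $mgr.NetConnectionProps($conn).Name }
        }
    } catch { }
}

function Get-FeatureExposure {
    # Constructed mapping of feature -> service -> CVEs named on this page.
    $checks = @(
        @{ Feature = 'DHCP Server role';                  Service = 'DHCPServer';
           Cves = 'CVE-2023-38162, CVE-2023-38152, CVE-2023-36081' },
        @{ Feature = 'Internet Connection Sharing (ICS)'; Service = 'SharedAccess';
           Cves = 'CVE-2023-38148' }
    )
    foreach ($c in $checks) {
        # The DHCP Server service only exists once the role is installed, so a
        # missing service means "not installed", not an error.
        $svc       = Get-Service -Name $c.Service -ErrorAction SilentlyContinue
        $installed = $null -ne $svc
        $running   = $installed -and ($svc.Status -eq 'Running')
        $detail    = ''
        if ($c.Service -eq 'SharedAccess' -and $installed) {
            $shared = @(Get-SharedConnection)
            $detail = if ($shared.Count) { 'Shared: ' + ($shared -join '; ') } else { 'No connection shared' }
        }
        [pscustomobject]@{
            Feature   = $c.Feature
            Service   = $c.Service
            Installed = $installed
            Running   = $running
            StartType = $(if ($installed) { $svc.StartType } else { 'n/a' })
            Exposed   = $running
            Detail    = $detail
            Cves      = $c.Cves
        }
    }
}

Get-FeatureExposure | Format-Table -AutoSize
```

Treat Exposed = True as "patch in the first wave"; a DHCP Server service that is installed but disabled is a lower priority than a running one, but still patch it, since the service can be started later. A SharedAccess service that is running with no connection shared is usually residue from a past hotspot setup and a candidate for disabling outright.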
Testing Guidance
Testing is crucial, especially due to significant changes in this patch cycle. Testing scenarios are divided into standard and high-risk profiles:
High Risk:
Printer Testing: Comprehensive testing of all printers is recommended, considering the major changes in how third-party printer drivers are handled.
Advanced Printer Features: Test advanced printer features such as watermarking and other customization options.
Printing Across Connections: Perform printing tests over RDP and VPN connections to ensure seamless functionality.
Software Management: Test the installation, updating, and uninstallation of key printing software.
Standard Risk:
Security Configuration Testing: Test your security restrictions/sandbox when using Microsoft Intune and Windows Defender Application Control (WDAC). Applications should install and uninstall as expected.
Windows Error Logs: Confirm that the "CRUD" operations against Windows error logs complete successfully. The set here is Create, Read, Update, Delete, plus Extend.
Wireless Display Testing: Test wireless displays on laptops, because this month's update touches core graphics handling in Windows (GDI.DLL).
Networking Stack Testing: Major updates have been made to the Windows networking stack, including changes to how DHCP handles failover relationships. Testing should include ping request/reply tests to hosts both inside and outside your network, ideally from the same machine before and after the update so the results can be compared.
Automated testing is highly beneficial for these scenarios, especially when a testing platform offers a "delta" or comparison between builds. However, for your line-of-business applications, involving the application owner in User Acceptance Testing (UAT) to test and approve results remains essential.
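The high-risk printing checks and the networking-stack ping tests above lend themselves to exactly the kind of automated before/after comparison the paragraph describes. The following is an added example (not code from the original post or from Microsoft) that inventories printer drivers and flags third-party ones, sends the Windows test page to every physical printer, pings inside and outside hosts, and saves the results as a JSON baseline tagged with the OS build so the pre- and post-patch runs can be diffed. It assumes elevated Windows PowerShell 5.1 on the pilot machine; the inside/outside host names are placeholders to replace with your own, and the virtual-printer filter (PDF, XPS, OneNote, Fax) exists so the test page does not block on a file-save prompt.

```powershell
# Added example, not from the original post: post-patch smoke test for printing
# and the network stack, saved per OS build for before/after comparison.
# Assumptions: elevated Windows PowerShell 5.1; host names below are placeholders.

function Get-PrinterDriverReport {
    # Drivers not published by Microsoft are the third-party ones whose servicing
    # is being phased out; class/IPP drivers are the supported replacement.
    Get-PrinterDriver | Select-Object Name, Manufacturer, PrinterEnvironment, DriverVersion,
        @{ n = 'ThirdParty';  e = { $_.Manufacturer -notlike 'Microsoft*' } },
        @{ n = 'ClassDriver'; e = { $_.Name -like '*Class Driver*' } }
}

function Invoke-PrinterTestPage {
    # Sends the Windows test page to every non-virtual printer and records the
    # WMI return code (0 = job submitted). Virtual printers are skipped because
    # they prompt for a file name and would hang an unattended run.
    $printers = Get-Printer | Where-Object {
        $_.PortName -notmatch '^(PORTPROMPT:|nul:|SHRFAX:)' -and
        $_.Name -notmatch 'PDF|XPS|OneNote|Fax'
    }
    $wmi = Get-CimInstance -ClassName Win32_Printer
    foreach ($p in $printers) {
        $obj = $wmi | Where-Object Name -eq $p.Name
        if (-not $obj) { continue }
        $r = Invoke-CimMethod -InputObject $obj -MethodName PrintTestPage
        [pscustomobject]@{ Printer = $p.Name; Driver = $p.DriverName; Port = $p.PortName; ReturnValue = $r.ReturnValue }
    }
}

function Test-NetworkSmoke {
    param(
        [string[]]$InsideHosts  = @('dc01.corp.example'),   # placeholder (assumption)
        [string[]]$OutsideHosts = @('www.microsoft.com')    # placeholder (assumption)
    )
    # Default gateway first: a DHCP regression usually shows up there.
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
           Sort-Object RouteMetric | Select-Object -First 1).NextHop
    $targets = @()
    if ($gw) { $targets += [pscustomobject]@{ Scope = 'gateway'; Target = $gw } }
    $targets += $InsideHosts  | ForEach-Object { [pscustomobject]@{ Scope = 'inside';  Target = $_ } }
    $targets += $OutsideHosts | ForEach-Object { [pscustomobject]@{ Scope = 'outside'; Target = $_ } }
    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Target -WarningAction SilentlyContinue
        [pscustomobject]@{
            Scope = $t.Scope; Target = $t.Target; Ping = $r.PingSucceeded
            RttMs = $r.PingReplyDetails.RoundtripTime; Interface = $r.InterfaceAlias
        }
    }
}

function Save-SmokeTestBaseline {
    param([string]$OutDir = $env:TEMP)
    # Build + UBR identifies the exact patch level, e.g. 22621.2283, so the file
    # name tells you which side of the update the run came from.
    $ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $ver.CurrentBuildNumber, $ver.UBR
    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Build = $build; Taken = (Get-Date).ToString('s')
        Drivers  = @(Get-PrinterDriverReport)
        TestPage = @(Invoke-PrinterTestPage)
        Network  = @(Test-NetworkSmoke)
    }
    $path = Join-Path -Path $OutDir -ChildPath ('smoke-{0}-{1}.json' -f $env:COMPUTERNAME, $build)
    $result | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    $path
}

Save-SmokeTestBaseline
```

Run it once before the update and once after; the two JSON files differ in build number, and comparing the Drivers, TestPage and Network arrays (for example with Compare-Object on the converted objects) gives the "delta" between builds without a commercial testing platform. This covers the mechanical checks only; watermarking, RDP/VPN printing and line-of-business applications still need the application owner's UAT sign-off.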
Product Family Breakdown
Browsers:
Microsoft did not ship browser updates as part of this Patch Tuesday release. Separately, Google Chrome has dropped support for older Windows versions, so browsers on those builds no longer receive security fixes and should be treated as a migration item rather than a patching one.
Windows:
One critical update and 20 important updates for various Windows components were released. Given the network stack changes, it's highly advisable to conduct network stack testing before general deployment.
Microsoft Office:
No critical updates for Office, but seven important updates and one moderate update were released. An information disclosure vulnerability in Microsoft Word (CVE-2023-36761) has been publicly disclosed and is reported as exploited in the wild; it carries only an "important" rating, so do not let severity-based triage push it down the queue. Patch it immediately.
Microsoft Exchange Server:
Five important updates for Microsoft Exchange Server were released. The Exchange security update requires a server reboot, so plan a maintenance window as part of this month's patch cycle.
Microsoft Development Platforms:
Three critical-rated patches and 12 additional patches for Visual Studio and .NET were released. These carry a "Patch Now" recommendation because the critical ones can lead to remote code execution; remember that developer workstations and build agents with Visual Studio installed are often outside the regular endpoint patch ring.
Third-Party Applications:
Notable third-party applications requiring updates include Notepad++, Adobe Acrobat, Google Chrome, and Zscaler. This underlines the growing trend of managing third-party application updates as a critical security measure.
Top Q&A
Which critical update should we prioritize this month?
Prioritize the publicly disclosed and actively exploited Word vulnerability CVE-2023-36761 first, regardless of its "important" rating. Among the critical updates, prioritize the patches for Microsoft development platforms, particularly CVE-2023-36796, CVE-2023-36793, and CVE-2023-36792, as they can lead to serious remote code execution.
Are there any known issues with this month's updates?
Yes, there are known issues, including problems with Windows Server 2022 on VMware ESXi and display issues with SharePoint Server 2019 under specific circumstances. Make sure to review the details and follow recommended solutions.
What changes are happening with third-party printer drivers?
Microsoft is phasing out servicing of legacy third-party printer drivers in favour of its inbox support for Mopria-compliant printer devices over network and USB interfaces. The phase-out was announced in September 2023 and is staged over several years: existing drivers keep working, but the change affects which drivers Microsoft publishes and ranks through Windows Update, so inventory your third-party drivers now and plan the move to class drivers.
Are there any notable third-party application updates this month?
Yes, Notepad++, Adobe Acrobat, Google Chrome, and Zscaler have important updates addressing various security vulnerabilities. Stay vigilant and keep these applications up-to-date.
How can I ensure the security of my systems in light of these updates?
Stay proactive by following the recommended testing guidance, prioritizing critical updates, and regularly patching both Microsoft and third-party applications. Security is an ongoing process, so make it a routine part of your IT strategy.
Remember, staying informed and vigilant is crucial in maintaining a secure and efficient IT environment. Keep an eye on future updates and adapt your patching and testing processes accordingly to stay protected.
Understanding Key Terms and Acronyms:
In the world of software updates and security, several important terms and acronyms are frequently used. Let's take a closer look at some of the key terms and what they stand for:
CVE: CVE stands for Common Vulnerabilities and Exposures. It is a standardized system for identifying and naming security vulnerabilities in software and hardware. Each CVE entry is assigned a unique identifier, making it easier for security professionals and organizations to track and address vulnerabilities.
VMware ESXi: VMware ESXi is a type-1 hypervisor that serves as the foundation for virtualized environments. It allows multiple virtual machines (VMs) to run on a single physical server. ESXi stands for Elastic Sky X Integrated.
ULS Logs: ULS stands for Unified Logging System. In the context of SharePoint Server, ULS logs are detailed records of events and activities occurring within the SharePoint environment. These logs are valuable for troubleshooting and monitoring SharePoint-based systems.
DHCP: DHCP stands for Dynamic Host Configuration Protocol. It is a network protocol used to automatically assign IP addresses and other network configuration settings to devices in a TCP/IP network. DHCP simplifies network administration by eliminating the need for manual IP address assignments.
RDP: RDP stands for Remote Desktop Protocol. It is a proprietary protocol developed by Microsoft that allows users to connect to and control remote computers over a network connection. RDP is commonly used for remote desktop access and administration.
VPN: VPN stands for Virtual Private Network. It is a technology that establishes a secure, encrypted connection (tunnel) over a public network, such as the internet. VPNs are used to ensure privacy and security when transmitting data between remote locations or devices.
ASP.NET Core: ASP.NET Core is an open-source, cross-platform web framework developed by Microsoft. It is used for building modern, high-performance web applications and services. ASP.NET stands for Active Server Pages .NET.
.NET Core: .NET Core is an open-source, cross-platform framework for building applications that can run on Windows, Linux, and macOS. It is a part of the larger .NET ecosystem, and it offers flexibility in developing various types of applications.
GDI.DLL: GDI.DLL refers to the Graphics Device Interface Dynamic Link Library. It is a component of the Microsoft Windows operating system responsible for rendering graphical elements on the screen. Changes to this library can impact graphics handling in Windows.
Mopria: Mopria is an alliance of printer and scanner manufacturers that promotes standards and solutions for universal printing and scanning. In the context mentioned in the blog, Mopria compliance simplifies printer driver management in Windows.
CRUD: CRUD is an acronym representing the four basic data operations: Create, Read, Update, and Delete. In the testing context above it means checking that, after the update, the system can still perform these operations (plus Extend) on its logs and data.
WDAC: WDAC stands for Windows Defender Application Control. It is a security feature in Windows that helps protect against malware and unauthorized software by controlling which applications are allowed to run on a system.