Patch now to address a Windows zero-day

Microsoft has addressed 97 existing vulnerabilities this April Patch Tuesday, with a further eight previously released patches updated and re-released. There have been reports of a vulnerability (CVE-2023-28252) exploited in the wild, making it a “Patch Now” release.

This update cycle affects Windows desktops, Microsoft Office, and Adobe Reader. No updates for Microsoft Exchange this month. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this April update cycle.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.

• Windows 11 22H2: After installing this or later updates, Windows devices with some third-party UI customization apps might not start up. Microsoft is currently investigating this issue.
• Updates released February 14, 2023 or later might not be offered from some Windows Server Update Services (WSUS) servers to Windows 11, version 22H2. The updates will download to the WSUS server but might not propagate further to client devices. Microsoft is working on this issue. An update is expected soon.

And for those gaming cowboys out there, it appears that Red Dead Redemption 2 is dead on arrival — at least for this April update. For those IT administrators who copy large files on Windows 11 systems (we know who you are), you are just going to have to wait (a little longer), as there is still a buffering problem for multigigabit network transfers on Microsoft’s latest desktop OS.

Major revisions

This month Microsoft has published several major revisions for previous updates including:

• CVE-2023-28260: .NET DLL Hijacking Remote Code Execution Vulnerability. This security patch has been updated to support PowerShell 7.2/7.3.
• CVE-2023-21722, CVE-2023-21808: .NET Framework Denial of Service Vulnerability. Microsoft has re-released KB5022498 to address a known issue where customers who installed the .NET Framework 4.8 February cumulative update (KB5022502), then upgraded to .NET Framework 4.8.1 and subsequently scanned for updates, were unable to install KB5022498. Customers who were unable to install KB5022498 should rescan for updates and install the update. Customers who have already successfully installed KB5022498 do not need to take any further action.
• CVE-2023-23413, CVE-2023-24867, CVE-2023-24907, CVE-2023-24909: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability. The following changes were made to this CVE report’s description: 1) Added FAQ to explain how an attacker could exploit this Remote Code Execution vulnerability. 2) Removed incorrect CVSS metric FAQs. These are informational changes only.
• CVE-2023-28303: Windows Snipping Tool Information Disclosure Vulnerability. Added an FAQ to explain how to get the update from the Microsoft Store if automatic updates for the store are disabled. This is an informational change only.

Mitigations and workarounds

Microsoft has published the following vulnerability related mitigations for this month’s April Patch Tuesday release cycle:

• CVE-2023-23397: To mitigate against this Microsoft Outlook elevation of privilege vulnerability, Microsoft recommends, “Administrators should add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM.” The Readiness team recommends that the TCP port 445 (outbound) is blocked until this vulnerability is addressed by an official Microsoft patch.

Testing guidance

Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows desktop platforms and application installations.

Given the large number of changes included in this April patch cycle, I have broken down the testing scenarios into standard and high-risk profiles.

• Test your network connectivity (use the web and Teams) with a VPN and dial-up (PPPoE and SSTP).
• Test your Bluetooth connections. Just for fun, try printing from Bluetooth. OK, that isn’t funny.
• When testing your VPN and IKEv2 and L2TP, ensure that the testing profile includes a connectivity check.
• Test out sound/audio over RDP desktop sessions.

High risk

Microsoft has made some significant changes to how the SQLOLEDB component functions. SQLOLEDB is a core Microsoft component that handles SQL to OLE API calls. This is not the first time that this key data-focused component has been patched by Microsoft, with a major update just last September. The Assessment team at Readiness highly recommends an application portfolio scan for all applications (and their dependencies) that include references to the Microsoft library SQLOLEDB.DLL. Scanning application packages for ODBC references will raise a lot of “noise” and so the library dependency check is preferred in this instance. Once done, database connectivity tests should be conducted, and we suspect (most importantly) that these tests should be done over a VPN or a less stable internet connection.

All these (both standard and high-risk) scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to the SQL connectivity testing requirements, we also suggest the following “smoke” tests for your systems:

• Test out the Windows on-screen keyboard (OSK).
• Test booting your Windows desktop systems from a RAM disk.
• Test the Windows logging system (CLFS) with a create/read/update/delete test (CRUD).

We also must consider the latest update for Adobe Reader this month, so please include a printing test in your deployment effort.

Updates by product family

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge)
• Microsoft Windows (both desktop and server)
• Microsoft Office
• Microsoft Exchange Server
• Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
• Adobe (retired???, maybe next year)

Browsers

This April patch cycle sees the return of patches to the Microsoft Edge browser platform with just three updates (CVE-2023-28284, CVE-2023-24935, and CVE-2023-28301), all rated as low by Microsoft. In addition, Microsoft has published 14 Chromium Edge browser updates, which should have minimal deployment risks. Add these updates to your standard patch release schedule.

If you have the time, there is a great post from the Chromium project group on how they are improving the performance of all Chromium browsers.

Windows

This April, Microsoft released seven critical updates and 71 patches rated as Important to the Windows platform that cover the following key components (for the critical updates):

• Microsoft Message Queuing
• Windows Layer 2 Tunneling Protocol
• Windows DHCP Server

Unfortunately, this month there have been reports of a vulnerability (CVE-2023-28252) exploited in the wild, adding to our zero-day count. Add this update to your “Patch Now” release schedule.

Microsoft Office

No critical updates for the Microsoft Office product group this month. Microsoft has provided five updates rated as Important to Microsoft Publisher and SharePoint addressing spoofing and remote code execution security vulnerabilities. Add these Office updates to your standard release schedule.

Microsoft Exchange Server

It is said that April is the cruellest month, but I am not so sure, as there are no updates from Microsoft for the Microsoft Exchange Server product group this month. This should put some spring in your step.

Microsoft development platforms

Microsoft has released just six updates to Visual Studio and .NET (6.X/7.x) for this April patch cycle. These patches address vulnerabilities with low or important ratings by Microsoft and therefore can be added to your standard developer release schedule.

Adobe Reader (the cat has come back)

We have Adobe Reader updates for this April update cycle. I really thought that we were done with Reader updates, but here we are with a Priority 3 (the lowest rating from Adobe) update (APSB 23-24) that affects all versions of Adobe Reader and addresses several memory leak security vulnerabilities. Add this update to your standard third-party application deployment effort.