This month, Microsoft has released 103 updates to Windows, Edge, Microsoft Office, and Exchange Server. This update also includes minor updates to Visual Studio. Three zero-days (CVE-2023-44487, CVE-2023-36563 and CVE-2023-41763) require “Patch Now” updates for both Windows and the Edge browser for this October update cycle.
Microsoft has also updated its patch release and notification system with support for RSS feeds and has published its latest Digital Defense Report for this year. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this October update cycle.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.
Microsoft Server 2022: After installing this month’s update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Microsoft and VMware are both investigating this issue, but there is no published resolution at the time of writing.
Major revisions
Microsoft has published one major revision this month:
CVE-2023-36794: In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3, as these versions of Visual Studio are also affected by the vulnerability. No further action is required.
Mitigations and workarounds
Microsoft has published the following vulnerability related mitigations for this month’s Patch Tuesday release cycle:
There are 15 Microsoft Message Queue updates this month, each with a published mitigation from Microsoft that notes, “if the Message Queuing service is enabled and listening on port 1801, then your system is vulnerable.”
Microsoft offers some limited advice on OLE related vulnerabilities (e.g., CVE-2023-36730) this month with advice to only connect to trusted servers.
Some may question the efficacy of these proffered mitigations.
Testing guidance
Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
One of the hardest areas on the Windows platform (both desktop and server) to update is the Windows Kernel subsystem. This core subsystem manages security, access to low-level services, drivers, and the Hardware Abstraction Layer (HAL). Given its importance, the Kernel layer is key to delivering most services and applications on Windows. Changing this core system generally translates to a high-risk of a component, service, or application not behaving as expected. Thus, testing is key and also very difficult to do right.
This month Microsoft has updated both the Kernel and GDI subsystems at a core…
2023-10-13 16:24:03
Original from www.computerworld.com rnrn