Microsoft released 59 updates in its September Patch Tuesday release, with critical patches for Microsoft Office and Visual Studio, and continued the trend of including non-Microsoft applications in its update cycle. (Notepad++ is a notable addition, with Autodesk returning with a revised bulletin.) We’ve made “Patch Now” recommendations for Microsoft development platforms (Visual Studio) and Microsoft Word.
Unfortunately, updates for Microsoft Exchange Server have also returned, requiring server reboots this time, too.
The team at Readiness has created this infographic outlining the risks associated with each of the September updates.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle:
After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. VMware has published an article (KB90947) on how to resolve the issue.
New security enhancements in SharePoint Server (2019) might prevent custom .aspx files from being displayed under certain circumstances. Browsing to such a page generates a “92liq” event tag in SharePoint Unified Logging System (ULS) logs.
Major revisions
Microsoft published the following major revisions this month:
CVE-2023-41303: Use-after-free vulnerability in Autodesk® FBX® SDK 2020. This is an information update (note that this third-party application update does not have an updated release log — naughty Microsoft). No further action required.
CVE-2023-20569: Return Address Predictor. The affected products table has been updated to include Azure Virtual Machines, as customers who use custom maintenance controls are affected by CVE-2023-20569 and are required to take action to protect their resources.
CVE-2023-21709, CVE-2023-35368, CVE-2023-35388, CVE-2023-38185, CVE-2023-38181 and CVE-2023-38182: Microsoft Exchange Server Elevation of Privilege Vulnerability. The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.
And it looks as if Microsoft “missed” a CVE last month — CVE-2023-36769 for OneNote, which has now been updated and included in this month’s updates.
Mitigations and workarounds
Microsoft published the following vulnerability-related mitigations for this release cycle:
CVE-2023-38162, CVE-2023-38152, CVE-2023-36081: DHCP Server Service Information Disclosure Vulnerability. Microsoft helpfully notes that if you have not enabled DHCP on your servers, you’re not exposed to this vulnerability.
CVE-2023-38148: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. Similarly, if you have not enabled this feature, you’re not exposed.
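The two mitigation notes above depend on whether the DHCP Server role or ICS is in use on a host. The following PowerShell triage check is an added example, not part of the original article or of Microsoft's guidance. It assumes that "enabled" can be approximated by role and service state on the local machine, using the service names DHCPServer and SharedAccess. The function name Get-SeptemberMitigationExposure is hypothetical.

```powershell
# Added example: local triage for the DHCP Server and ICS mitigation notes.
# Assumption: role/service state is used as a proxy for "feature enabled".
function Get-SeptemberMitigationExposure {
    $results = @()

    # DHCP Server: CVE-2023-38162, CVE-2023-38152, CVE-2023-36081
    # Get-WindowsFeature only exists on Windows Server (ServerManager module).
    $dhcpRole = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $dhcpRole = Get-WindowsFeature -Name DHCP
    }
    $dhcpSvc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    $dhcpInstalled = ($null -ne $dhcpSvc) -or ($dhcpRole -and $dhcpRole.Installed)
    $results += [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Component = 'DHCP Server'
        CVEs      = 'CVE-2023-38162, CVE-2023-38152, CVE-2023-36081'
        Installed = [bool]$dhcpInstalled
        Running   = [bool]($dhcpSvc -and $dhcpSvc.Status -eq 'Running')
    }

    # Internet Connection Sharing: CVE-2023-38148
    # The SharedAccess service backs ICS; a stopped or disabled service means
    # sharing cannot currently be active on this host.
    $icsSvc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Component = 'Internet Connection Sharing'
        CVEs      = 'CVE-2023-38148'
        Installed = [bool]$icsSvc
        Running   = [bool]($icsSvc -and $icsSvc.Status -eq 'Running')
    }

    # Prioritize patching where the component is actually running.
    foreach ($r in $results) {
        $priority = if ($r.Running) { 'Patch first' }
                    elseif ($r.Installed) { 'Present but not running' }
                    else { 'Not present' }
        $r | Add-Member -NotePropertyName Priority -NotePropertyValue $priority -PassThru
    }
}

Get-SeptemberMitigationExposure | Format-Table -AutoSize
```

A "Not present" or "Present but not running" result only lowers the priority for that component; the cumulative update should still be installed.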
Testing guidance
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable…
2023-09-17 12:00:03
Link from www.computerworld.com