Microsoft’s latest Patch Tuesday update tackles four critical zero-day vulnerabilities, specifically CVE-2024-38014, CVE-2024-38217, CVE-2024-43491, and CVE-2024-38217. The update comprises 79 patches addressing issues across the Windows ecosystem but did not include updates for Microsoft Exchange Server or its development tools like Visual Studio or .NET. Additionally, two critical and nine important updates were released for Microsoft Office, focusing on a vulnerability in Microsoft Publisher that was recently exploited.
There is an emphasis on extensive testing for this month’s patches for Microsoft SQL Server, impacting both server and desktop components, particularly concerning application installs due to modifications in Microsoft Installer’s handling of changes and installation rollbacks.
The team at Readiness has developed an informative infographic detailing the risks linked to each update.
Microsoft has also released a list of known issues impacting the operating systems and platforms covered under the updates, which included two minor problems in September.
Due to recent changes to Windows Installer, User Account Control (UAC) no longer prompts for credentials during application installation repairs. This behavior will be restored in the update scheduled for September 2024, necessitating updates to your scripts if they have not been adjusted to accommodate these changes.
While Microsoft has provided documentation on how to disable this feature in UAC, it is advised to adapt to this new recommended practice.
This month, Microsoft has released major revisions for previous security and feature updates. Additionally, an unusual patch revision has been included, which is not strictly related to documentation. It pertains to CVE-2024-38063, describing a Windows TCP/IP Remote Code Execution Vulnerability. This critical network patch, though an update to an earlier version, requires thorough testing as if it were entirely new. System administrators should approach this latest patch with caution and perform comprehensive tests before redeploying.
Testing guidelines
Every month, the Readiness team reviews the most recent Patch Tuesday releases and offers specific testing advice which is informed by an extensive application portfolio and a comprehensive review of the patches and their anticipated effects.
For September, we have organized the crucial updates and necessary testing activities into separate product and functional categories including:
Microsoft has issued several updates to the Microsoft SQL Server platform that impact both Windows desktops and SQL Server installations.
Due to the recent updates in SQL Server for September, it’s important to thoroughly test both the patch and the patching process, especially focusing on the removal aspect. Testing is vital because it is preferable to a complete restore from backup.
This month, Microsoft has prioritized security improvements in networking and memory management in Windows updates:
A crucial update was made to the MSI Installer (application installer) subsystem. This update necessitates application installation level testing across your software portfolio. This includes changes to how shell links are processed within the storage subsystem, potentially leading to unexpected behaviors in redirected folders or shortcuts during installation in secure or restricted environments.
It is advised to ensure installations, rollbacks, un-installations, and UAC verifications are examined this month. A key practice is to check for “zero” exit codes in the MSI Installer logs to confirm success.
This section highlights critical updates, notable feature removals, and security implementations across the Windows desktop and server platforms.
This month, no mitigations or workarounds were provided by Microsoft.
We analyze the update cycle monthly by categorizing it into product families (as defined by Microsoft) with primary groupings as follows:
The synchronicity of Microsoft’s Edge browser with Patch Tuesday has ceased; notable updates were made to Microsoft’s Chromium-based browser, addressing the reported vulnerabilities:
Once we are done with the Microsoft updates, we can focus on these Chromium patches:
After checking for compatibility or suitability challenges presented by these changes, we have not seen anything in the Edge or Chromium update that could affect most enterprise deployments. Add these browser updates to your standard release schedule.
Windows
Microsoft released two critical rated updates to the Windows platform (CVE-2024-38119 and CVE-2024-43491) and 43 patches rated important. The following Windows features have been updated:
The main worry revolves around three specific security flaws (CVE-2024-38014, CVE-2024-38217, and CVE-2024-43491) that are currently being exploited. Additionally, another vulnerability (CVE-2024-38217) linked to the Windows HTML subsystem has been disclosed publicly. Considering these vulnerabilities, it is crucially recommended to prioritize these updates in your immediate patching plans.
Microsoft has also remedied two severe issues on its SharePoint platform (CVE-2024-38018 and CVE-2024-43464), which demand urgent attention. Furthermore, there are nine other updates deemed important impacting Microsoft Office, Publisher, and Visio. Notably, CVE-2024-38226, influencing Publisher, has been actively exploited, according to Microsoft. If Publisher is not utilized within your applications, these updates should be included in your regular patching schedule.
This period also presents a substantial update series for Microsoft SQL Server, involving 15 updates, each classified as important. There are no indications of public disclosures or active exploitations concerning these patches, which address various significant vulnerabilities.
Given the extensive testing involved this month, impacting both server and client systems, these SQL Server updates should also be scheduled for standard deployment.
No development tools or features (Microsoft Visual Studio or .NET) have been updated this month.
This month, the update scenario is unusual for Adobe Reader. Typically, an Adobe Reader update is released on Windows platforms through Microsoft. This time, that isn’t the case.
Adobe Reader has received an update APSB24-70, but it was not rolled out via the usual Microsoft release. The latest update for Adobe Reader fixes two critical memory-related security vulnerabilities and should be integrated into your standard application release cycle.
Welcome to DediRock, your trusted partner in high-performance hosting solutions. At DediRock, we specialize in providing dedicated servers, VPS hosting, and cloud services tailored to meet the unique needs of businesses and individuals alike. Our mission is to deliver reliable, scalable, and secure hosting solutions that empower our clients to achieve their digital goals. With a commitment to exceptional customer support, cutting-edge technology, and robust infrastructure, DediRock stands out as a leader in the hosting industry. Join us and experience the difference that dedicated service and unwavering reliability can make for your online presence. Launch our website.