This is my 211th Patch Tuesday in a role where I’m performing a complete analysis of the released Microsoft patches. It’s amusing to me to see what has changed and what has stayed the same. We still see things like Windows Kernel, Windows GDI, and .NET on the list of patches, but 211 Patch Tuesdays ago, no one would have expected patches for Azure services. 211 Patch Tuesdays ago, nobody would have expected to see Linux patches included in Microsoft content. Today, however, these are the norm and it means that much more effort must be put in by administrators and operations teams. At the time, you had to deal with patches for your Microsoft software. Shortly after that, Adobe joined Microsoft on the Patch Tuesday cadence and you had to update your Adobe software. Now, it’s not just your Windows sysadmin that cares about Patch Tuesday – your CloudOps engineers, Linux admins, and Mac admins all need to pay attention as well. The mental load of breaking down what you and your organization need to do has greatly increased, while the information provided has been streamlined. Unfortunately, while Microsoft has streamlined that content over the past 6 years, they’ve also diluted it and bits and pieces of information slipped away. With more tooling and better automation, there is still an added complexity to Patch Tuesday that didn’t exist when I first started analyzing the patches. This is why administrators and operations teams need to look to their vendors, their cybersecurity allies, to assist them with breaking down the work and effort required to fully secure their environments.
One recent change that I’ve noticed with Microsoft is that they are distinguishing between Microsoft CVEs and non-Microsoft CVEs. This month, there are 59 Microsoft CVEs and 7 non-Microsoft CVEs and you’ll see a lot of write-ups indicate that there are “59 vulnerabilities this month.” This is incorrect. There are 66 vulnerabilities this month but Microsoft is distinguishing between code they develop and code that they consume and redistribute. There is no difference to the end user and it is important that everyone ensure they understand exactly how many vulnerabilities they are dealing with today.
This month, there are two vulnerabilities listed as ‘Exploit Detected.’ CVE-2023-36761 is an information disclosure vulnerability in Microsoft Word that could lead to the disclosure of NTLM hashes. Given the risks associated with NTLM hash exposure and the fact that this has been disclosed publicly, I would want to patch this vulnerability as quickly as possible. I wouldn’t be surprised if we see a spike in malicious Word documents in the near future. The second vulnerability, CVE-2023-36802, impacts the Microsoft Streaming Service Proxy. Essentially, this is a Windows patch. Given that exploitation has been detected, I would also put this at the top of my list when applying patches.
In addition to Microsoft’s patch drop, Adobe has also released updates today, including APSB23-34, which fixes CVE-2023-26369, a vulnerability that has seen active exploitation recently. For a while, Adobe and Microsoft updates were commonly announced together, but these days I find that Adobe security announcements don’t seem to be communicated as broadly.
One thing that interests me is that there’s some level of mental load involved in tracking all of the vulnerabilities that were resolved today. It is no longer a matter of applying patches and maybe changing a registry key. Some of the updates have already been released, some involve a manual process, others are just informational because the update process is automated.
For example, CVE-2023-38163, a vulnerability impacting Windows Defender, did not affect the malware protection engine as is usually the case. Instead, the definition updates were affected, and you simply need to ensure that you are on the latest version of the signatures.
Another example is CVE-2023-36736, which impacts the Microsoft Identity Linux Broker, a component of Azure AD, which has updates available for Ubuntu via ‘apt upgrade’.
While not the vulnerabilities with the highest rating today, these types of vulnerabilities require a bit more thought and planning than simply pushing updates with WSUS or hitting the Windows Update button.
With Microsoft truly becoming a cross-platform vendor, it is critical that Windows, Linux, and Mac system administrators as well as CloudOps and DevOps engineers all coordinate to tackle the Patch Tuesday workload these days. With a vulnerability that impacts a cloud service’s local components, it is important to know who the business owner is and who is ultimately responsible for ensuring that all updates are applied as soon as possible and as completely as possible.
As Microsoft has shifted over the years from Security Bulletins to MSRC Security Guidance, there have been a lot of vocal opponents, myself included, to the shift in information availability. One positive change, however, was the inclusion of the MSRC CVRF API. This API has become critical to numerous organizational workflows. Major vendors like Microsoft providing these types of tools to the security community ensures that communication failures or misinformation do not result in dangerous lapses in an organization’s security posture. This month, Microsoft’s API was delayed in updating without any communication regarding the delays. Thankfully, the delay was minimal, but it emphasizes the importance of a strong line of communication with data consumers.
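To make the counting point from earlier concrete (59 Microsoft CVEs plus 7 non-Microsoft CVEs is 66, not 59) and to show why a machine-readable feed matters for triage, here is an added example, not code from the original post or from Microsoft. It parses a constructed document in a simplified CVRF-like layout (the field names, the "CNA" attribution field and the "Exploited:Yes" threat string are assumptions, not a specification of the real MSRC API output), counts Microsoft versus non-Microsoft CVEs, and lists the entries that should go to the top of the patch list.

```python
import json
from collections import Counter

# Constructed sample document in a simplified CVRF-like layout. The field
# names (CVE, CNA, Title, Threats with Type 3 exploit-status strings) are an
# assumption for this example, not a spec of the real MSRC API output.
SAMPLE_DOC = json.dumps({
    "DocumentTitle": {"Value": "Sample Security Updates (constructed)"},
    "Vulnerability": [
        {"CVE": "CVE-2023-36761", "CNA": "Microsoft",
         "Title": {"Value": "Microsoft Word Information Disclosure Vulnerability"},
         "Threats": [{"Type": 3, "Description": {"Value": "Publicly Disclosed:Yes;Exploited:Yes"}}]},
        {"CVE": "CVE-2023-36802", "CNA": "Microsoft",
         "Title": {"Value": "Microsoft Streaming Service Proxy Vulnerability"},
         "Threats": [{"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:Yes"}}]},
        {"CVE": "CVE-2023-38163", "CNA": "Microsoft",
         "Title": {"Value": "Windows Defender Vulnerability (definition update)"},
         "Threats": [{"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:No"}}]},
        {"CVE": "CVE-YYYY-NNNNN", "CNA": "ThirdParty",  # placeholder non-Microsoft CVE
         "Title": {"Value": "Redistributed third-party component (placeholder)"},
         "Threats": [{"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:No"}}]},
    ]
})

def parse_threat_flags(vuln):
    """Flatten 'Key:Value;Key:Value' exploit-status strings into a dict."""
    flags = {}
    for threat in vuln.get("Threats", []):
        if threat.get("Type") != 3:  # assumed: Type 3 carries exploit status
            continue
        for pair in threat["Description"]["Value"].split(";"):
            key, _, value = pair.partition(":")
            flags[key.strip()] = value.strip()
    return flags

def triage(doc_json):
    """Count CVEs by attribution and return the ones to patch first."""
    doc = json.loads(doc_json)
    counts = Counter()
    urgent = []
    for vuln in doc["Vulnerability"]:
        counts["microsoft" if vuln.get("CNA") == "Microsoft" else "non_microsoft"] += 1
        flags = parse_threat_flags(vuln)
        # Exploited or publicly disclosed entries go to the top of the list.
        if flags.get("Exploited") == "Yes" or flags.get("Publicly Disclosed") == "Yes":
            urgent.append(vuln["CVE"])
    return {"total": sum(counts.values()), "microsoft": counts["microsoft"],
            "non_microsoft": counts["non_microsoft"], "urgent": sorted(urgent)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DOC), indent=2))
```

The "total" figure is what an administrator should report; the Microsoft/non-Microsoft split only matters for who owns the fix, not for whether the update is required.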