Addressing four zero-day flaws (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491, and CVE-2024-38217 again), this month’s Patch Tuesday release from Microsoft covers 79 updates for the Windows platform. Notably, there are no updates for Microsoft Exchange Server or for the company’s development tools such as Visual Studio or .NET. Also included are two critical updates and nine important patches for Microsoft Publisher and Microsoft Office, among them a fix for a vulnerability in Microsoft Publisher that was recently exploited.
Significant testing is required this month for the Microsoft SQL Server patches, which affect both server and client components, and for application installations, because the Microsoft Installer’s handling of changes and rollbacks has been adjusted.
The experts at Readiness have developed a helpful infographic that details the risks associated with each of this month’s updates.
Microsoft typically releases a list of known issues associated with the operating systems and platforms affected by each update; for September the list includes the following minor issue:
Due to recent changes to Windows Installer, User Account Control (UAC) no longer prompts for credentials during application installation repairs. Following the update scheduled for September 2024, UAC will resume its normal operation of prompting when necessary. It is important to update your scripts to accommodate this alteration if you have not done so already.
While Microsoft has published guidance for working around this issue by disabling the relevant UAC feature, we advise keeping the credential prompt in place, as that behaviour aligns with current best practice.
This month, Microsoft rolled out significant updates to its previous security and feature modifications, detailing:
In an unusual move, there is a patch revision this month that extends beyond mere documentation updates. The revision concerns CVE-2024-38063 (Windows TCP/IP Remote Code Execution Vulnerability), marking a critical network patch that demands testing as though it were a fresh update. System administrators are encouraged to approach this patch with utmost seriousness and conduct thorough testing prior to any deployment or redeployment.
Testing guidelines
Each month, the Readiness team examines the latest Patch Tuesday releases and provides comprehensive testing recommendations. These are informed by an extensive application portfolio and meticulous evaluation of the updates and their implications.
For September, we have organized critical updates and the necessary testing requirements into distinct product and operational categories including:
Microsoft issued multiple updates for the Microsoft SQL Server environment that impact both Windows desktops and SQL Server configurations.
Due to the nature of this September SQL Server update, we highly recommend testing both the patch itself and the patching process, with a particular focus on the patch REMOVAL process. We understand that this will require time, skill, and effort, but it will cost far less than a full restore from backup.
Microsoft has prioritized addressing networking and memory handling security issues this month, implementing the following changes to Windows:
Microsoft issued an important update to the MSI Installer (application installer) subsystem which necessitates application-level testing across your software portfolio. This update particularly impacts how shell links are managed within the storage system, potentially causing issues with redirected folders or shortcuts during installation, especially in secure or restricted environments.
We advise ensuring that installations, rollbacks, uninstallations, and UAC verifications are thoroughly tested this month. Monitoring for zero (success) exit codes in the MSI Installer logs is recommended as a preliminary check.
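The following PowerShell harness is an added example, not code from the original article or from Microsoft, showing one way to exercise the install, repair, uninstall and reinstall paths of a single MSI package on a test machine while keeping a verbose log per phase and flagging any non-success exit code or failed action. The package path and log directory are placeholders; the UAC credential-prompt check is left as a manual step from a standard-user session, since a silent (/qn) run cannot answer a prompt.

```powershell
# Added example (not from the original article or Microsoft): MSI regression harness.
# Assumptions: run elevated on a TEST machine; $PackagePath and $LogDir are placeholders.
param(
    [Parameter(Mandatory)][string]$PackagePath,   # e.g. C:\Test\YourApp.msi (placeholder)
    [string]$LogDir = "$env:TEMP\msi-tests"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Success codes from the Windows Installer documentation:
# 0 = ERROR_SUCCESS, 1641 = reboot initiated, 3010 = reboot required.
$SuccessCodes = 0, 1641, 3010

function Invoke-MsiPhase {
    param([string]$Phase, [string[]]$MsiArgs)
    $log  = Join-Path $LogDir "$Phase.log"
    $proc = Start-Process msiexec.exe -ArgumentList ($MsiArgs + @('/qn', '/L*v', "`"$log`"")) `
                -Wait -PassThru -NoNewWindow
    $code = $proc.ExitCode

    # Verbose MSI logs record a failed action as "Return value 3"; scanning for it
    # catches a phase that exits 0 even though one of its actions failed.
    $failedActions = Select-String -Path $log -Pattern 'Return value 3' -SimpleMatch
    $ok = ($SuccessCodes -contains $code) -and (-not $failedActions)

    '{0,-10} exit={1,-5} failed-actions={2,-3} {3}' -f $Phase, $code,
        @($failedActions).Count, $(if ($ok) { 'PASS' } else { 'FAIL' })
    if (-not $ok) { throw "Phase '$Phase' failed; inspect $log" }
}

# 1. Fresh install.
Invoke-MsiPhase -Phase install   -MsiArgs @('/i',  "`"$PackagePath`"")
# 2. Repair of all files: the path whose UAC prompting behaviour changed this month.
Invoke-MsiPhase -Phase repair    -MsiArgs @('/fa', "`"$PackagePath`"")
# 3. Uninstall, reinstall and clean up, so the remove and reinstall paths are both exercised.
Invoke-MsiPhase -Phase uninstall -MsiArgs @('/x',  "`"$PackagePath`"")
Invoke-MsiPhase -Phase reinstall -MsiArgs @('/i',  "`"$PackagePath`"")
Invoke-MsiPhase -Phase cleanup   -MsiArgs @('/x',  "`"$PackagePath`"")
```

A genuine mid-install rollback (as opposed to uninstall) only occurs when an install fails part way, so to cover that path run the harness against a package whose install is deliberately made to fail in the test environment and confirm the rollback log shows no lingering files or shortcuts.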
This section highlights critical updates, major feature deprecations, and security enhancements for Windows desktop and server platforms.
Microsoft has not released any mitigations or workarounds for this update cycle.
We categorize monthly updates by product families (as defined by Microsoft) into basic groupings:
Updates for Microsoft’s Edge browser are no longer aligned with Patch Tuesday schedules. Recent updates to the Chromium-based Edge browser have addressed various reported vulnerabilities:
Once we are done with the Microsoft updates, we can focus on these Chromium patches:
After checking for compatibility or suitability challenges presented by these changes, we have not seen anything in the Edge or Chromium update that could affect most enterprise deployments. Add these browser updates to your standard release schedule.
Windows
Microsoft released two critical rated updates to the Windows platform (CVE-2024-38119 and CVE-2024-43491) and 43 patches rated important. The following Windows features have been updated:
The real concern is that three of these vulnerabilities (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491) have been reported as exploited. Additionally, another vulnerability in the Windows HTML subsystem (CVE-2024-38217) has been reported as publicly disclosed. Given these four zero-days, we recommend that you add these Windows updates to your Patch Now release schedule.
Microsoft addressed two critical vulnerabilities in the SharePoint platform (CVE-2024-38018 and CVE-2024-43464) that will require immediate attention. There are nine other updates rated important that affect Microsoft Office, Publisher, and Visio. Unfortunately, CVE-2024-38226 (which affects Publisher) has been reported as exploited in the wild by Microsoft. If your application portfolio does not include Publisher (many don’t) then add these Microsoft updates to your standard patch release cycle.
This month brings a significantly larger update to the Microsoft SQL Server platform, with 15 updates, all rated important. There are no reports of public disclosures or active exploits, and these patches cover the following broad vulnerability classes:
Though there will be a significant testing profile this month, affecting both server and desktop systems, we suggest you add these SQL Server patches to your standard release schedule.
No updates were released this month for development tools such as Microsoft Visual Studio or .NET.
This month, the usual update process for Adobe Reader is different. Typically, an update for Adobe Reader is incorporated into Microsoft’s updates for Windows, but not this time.
Adobe Reader has received an update, available at APSB24-70, which is not part of the Microsoft release cycle. The latest update for Adobe Reader patches two critical vulnerabilities related to memory and is essential for inclusion in your regular application update protocol.