Microsoft released 59 updates in its September Patch Tuesday release, with critical patches for Microsoft Office and Visual Studio, and continued the trend of including non-Microsoft applications in its update cycle. (Notepad++ is a notable addition, with Autodesk returning with a revised bulletin.) We've made "Patch Now" recommendations for Microsoft development platforms (Visual Studio) and Microsoft Word.
Unfortunately, updates for Microsoft Exchange Server have also returned, requiring server reboots this time, too.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle:
- After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. VMWare has published an article (KB90947) on how to resolve the issue.
- New security enhancements in SharePoint Server (2019) might prevent custom .aspx files from being displayed under certain circumstances. Browsing to such a page generates a "92liq" event tag in SharePoint Unified Logging System (ULS) logs.
Microsoft published the following major revisions this month:
- CVE-2023-41303: Use-after-free vulnerability in Autodesk® FBX® SDK 2020. This is an information update (note that this third-party application update does not have an updated release log — naughty Microsoft). No further action required.
- CVE-2023-20569 Return Address Predictor. The affected products table has been updated to include Azure Virtual Machines, as customers who use custom maintenance controls are affected by CVE-2023-20569 and are required to take action to protect their resources.
- CVE-2023-21709, CVE-2023-35368, CVE-2023-35388, CVE-2023-38185, CVE-2023-38181 and CVE-2023-38182: Microsoft Exchange Server Elevation of Privilege Vulnerability. The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.
And it looks as if Microsoft "missed" a CVE last month — CVE-2023-36769 for OneNote, which has now been updated and included in this month's updates.
Mitigations and workarounds
Microsoft published the following vulnerability related mitigations for this release cycle:
- CVE-2023-38162, CVE-2023-38152, CVE-2023-36081: DHCP Server Service Information Disclosure Vulnerability. Microsoft helpfully notes that if you have not enabled DHCP on your servers, you're not exposed to this vulnerability.
- CVE-2023-38148: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. Similarly, if you have not enabled this feature, you're not exposed.
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and on application installations.
Given the large number of system-level changes in this patch cycle, I have broken down the testing scenarios into standard and high-risk profiles.
Microsoft made a major announcement this month about a significant change to how third-party printer drivers are handled,
"With the release of Windows 10 21H2, Windows offers inbox support for Mopria compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver. This removes the need for print device manufacturers to provide their own installers, drivers, utilities."
With this announcement, Microsoft also published an end to servicing legacy (V3 and V4) Windows printer drivers and offers the following support timeline.
- September 2023: Announce legacy third-party printer driver for Windows end of servicing plan.
- September 2025: No new printer drivers will be published to Windows Update.
- 2026: Printer driver ranking order modified to always prefer Windows IPP inbox class driver.
- 2027: Except for security-related fixes, third-party printer driver updates will no longer be allowed.
The assumption here is that all Windows printing providers will subscribe to the Mopria (an association of printer and scanner manufacturers that produce universal standards and solutions for scan and print) standard. This makes sense and will hopefully reduce the attack surface of printer drivers that have caused so much trouble over the years.
Due to this change in printer handling, the following tests are suggested:
- Test all your printers — with your full production testing regime (sorry about this).
- Enable different advanced printer features (e.g., watermarking) and run printing tests.
- Test your printing over RDP and VPN connections.
- Install/update/uninstall key printing software.
The following changes have not been raised as high risk (of unexpected outcomes) and do not include functional changes.
- Test your security restrictions/sandbox when using Microsoft Intune and Windows Defender Application control (WDAC). Applications should install and uninstall as expected.
- Ensure successful "CRUD" tests complete for your Windows error logs. This should include Create, Read, Update and Delete. Actually, this should read CRUDE — as we need to add “Extend” to this month's log testing regime. (Find the laughs where you can.)
- Test wireless displays on laptops; it's required by an update to the core graphics handling in Windows (GDI.DLL).
There has been a major update to the Windows networking stack, too. This includes changes to how DHCP handles failover relationships. Testing should include the following:
- Conduct ping request/reply tests (for both inside and outside your network).
- Ping major search engines (try Bing?) using both IPv4 and IPv.
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line of business applications, getting the application owner (doing UAT) to test and approve the results is still absolutely essential.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe Reader and Others (the new home for 3rd-party applications).
Microsoft did not release any updates for its browsers this month. As a sign of the times, Google Chrome has now “sunsetted” (deprecated in Microsoft terms) support for Windows 7/8/8.1 and Window Server 2012. For Google Chrome Enterprise users, there is now a handy release summary. My feeling is that we will be adding Google Chrome to the third-party update section found at the bottom of this report in the future.
Microsoft released a single critical update for the Windows platforms in this patch cycle (CVE-2023-38148). In addition, 20 patches rated important by Microsoft were released, covering the following Windows functional areas:
- Windows DHCP Server and the TCP/IP networking stack;
- Windows GDI and Kernel;
- Microsoft Windows Codecs Library and Windows Themes;
- Windows Common Log File System Driver.
Though it is a relatively lightweight set of patches for Windows, we highly recommend a network stack test before general deployment. Add these Windows updates to your standard release schedule.
For September, Microsoft did not release any critical updates to the Office platform. Instead, we see seven updates rated important and an additional single update rated moderate (CVE-2023-41764). Unfortunately, this month's zero-day vulnerability includes Microsoft Word (CVE-2023-36761) which has been publicly disclosed and reported as exploited in the wild. Add these Office updates (really just Word) to your "Patch Now" schedule.
Microsoft Exchange Server
Microsoft released five updates for Microsoft Exchange Server, all rated important by Microsoft. Combining both network and adjacent attack vectors, these vulnerabilities could lead to ID spoofing and remote code execution. There have not been any reports of exploits in the wild, nor public disclosures, so please add these to your standard release schedule. Note: this month's patch cycle will require a reboot of your Exchange Server.
Microsoft development platforms
This is a big month for updating the developer platforms. Microsoft released three critical rated patches (CVE-2023-36796, CVE-2023-36793 and CVE-2023-36792) that could lead to serious remote code execution scenarios with the simple click of a single malicious file. Once these critical issues are added to the 12 additional patches to Visual Studio and .NET, we must make an unusual "Patch Now" recommendation for these.
Adobe Reader and Others (the new home for 3rd-party applications)
Following the growing trend of managing third-party application updates, I will now include key applications that require updating each month. This used to focus on Adobe Reader, but for September now includes:
- Notepad++ 8.5.7 released with fixes for four security (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) vulnerabilities.
- Adobe Acrobat, with a serious memory (out-of-bounds) security vulnerability (CVE-2023-26369).
- Google Chrome, with a final update for Server 2012.
- Zscaler, with a File/Directories access issue (CVE-2023-41717) and cryptographic issue (CVE-2023-28801).
We expect more third-party applications to be included in the monthly update process in the future. Monthly patches, monthly application packaging and patching will become the new normal. Having a robust repackaging, testing and deployment process for your entire application portfolio will fast become a top priority.