Microsoft this week pushed out 61 Patch Tuesday updates with no reports of public disclosures or other zero-days affecting the larger ecosystem (Windows, Office, .NET). Though there are three updated packages from February, they’re just informational changes with no further action is required.
The team at Readiness has crafted this helpful infographic outlining the risks associated with each of the March updates.
Known issues
Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle; for March, there are two minor issues reported:
- Windows devices using more than one monitor might experience issues with desktop icons moving unexpectedly between monitors or see other icon alignment issues when attempting to use Copilot in Windows. Microsoft is still working on the issue.
- For Exchange Server, Microsoft published an advisory note: after you install the latest security update there is no longer support for the Oracle OutsideIn Technology (OIT) or OutsideInModule. For more information, see this service update.
February was not a great month for how Microsoft communicated updates and revisions. With March being an exceptionally light month for reported “known issues” for desktop and server platforms, our team found no documentation issues. Good job Microsoft!
Major revisions
This month, Microsoft published the following major revisions to past security and feature updates including:
- CVE-2024-2173, CVE-2024-2174, and CVE-2024-2176: Chromium: CVE-2024-2173 Out of bounds memory access in V8. These updates relate to recent security patches for the Chromium browser project at Microsoft. No further action required.
Mitigations and workarounds
Microsoft released these vulnerability-related mitigations for this month’s release cycle:
- CVE-2023-28746 Register File Data Sampling (RFDS). We are not certain how to categorize this update from Intel, as it relates to a hardware issue with certain Intel chipsets. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows update enables this third-party firmware-based mitigation. More information can be found here.
Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and application installations.
For this March cycle, we have grouped the critical updates and required testing efforts into different functional areas including:
Microsoft Office
- Visio will need to be tested for larger drawings. (CAD drawings are good candidates.)
- Microsoft SharePoint will require testing for the upload of files larger than 1GB.
- Excel will need a test of OLE embedded objects and all linked datasheet macros.
Microsoft .NET and Developer Tools
- PowerShell: The Get-StorageDiagnosticInfo has been updated, so check your DACL (Discretionary Access Control List) for the correct “resultant” settings (e.g. has the correct owner).
Windows
The following core Microsoft features have been updated, including:
- SQL OLE and ODBC: These updates will require a full test cycle of database (DB) connections, SQL commands. We advise running basic SQL commands and trying different SQL servers.
- Hyper-V: Test that virtual machines (VMs) start, shut down, pause, resume, and then turn off the machine.
- Printing: Both Version 4 (V4) and V3 printer connections will require basic testing
- Telephony and FAX: Microsoft TAPI APIs have been updated, so remember to test your FAXPress servers
- USB Drivers: A basic test of USB devices will be required with a “plug in, copy from and to the USB and detach” cycle.
- Compressed files: a minor update will require basic testing of .7z, far, tar, tar.gz files.
One of the key updates to the Windows file system this month is a change to how NTFS handles composite image files; Microsoft describes them as ”a small collection of flat files that include one or more data and metadata region files, one or more object ID files and one or more file system description files. As a result of their “flatness” CIMs are faster to construct, extract and delete than the equivalent raw directories they contain.”
Basic tests for this update should include creating, mounting, and browsing CIM objects.
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for line of business applications, getting the application owner (doing UAT) to test and approve the results is still absolutely essential.
This month, Microsoft made a major (general) update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio.
Windows lifecycle update
This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.
- Windows 10 21H2 will lose active support in 3 months (June 2024).
- Microsoft .NET Version 7 support ends in 2 months (May 2024).
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft Development platforms (NET Core, .NET Core and Chakra Core);
- Adobe (if you get this far).
Browsers
Microsoft has released three minor updates to the Chromium based browser (Edge) project this month (CVE-2024-1283, CVE-2024-1284 and CVE-2024-1059) with the following reported vulnerabilities:
- CVE-2024-1060 : Chromium: CVE-2024-1060 Use after free in Canvas.
- CVE-2024-1077 : Chromium: CVE-2024-1077 Use after free in Network.
- CVE-2024-21399 : Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.
In addition to these standard releases, Microsoft issued these “late” additions with its monthly browser update:
- CVE-2024-26163 : Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
- CVE-2024-26167: Microsoft Edge for Android Spoofing Vulnerability
- CVE-2024-26246: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
All these updates should have negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule.
Windows
In February, Microsoft released (another) two critical updates (CVE-2024-21407 and CVE-2024-21408) and 39 patches rated as important to the Windows platform that cover the following key components:
- Windows SQL and OLE DB Provider
- Windows Hyper-V
- Windows Kernel
This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild, and if you are on a modern Windows 10/11, all these reported security vulnerabilities are difficult to exploit. Please add this update to your standard Windows release schedule.
Microsoft Office
Following a recent trend, Microsoft released only three updates to the Microsoft Office platform for March (CVE-2024-21448, CVE-2024-21426 and CVE-2024-26199). All three patches have low potential for exploitability and should be added to your regular Office update schedule.
Microsoft Exchange Server
Microsoft has (again) released a single update for Exchange Server with CVE-2024-26198. This update only affects Exchange Server 2016 and 2019; Microsoft describes the vulnerability as, “an attack that requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL.”
Microsoft rates this update as important and there are no reports of public disclosure or exploits. Add it to your regular server update schedule. For Exchange Server admins, we believe that each updated server will require a reboot.
Microsoft development platforms
Microsoft released three updates (CVE-2024-26190, CVE-2024-26165 and CVE-2024-21392 to .NET (Versions 7 and 8) and Microsoft Visual Studio 2022. All three updates are low-impact and can be included in regular developer patch release efforts.
Adobe Reader (if you get this far)
No Adobe updates this month. Other than the Intel firmware update (CVE-2023-28746), we do not have any third-party vendors/ISVs to add to this month’s update schedule.