Microsoft fixes two zero-days with Patch Tuesday release

By Greg Lambert

Microsoft on Tuesday released 73 updates in its monthly Patch Tuesday release, addressing issues in Microsoft Exchange Server and Adobe and two zero-day flaws being actively exploited in Microsoft Outlook (CVE-2024-21410) and Microsoft Exchange (CVE-2024-21413).

Including the recent reports that the Windows SmartScreen vulnerability (CVE-2024-21351) is under active exploitation, we have added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. The team at Readiness has provided this detailed infographic outlining the risks associated with each of the updates for this cycle.

Known issues

Microsoft publishes a list of known issues related to the operating system and platforms included each month.

There is a significant issue with the current release of Microsoft Exchange Server, which is detailed below in the Exchange Server section.

Major revisions

We have seen three waves of CVE vulnerability revisions from Microsoft (so far) this month — which in itself is unusual — made all the more so by the volume of updates in such a short time. That said, all the revisions were due to mistakes in the publication process; no additional action is required for the following:

Contrary to current documentation from Microsoft, there are two revisions that do require attention: CVE-2024-21410 and CVE-2024-21413. Both reported vulnerabilities are “Preview Pane” critical updates from Microsoft that affect Microsoft Outlook and Exchange Server. Though the Microsoft Security Response Center (MSRC) says these vulnerabilities are not under active exploitation, there are several published reports of active exploitation.

Note: this is a serious combination of Microsoft Exchange and Outlook security issues.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month's release cycle:

We have placed the GPO setting AllowAllTrustedAppToInstall in quotes, as we don’t believe it exists (or the documentation has been removed/deleted). This may be (another) documentation issue.

Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations. For this February release, we have grouped the critical updates and required testing efforts into functional areas, including:

Security

Networking

Developers and development tools

Microsoft Office

Also, this month, Microsoft added a new feature to the Microsoft .NET Core offering with SignalR. Microsoft explains:

“ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data.”

You can find documentation on getting started with SignalR here.

Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for line-of-business apps, getting the application owner (doing UAT) to test and approve the results is still essential.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft released three minor updates to the Chromium-based Edge (CVE-2024-1283, CVE-2024-1284, and CVE-2024-1059) and updated the following reported vulnerabilities:

All these updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add them to your standard patch release schedule.

Windows

Microsoft released two critical updates (CVE-2024-21357 and CVE-2024-20684) and 41 patches rated as important for Windows that cover the following components:

The real worry this month is the Windows SmartScreen (CVE-2024-21351) update, which has been reportedly exploited in the wild. Due to this rapidly emerging threat, add this update to your Windows “Patch Now” release schedule.

Microsoft Office

Microsoft released a single critical update (CVE-2024-21413) and seven patches rated as important for the Microsoft Office productivity suite. The real concern is older versions of Microsoft Office (2016, in particular). If you are running these older versions, you will need to add these updates to your Patch Now schedule.

All modern versions of Microsoft Office can add these February updates to their standard release schedule.

Microsoft Exchange Server

Microsoft released a single update for Microsoft Exchange Server, with CVE-2024-21410 rated critical. This update will require a reboot of the target server(s). In addition, Microsoft offered this advice when patching your servers:

“When Setup.exe is used to run /PrepareAD, /PrepareSchema or /PrepareDomain, the installer reports that Extended Protection was configured by the installer, and it displays the following error message: 'Exchange Setup has enabled Extended Protection on all the virtual directories on this machine.'”

Microsoft offers “Extended Protection” as a series of documents and scripts to help secure your Exchange server. In addition, Microsoft published Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 to help with managing the attack surface of this serious vulnerability. Add this to your “Patch Now” schedule.

Microsoft development platforms

Microsoft released three updates (CVE-2024-20667, CVE-2024-21386 and CVE-2024-21404) affecting the .NET platform as well as Visual Studio 2022. These updates are expected to have minimal impact on app deployments. Add them to your standard developer release schedule.

Adobe Reader (if you get this far)

Adobe Reader updates are back this month (year) with the release of APSB 24-07, a priority three update for both Adobe Reader and Reader DC. Adobe notes that this vulnerability could lead to remote code execution, denial of service, and memory leaks. There are also some documented uninstall issues with Adobe Reader, which might cause deployment headaches. All this is enough to add this Adobe update to our “Patch Now” schedule.

© Computer World