By Greg Lambert
Microsoft this week pushed out 61 Patch Tuesday updates with no reports of public disclosures or other zero-days affecting the larger ecosystem (Windows, Office, .NET). Though there are three updated packages from February, they're just informational changes with no further action is required.
The team at Readiness has crafted this helpful infographic outlining the risks associated with each of the March updates.
Known issues
Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle; for March, there are two minor issues reported:
February was not a great month for how Microsoft communicated updates and revisions. With March being an exceptionally light month for reported “known issues” for desktop and server platforms, our team found no documentation issues. Good job Microsoft!
Major revisions
This month, Microsoft published the following major revisions to past security and feature updates including:
Mitigations and workarounds
Microsoft released these vulnerability-related mitigations for this month's release cycle:
Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and application installations.
For this March cycle, we have grouped the critical updates and required testing efforts into different functional areas including:
Microsoft Office
Microsoft .NET and Developer Tools
Windows
The following core Microsoft features have been updated, including:
One of the key updates to the Windows file system this month is a change to how NTFS handles composite image files; Microsoft describes them as ”a small collection of flat files that include one or more data and metadata region files, one or more object ID files and one or more file system description files. As a result of their "flatness" CIMs are faster to construct, extract and delete than the equivalent raw directories they contain."
Basic tests for this update should include creating, mounting, and browsing CIM objects.
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for line of business applications, getting the application owner (doingUAT) to test and approve the results is still absolutely essential.
This month, Microsoft made a major (general) update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio.
Windows lifecycle update
This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers
Microsoft has released three minor updates to the Chromium based browser (Edge) project this month (CVE-2024-1283, CVE-2024-1284 and CVE-2024-1059) with the following reported vulnerabilities:
In addition to these standard releases, Microsoft issued these “late” additions with its monthly browser update:
All these updates should have negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule.
Windows
In February, Microsoft released (another) two critical updates (CVE-2024-21407 and CVE-2024-21408) and 39 patches rated as important to the Windows platform that cover the following key components:
This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild, and if you are on a modern Windows 10/11, all these reported security vulnerabilities are difficult to exploit. Please add this update to your standard Windows release schedule.
Microsoft Office
Following a recent trend, Microsoft released only three updates to the Microsoft Office platform for March (CVE-2024-21448, CVE-2024-21426 and CVE-2024-26199). All three patches have low potential for exploitability and should be added to your regular Office update schedule.
Microsoft Exchange Server
Microsoft has (again) released a single update for Exchange Server with CVE-2024-26198. This update only affects Exchange Server 2016 and 2019; Microsoft describes the vulnerability as, “an attack that requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL.”
Microsoft rates this update as important and there are no reports of public disclosure or exploits. Add it to your regular server update schedule. For Exchange Server admins, we believe that each updated server will require a reboot.
Microsoft development platforms
Microsoft released three updates (CVE-2024-26190, CVE-2024-26165 and CVE-2024-21392 to .NET (Versions 7 and 8) and Microsoft Visual Studio 2022. All three updates are low-impact and can be included in regular developer patch release efforts.
Adobe Reader (if you get this far)
No Adobe updates this month. Other than the Intel firmware update (CVE-2023-28746), we do not have any third-party vendors/ISVs to add to this month's update schedule.
