Microsoft has eased us into the new year with just 48 updates for the Windows, Office and .NET platforms. There were no zero-days for January, and no reports of publicly exposed vulnerabilities or exploited security issues.
Developers of complex, line-of-business applications might need to pay particular attention to how Microsoft has updated the Message Queue system. Printing has been patched, and minor updates to the Bluetooth and Windows Shell subsystems (shortcuts and wallpaper) require some testing before deployment.
The team at Readiness has crafted a useful infographic that outlines the risks associated with each of the updates for this January release.
Known issues
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle.
- Microsoft reported the following error message for all Windows 10/11 desktop platforms: Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the "Require Device Encryption" setting for some devices in your environment.
Given the importance of emojis in today's computing environment, Microsoft also has an issue with the color scale of certain 3D-like emoticons on all Windows builds. (As I am "color dumb," not sure if I should be 🙂 or 😞.)
Major revisions
So were there major revisions among the January updates? There are two answers. The short answer is there do not appear to be any patches with significant revisions that require administrator attention this month.
The long answer: there may be an issue with the Microsoft update database and how data is presented and deployed. With each update cycle, the Readiness team employs an automated system to parse and process Microsoft updates and their associated manifests and payloads. Our system reported many changes, which after some time proved to be false alarms. (By "large number of changes," we mean several thousand.) We double-checked: it is not us, it is the data. We'll see if the problem persists and update our systems and bulletins accordingly.
Mitigations and workarounds
Microsoft published the following vulnerability-related mitigations for this month's release:
- CVE-2024-21320: Windows Themes Spoofing Vulnerability. Microsoft advised that those who have disabled NTLM are not affected by this minor issue. If this vulnerability is a concern for your organization, apply the Restrict NTLM group policy.
Each month, the Readiness team analyses the Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and the patches' potential impact on the Windows platforms and application installations.
The following changes were included in this month's update. They have not been raised as elevated risk (of unexpected outcomes) and do not include functional changes:
- Printing has been updated to prevent a remote code execution scenario. Printer redirection processes/configurations will need a test cycle.
- Bluetooth system files have been updated on all currently supported Windows desktop builds. I have real trouble with Bluetooth testing as I find Bluetooth connectivity flaky at best. This month, test Bluetooth mice, keyboards, and your headsets.
- Base log files (BLF) were a critical component of ransomware attacks throughout 2023 as attackers exploited vulnerabilities in the Windows Error Reporting and Log file system (WER). These (BLF) file types were updated this month, and a Windows Error Log Reporting file test will be required that includes file create, read, update, and delete operations.
- Core components of the Microsoft Group Policy (GPO) administration tools have been updated, so GPO templates will require testing by administrators and more importantly, by delegated non-administrators.
- There's another update to how Windows handles file compression. This time we should still expect to test file extraction, with less focus on file-level compression. We suggest using a command/batch file to run EXTRACT/Extrac32 on at least a few hundred small to mid-size files.
- You will have to include a background image or "Wallpaper" test this month due to an update to Windows Shell. This is an easy one. Can I see my corporate wallpaper when I log in? Yes? Happy days!
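The extraction test suggested in the list above can be scripted as follows. This is an added example, not part of the original article: the working folder, the file count of 300 and the 1 KB to 2 MB size range are assumptions, and it uses `makecab.exe` to build the cabinets and `extrac32.exe` to extract them, comparing hashes afterwards.

```powershell
# Added example (not from the article): CAB extraction regression test.
# Assumed values: working folder under %TEMP%, 300 files, sizes 1 KB to 2 MB.
$ErrorActionPreference = 'Stop'
$root = Join-Path $env:TEMP 'cab-extract-test'
$src, $cab, $out = 'src', 'cab', 'out' | ForEach-Object { Join-Path $root $_ }
Remove-Item $root -Recurse -Force -ErrorAction SilentlyContinue
$src, $cab, $out | ForEach-Object { New-Item -ItemType Directory -Path $_ -Force | Out-Null }

$rng     = [System.Random]::new(20240109)   # fixed seed: same corpus on every build
$results = foreach ($i in 1..300) {
    $name  = 'sample{0:D4}.bin' -f $i
    $file  = Join-Path $src $name
    $bytes = [byte[]]::new($rng.Next(1KB, 2MB))
    # Even files are random (incompressible); odd files stay zero-filled (compressible).
    if ($i % 2 -eq 0) { $rng.NextBytes($bytes) }
    [System.IO.File]::WriteAllBytes($file, $bytes)

    $cabFile = Join-Path $cab ($name + '.cab')
    & makecab.exe $file $cabFile | Out-Null
    $packed = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $cabFile)

    $status = 'MakecabFailed'
    if ($packed) {
        # extrac32 is a GUI-subsystem binary, so wait for the process to exit.
        $extracArgs = '/Y', '/E', '/L', ('"{0}"' -f $out), ('"{0}"' -f $cabFile)
        Start-Process -FilePath extrac32.exe -ArgumentList $extracArgs -Wait
        $extracted = Join-Path $out $name
        if (-not (Test-Path -LiteralPath $extracted)) {
            $status = 'NotExtracted'
        } elseif ((Get-FileHash $extracted).Hash -ne (Get-FileHash $file).Hash) {
            $status = 'HashMismatch'
        } else {
            $status = 'OK'
        }
    }
    [pscustomobject]@{ File = $name; Bytes = $bytes.Length; Status = $status }
}

# Keep the per-file results so pre-patch and post-patch runs can be diffed.
$results | Export-Csv (Join-Path $root 'results.csv') -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
if ($results.Status -ne 'OK') { Write-Warning 'One or more extractions failed' }
```

Run it once on an unpatched build and once after applying the January update, then compare the two `results.csv` files.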
For developers: Microsoft made a major update on how Message Queuing (MSMQ) works in Windows desktops this month. One sub-component of the MSMQ feature deals with Remote Procedure Calls (RPC) commonly used in distributed applications. To test your distributed, MSMQ, and RPC-driven corporate apps (you know who you are) please ensure that the following component areas are included in your project test and release schedule:
- Message Queue (MSMQ) Services.
- MSMQ Active Directory Domain Services Integration.
- MSMQ Triggers.
- HTTP, Routing Service and Multicasting Support.
- MSMQ DCOM Proxy.
Automated testing will help with these scenarios (especially a testing platform that offers a "delta" or comparison between builds). However, for your line-of-business applications, getting the application owner (doing UAT) to test and approve the results is still essential.
Windows lifecycle update
This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms.
- REMINDER: Home, Pro, Pro Education, and Pro for Workstation editions of Windows 11, version 21H2 reached end of service on Oct. 10, 2023.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (if you get this far).
Browsers
Microsoft has released four very small updates to the Chromium project:
- CVE-2024-0222: Use after free in ANGLE.
- CVE-2024-0223: Heap buffer overflow in ANGLE.
- CVE-2024-0224: Use after free in WebAudio.
- CVE-2024-0225: Use after free in WebGPU.
We are pretty lucky, as these are very light-weight updates. Nothing compared to the urgency and difficulty we used to experience with updating Internet Explorer. Add these updates to your standard patch release schedule.
Windows
Microsoft released two critical updates and 38 patches rated important to the Windows platform that cover the following key components:
- Windows Kerberos.
- Windows Hyper-V.
- Windows Error log and reporting.
- Networking and Bluetooth.
- Windows Shell and Active Directory Group Policy objects.
With only two patches (CVE-2024-20674 and CVE-2024-20700) rated critical and no reported zero-days, this is another relatively light month. Our focus for testing and deployment should be on administrator tasks (validating backups, telemetry, and log files) and some of the core internal features employed by developers for business logic driven distributed applications. Add this update to your standard Windows platform release schedule.
Microsoft Office
Microsoft released just two patches (CVE-2024-20677 and CVE-2024-21318) for Office and Microsoft SharePoint. These are low-impact updates that should not affect how Excel or Word handles numbers or formulas. Add these Office updates to your standard release schedule.
Microsoft Exchange Server
As in December, Microsoft did not release any updates for Microsoft Exchange Server. Don't get too comfortable. We think the February update is going to be a big one.
Microsoft development platforms
Microsoft released six updates affecting Microsoft .NET, Visual Studio, and the SQL Client feature. All updates are rated important. The SQL Client update (CVE-2024-0056) will require some attention. Scan your corporate Line of Business (LOB) or internal applications for .NET's System.Data.SqlClient dependencies. Once you have a prioritized application list, please add these updates to your standard developer release schedule.
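One way to run the dependency scan described above, as an added example that is not part of the original article. The root folder `C:\Apps`, the one-folder-per-application layout and the helper name `Get-AppName` are assumptions; the script lists shipped copies of `System.Data.SqlClient.dll` and references declared in project and deployment manifests, and makes no judgment about which versions are patched.

```powershell
# Added example (not from the article): inventory System.Data.SqlClient usage.
param([string]$Root = 'C:\Apps')   # assumed root; one sub-folder per application

$needle  = 'System.Data.SqlClient'
$Root    = (Resolve-Path -LiteralPath $Root).Path
# Matches PackageReference, packages.config and deps.json forms of "<name> ... <version>".
$version = [regex]'System\.Data\.SqlClient["/]\W*(?:[Vv]ersion=")?(\d+(?:\.\d+){1,3})'

function Get-AppName([string]$Path) {
    # First folder below $Root is treated as the application name (assumption).
    $Path.Substring($Root.Length).TrimStart('\').Split('\')[0]
}

$findings = @(
    # 1. Shipped copies of the assembly and the file version actually deployed.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter "$needle.dll" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                App = Get-AppName $_.FullName; Kind = 'Binary'
                Version = $_.VersionInfo.FileVersion; Path = $_.FullName
            }
        }
    # 2. Declared references in project files and deployment manifests.
    Get-ChildItem -Path $Root -Recurse -File -Include *.csproj, *.vbproj, packages.config, *.deps.json -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch $needle |
        ForEach-Object {
            $m = $version.Match($_.Line)
            [pscustomobject]@{
                App = Get-AppName $_.Path; Kind = 'Reference'
                Version = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
                Path = '{0}:{1}' -f $_.Path, $_.LineNumber
            }
        }
)

# One row per application, most hits first, as input to the prioritized list.
$findings | Group-Object App | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Versions'; e = { ($_.Group.Version | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
$findings | Export-Csv (Join-Path $env:TEMP 'sqlclient-inventory.csv') -NoTypeInformation
```

Rows with version `unknown` are lines that mention the name without an adjacent version (for example a version set in a child element or a central package file) and need a manual look.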
Adobe Reader (if you get this far)
No updates from Adobe for Reader or Acrobat this month, but Microsoft has released a single update to the third-party database engine SQLite (CVE-2022-35737). This database engine update should really be included in the developer section, but strictly speaking it's an open source project supported by Microsoft. Given our research on last year's patch and update trends, we are expecting a larger-than-normal update package for February. Automated testing is going to be key, with AI (probably a "PatchGPT") playing a large role in patch summaries, vulnerability assessments, and testing recommendations.