Date: 2023-04-15



In this April Patch Tuesday, Microsoft addressed 97 existing vulnerabilities and also updated and re-released eight previously released patches. There have been reports of a vulnerability (CVE-2023-28252) being exploited in the wild, resulting in a “Patch Now” release.

This update cycle affects Windows Desktop, Microsoft Office, and Adobe Reader. There are no updates for Microsoft Exchange this month. The Application Readiness team provided a helpful infographic outlining the risks associated with each update for this April update cycle.

Known issues

Each month Microsoft posts a list of known issues related to the operating systems and platforms included in this update cycle.

Windows 11 22H2: Windows devices that use some third-party UI customization apps may not boot after installing this update or later updates. Microsoft is currently investigating this issue.
Updates released after February 14, 2023 may not be offered to Windows 11, version 22H2 from some Windows Server Update Services (WSUS) servers. Updates are downloaded to the WSUS server, but may not be further propagated to client devices. Microsoft is working on this issue. An update is expected soon.

And for the gaming cowboys out there, it looks like Red Dead Redemption 2 is dead upon arrival, at least with this April update. I know) will have to wait (a little longer) as there are still buffering issues with multi-gigabit network transfers on Microsoft’s latest desktop OS.

Major revisions

This month, Microsoft released several major revisions of previous updates.

CVE-2023-28260: .NET DLL Hijacking Remote Code Execution Vulnerability. This security patch has been updated to support PowerShell 7.2/7.3.
CVE-2023-21722, CVE-2023-21808: .NET Framework Denial of Service Vulnerability. Microsoft re-released KB5022498 to address a known issue that prevented KB5022498 from being installed for customers who installed the February Cumulative Update for .NET Framework 4.8 (KB5022502), upgraded to .NET Framework 4.8.1, and then scanned for updates. Customers who were unable to install KB5022498 should rescan for updates and install the update. Customers who have already successfully installed KB5022498 do not need to take any further action.
CVE-2023-23413, CVE-2023-24867, CVE-2023-24907, CVE-2023-24909: Remote code execution vulnerabilities in Microsoft PostScript and PCL6 class printer drivers. The following changes have been made to the description of this CVE report: 1) Added FAQ to explain how an attacker could exploit this remote code execution vulnerability. 2) Removed FAQ about incorrect CVSS metrics. These are informational changes only.
CVE-2023-28303: Windows Snipping Tool Information Disclosure Vulnerability. Added FAQ explaining how to get updates from the Microsoft Store when automatic store updates are disabled. This is an informational change only.

Mitigations and Workarounds

Microsoft has published the following vulnerability-related mitigations in this month’s April Patch Tuesday release cycle.

CVE-2023-23397: To mitigate this Microsoft Outlook privilege escalation vulnerability, Microsoft recommends the following: Other way to disable NTLM. The Readiness team recommends blocking TCP port 445 (outbound) until an official Microsoft patch resolves this vulnerability.

Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on an evaluation of a large application portfolio and a detailed analysis of Microsoft’s patches and their potential impact on the Windows desktop platform and application installation.

Due to the large number of changes included in this April patch cycle, we categorized our test scenarios into standard and high-risk profiles.

Test network connectivity (using web and Teams) using VPN and dial-up (PPPoE and SSTP).
Test your Bluetooth connection. As a test, try printing from Bluetooth. Ok, that’s not fun.
If you’re testing VPN with IKEv2 and L2TP, make sure your test profile includes a connectivity check.
Test sound/audio in an RDP desktop session.

High risk

Microsoft has made some significant changes to the functionality of the SQLOLEDB component. SQLOLEDB is a core Microsoft component that handles calls from SQL to OLE APIs. This is not the first time this key data-centric component has been patched by Microsoft, with a major update last September. The Readiness evaluation team strongly recommends an application portfolio scan of all applications (and their dependencies) that contain references to the Microsoft library SQLOLEDB.DLL. Scanning application packages for ODBC references introduces a lot of “noise”, so library dependency checking is preferred in this case. Once done, you should perform a database connection test. (Most importantly) these tests should probably be done via a VPN or an unstable internet connection.
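The library-reference scan recommended above could look like the following; this is an added example, not the Readiness team's tooling. It walks an unpacked application portfolio and flags files that name SQLOLEDB.DLL or use the SQLOLEDB provider keyword in a connection string, in ASCII or UTF-16LE, and ignores ODBC-only strings. The sample file names and contents are constructed, and matching on `Provider=` is an assumption about how applications reference the component.

```python
import re
import tempfile
from pathlib import Path

# Library file name and OLE DB provider keyword; ODBC strings are deliberately not matched.
PATTERNS = {
    "library": re.compile(rb"sqloledb\.dll", re.I),
    "provider": re.compile(rb"provider\s*=\s*sqloledb", re.I),
}

def scan_file(path, max_bytes=64 * 1024 * 1024):
    """Return the kinds of SQLOLEDB reference found in one file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    # Dropping NUL bytes folds UTF-16LE strings (common in Windows binaries)
    # down to ASCII, so one pattern covers both encodings.
    folded = data.replace(b"\x00", b"")
    return sorted(kind for kind, rx in PATTERNS.items() if rx.search(folded))

def scan_tree(root):
    """Walk an unpacked portfolio; map relative path -> reference kinds."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        try:
            kinds = scan_file(path) if path.is_file() else []
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if kinds:
            hits[path.relative_to(root).as_posix()] = kinds
    return hits

# Constructed sample portfolio (file names and contents are made up).
SAMPLE = {
    "billing/app.exe.config": b'<add connectionString="Provider = SQLOLEDB;Data Source=db01" />',
    "legacy/report.bin": b"MZ\x90\x00" + "SqlOleDb.DLL".encode("utf-16-le") + b"\x00\x00",
    "crm/odbc.ini": b"Driver={ODBC Driver 17 for SQL Server};Server=db01",
    "hr/web.config": b'<add connectionString="Provider=MSOLEDBSQL;Server=db01" />',
}

def demo():
    # Write SAMPLE to a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE.items():
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(content)
        return scan_tree(root)

if __name__ == "__main__":
    for path, kinds in demo().items():
        print(f"{path}: {', '.join(kinds)}")
```

Compressed installers (MSI, CAB, ZIP) have to be unpacked before scanning, because the strings are not visible in compressed form. Each flagged application is then a candidate for the database connection test described above.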

All of these scenarios (both standard and high risk) will require significant application-level testing prior to general deployment of this month’s updates. In addition to the SQL connectivity test requirements, we also recommend the following “smoke” tests for your system:

Test the Windows On-Screen Keyboard (OSK).
Test booting a Windows desktop system from a RAM disk.
Test the Windows logging system (CLFS) using the create/read/update/delete test (CRUD).

We should also consider the latest updates to Adobe Reader later this month, so please include a print test in your implementation.

Updates by Product Family

Each month, we categorize our update cycles into product families (as defined by Microsoft), with the following basic groupings:

Browsers (Microsoft IE and Edge)
Microsoft Windows (both desktop and server)
Microsoft Office
Microsoft Exchange Server
Microsoft Development Platforms (ASP.NET Core, .NET Core, Chakra Core)
Adobe (obsolete???, maybe next year)

Browsers

Only three updates (CVE-2023-28284, CVE-2023-24935, and CVE-2023-28301) affect the Microsoft Edge browser platform in this April patch cycle. All of these are rated low by Microsoft. Additionally, Microsoft has rolled out 14 updates for its Chromium Edge browser, and deployment risks should be minimal. Add these updates to your standard patch release schedule.

If you have the time, here’s a great post from the Chromium project group on how they’re improving performance for all Chromium browsers.

Windows

This April, Microsoft released seven critical updates and 71 patches rated as critical for the Windows platform. These are for the following critical components (Critical Updates):

Microsoft Message Queuing
Windows Layer 2 Tunneling Protocol
Windows DHCP Server

Unfortunately, there were reports of a vulnerability (CVE-2023-28252) being exploited in the wild this month, adding it to the zero-day count. Add this update to your “Patch Now” release schedule.

Microsoft Office

There are no significant updates for the Microsoft Office product group this month. Microsoft has provided five updates rated Important to Microsoft Publisher and SharePoint to address spoofing and remote code execution security vulnerabilities. Add these Office updates to your standard release schedule.

Microsoft Exchange Server

April is said to be the cruelest month, but with no updates from Microsoft on the Microsoft Exchange Server product group this month, I’m not sure. This should put a spring in your step.

Microsoft development platform

Microsoft only released 6 updates for Visual Studio and .NET (6.X/7.x) in this April patch cycle. These patches can be added to the standard developer release schedule to address vulnerabilities with low or high ratings by Microsoft.

Adobe Reader (The cat is back)

There is an update for Adobe Reader in this April update cycle. I thought the Reader updates were complete, but the Priority 3 (lowest rated by Adobe) update (APSB 23-24) affects all versions of Adobe Reader and addresses a memory leak security vulnerability. Add this update to your standard third-party application deployment.

