Once a month, near the end of the Patch Tuesday release cycle, the Readiness teams publishes an update on Microsoft related patches, out of band  (OOB) releases and republished CVE vulnerability documentation. This note is intended as a informal brief on recent changes and may reflect a dynamic or rapidly changing situation.

Unfortunately, Microsoft has released new information about an update (CVE-2023-36025) that changes the patch cadence for Windows. This vulnerability in Windows SmartScreen has now been publicly disclosed making this an additional zero-day for Microsoft Windows. Add this update to your “Patch Now” schedule.

For the month of November 2023, this posting will include the following areas:

  • Resolved issues
  • Reported issues
  • Updated CVE entries
  • Scheduled Out-of-band (OOB) releases
  • Links to the Readiness blog

Resolved Issues
The following section describes the latest reported issues with Microsoft updates, their affected platform and their resolution statues/date:

  • KB5031455: The correct default currency might not display or be used in Windows devices which have locale set to Croatia. This can affect applications which retrieve the device’s currency for purchases or other transactions. Microsoft has now published a resolution for this issue.

Reported Issues
We have included a (usually) short list of reported issues with last month’s Patch Tuesday update from Microsoft.  These issues can relate to Microsoft Windows, Office and associated development platforms such .NET and Visual studio:

  • Narrator might not start if installing Windows 11. When using physical media or disc images (ISO) to install Windows 11, version 23H2 (also referred to as the Windows 11 2023 Update) on a device, Microsoft Narrator may not start.

Scheduled Out-of-Band (OOB) Release
There are no scheduled Out-of-Band releases from Microsoft scheduled for the next few weeks – bringing us up to Patch Tuesday. If there are any urgent releases, the best place to check for further information is the Windows Release Health dashboard.
Updated Microsoft CVE Entries
This month several Microsoft CVEs have been published or revised in the Security Update Guide since November 16, 2023. These common vulnerabilities and exposures (CVEs) were recently revised.

  • CVE-2023-36008CVE-2023-36026 and CVE-2023-6112: Microsoft Edge (Chromium-based) Remote Code Execution, Spoofing and User after Free Vulnerability. This is a Chromium update from Microsoft that has been released outside the normal release cadence of the Chromium project and Patch Tuesday. Rated as moderate, this update will be included in the future production releases of Microsoft Edge (Chrome). No further action is required.
  • CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability. This is a critical update to this patch from Microsoft. This vulnerability has now been publicly disclosed and this update should be added to your “Patch Now” schedule.

Readiness Blog Entries for October and November
And for those interested in application packaging, security and the update ecosystem, please have a look at this month’s blog postings from the Readiness team:

If you have a little time, and want to make some money, please submit your name and an application for the Pay to Package offer from Readiness.

Greg Lambert