Over the past year, we’ve seen Microsoft make radical improvements in its browser stability and significant positive changes to its Windows update communication and telemetry strategies. And this month’s Patch Tuesday release brings with it an incredibly light set of updates — maybe the fewest number of updates I have ever seen.
There are no zero-days, which is a great finish to 2023, though Windows gets three critical updates and Visual Studio will require immediate attention due to several re-releases of past critical application patches.
The team at Readiness has created a helpful infographic to outline the risks associated with each update in this last release of 2023. One note of caution: we have seen several potential updates to older patches (October/November) coming down the release pipeline from Microsoft. It might be worth checking in during the upcoming holiday break to see whether there are any out-of-band patches for the Windows ecosystem.
Each month, Microsoft details the known issues related to the operating system and platforms included in its update cycle.
- Microsoft has raised a reporting-related issue with Microsoft Intune and BitLocker. Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the “Require Device Encryption” setting for some devices in your environment. Microsoft is still working on resolving this issue.
- Windows devices using more than one monitor might experience issues with desktop icons moving unexpectedly between monitors or see other icon alignment issues when attempting to use Copilot in Windows. This was raised last month and it appears Microsoft is still working on the issue.
Though we are not experiencing printer problems with Patch Tuesday as we have in the past, HP Printers are now being displayed on Windows computers, even when HP printers are neither connected nor installed. Symptoms of this can include:
- Some Windows 10 and Windows 11 devices are installing the HP Smart app.
- Printers are renamed as HP printers regardless of their manufacturer. Most are being named as the HP LaserJet M101-M106 model. Printer icons might also be changed.
- Double clicking on a printer displays the on-screen error “No tasks are available for this page.”
Microsoft has confirmed that this is not the result of an HP Printer update and is working on a resolution.
This is an unusual month for Microsoft, as there are normally several “information only” revisions to previous updates. This month, Microsoft has re-published updates for both Microsoft Edge and Microsoft Visual Studio that will require (in the case of Visual Studio, urgent) attention. I have updated these Browser and Development sections accordingly.
Mitigations and workarounds
Following the pattern set this month, Microsoft broke with tradition and has not released any documentation on current vulnerability mitigations or workarounds.
Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
For this end-of-year update, we have not seen any high-risk or significant functionality changes for Windows. However, there have been several changes to core functionality that will require some attention, including:
- Windows Networking: Internet Connection Sharing (ICS), the Windows DHCP IP services provider has been updated. We recommend that you progress the following tests:
- Windows kernel updates. The Windows kernel lies at the very core of the Windows operating system and any changes should be tested with care. That said, the changes implemented this month have a very low surface area, and any issues should present themselves with a simple reboot.
- SQL Clients and OLE: The Microsoft SQL clients for both SQL server and OLE have been updated. We recommend running basic SQL commands to fetch/update data from both a local and remote server.
You might not remember Faxing (showing my age here) but Microsoft has made a minor update to a single discrete function call in the MakeCall API function. If you are using automated faxes in your workflows or rely on a FAX server such as FAXPress, then you will need to perform a complete test that includes sending, receiving, and the administration of existing faxes.
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for line of business applications, getting the application owner (doing UAT) to test and approve the testing results is still absolutely essential.
Windows lifecycle update
This section includes important changes to servicing (and most security updates) to Windows desktop and server platforms. There are no major changes or end of support notices for the Windows or Office platforms this month. However, Microsoft has published the end of community support for PHP 8.0. For those affected, Microsoft offers a few steps to assist with updating applications.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft Development platforms (NET Core, .NET Core and Chakra Core).
- Adobe (retired???, maybe next year).
The major changes included with this December browser update lie within the Chrome browser components including:
- CVE-2023-6508, CVE-2023-6509 and CVE-2023-6510: Use after free error in Browser Media Stream.
- CVE-2023-6511 and CVE-2023-6512: Inappropriate implementation in Autofill and the Web Browser UI.
These revisions are relatively minor and should not pose a compatibility problem; add these updates to your standard browser patch release schedule.
This month, Microsoft released three critical updates and 22 patches rated important to the Windows platform that cover the following key components:
- Windows Networking, ICS, DHCP and DNS;
- Windows Kernel and Win32K drivers;
- Windows Telephony Server (a single API update);
- Microsoft Bluetooth drivers.
Your testing and deployment focus should be on ensuring that target systems are working as expected with this month’s networking updates. Whenever Microsoft updates the Kernel (far too often), care must be taken with external devices that rely on system level drivers. A good couple of reboots this month should do the trick.
Add this Windows update to your standard release schedule.
Microsoft released three relatively minor updates to Microsoft Word. These patches address lower-risk vulnerabilities, have a low testing profile, and are rated as important. Add these Office updates to your standard release schedule.
Microsoft Exchange Server
Lucky for us — and for those working over the Christmas break — there are no Microsoft Exchange Server updates.
Microsoft development platforms
There were no new development platform (.NET or Microsoft Visual Studio) updates from Microsoft this month. But there are several critical updates that have been revised outside of the Patch Tuesday calendar, including: CVE-2023-36792, CVE-2023-36793, CVE-2023-36794 and CVE-2023-36796.
All of these reported CVE entries relate to a cluster of Visual Studio remote code execution vulnerabilities. Microsoft is rereleasing KB5029365 to address the following known issue: Customers who are using Microsoft Visual Studio 2013 Update 5 might receive a “C2471” error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches.
The re-releases of these four Visual Studio updates (from September) are rated critical by Microsoft and will need to be added to your “Patch Now” release schedule.
Adobe Reader (still here, but just not this month)
There were no updates from Adobe for Reader or Acrobat this month. And there were no updates to third-party applications such as WinRAR, nor deprecations of major system components. Now that we have a bit of time left in the year, we can start talking about the potential compatibility issues in Windows 23H2.
For Patch Tuesday Debugged, that’s a wrap for 2023. It’s been a pleasure and a privilege to help with Patch Tuesday testing and deployment challenges over the past year. I can’t wait to see what 2024 will bring us.