For December’s Patch Tuesday, 74 updates and a zero-day fix for Windows

Microsoft released 74 updates in its December Patch Tuesday update, with patches for Windows, Office and Edge — but none for Microsoft Exchange Server or SQL server. One zero-day (CVE-2024-49138) affecting how Windows desktops handle error logs requires a “Patch Now” warning, but the Office, Visual Studio and Edge patches can be added to your standard release schedule. There are also several revisions this month that require attention before deployment, including two (CVE-2023-36435 and CVE-2023-38171) that will need extensive testing. 

The Readiness team has provided this infographic outlining the risks associated with each of the updates this cycle. (More information about the previous six months of Patch Tuesday releases is available here.)

Known issues 

Other than the Roblox issue, Microsoft has published a reduced set of known issues for December:

There have been reports that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. Microsoft has offered several mitigation options for those still affected.

For those still on Windows Server 2008 you might receive warnings that Windows Update failed to complete successfully. Microsoft is working on this issue and expects a fix to be released soon. Many users will now have to move to the second stage of “Extended Support Updates) or “ESU.”

Major revisions

For the final Patch Tuesday in 2024, there are these revisions to previously released updates:

CVE-2023-36435 and CVE-2023-38171: Microsoft QUIC Denial of Service Vulnerability. This is the third update to this two-year-old series of patches to the Microsoft .NET platform. Rather than a strictly information update, these patches will need to be added to your December release schedule.

CVE-2024-49112 : Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This is a release for this month’s update. This does not happen often, as this patch was only released 24 hours ago. (In fact, due to an error in the documentation, this patch was duplicated in the release notes as well.)

CVE-2023-44487: HTTP/2 Rapid Reset Attack. The update relates to a change in affected software — meaning all recent supported versions of Microsoft .NET and Visual Studio are included in the scope of the patch. Add this to your development update release schedule for the month.

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability. This late edition revision has been widely reported in the news as it affects older versions of Windows Server (2008 and 2012) and has received some generous technical support from outside Microsoft.

This is an unusual month for revisions, with several patches from 2023 updated in the final months of 2024, with increased scopes and associated testing requirements. The Readiness team advises extra caution addressing both CVE-2023-36435 and CVE-2023-38171.

Windows lifecycle and enforcement updates

There were no product or security enforcements for this update cycle. However, Microsoft has noted that:

 “There won’t be a non-security preview release for the month of December 2024. There will be a monthly security release for December 2024. Normal monthly servicing for both security and non-security preview releases will resume in January 2025.”

Each month, we analyze the latest Patch Tuesday updates from Microsoft and provide detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and application installations.

For this cycle, we have grouped the critical updates and required testing efforts into different functional areas including:

Networking and Remote Desktop Services

This month’s update addresses key components of Microsoft’s Remote Desktop Services with the following testing guidance:

Test RDP connections over the Microsoft Remote Desktop Gateway.

Try RPC over HTTP/HTTPS pathways while validating Remote Desktop broker features.

Test out DNS signing key operations for RRAS environments.

Validate WAN port operations (try netsh commands).

Local Windows File System and Storage

Minor changes to the Windows desktop file system will require a test of the ReFS system (light CRUD testing required). Due to changes in how Windows handles non-English characters, a test of Input Method Editors (IME’s) is required for Japanese formats. 

Virtual Machines and Microsoft Hyper-V

A minor update to a key virtualization driver will require some traffic testing and monitoring for Microsoft’s Hyper-V and virtualization platforms. While these recent updates are generally low-profile patches to Windows subsystems, we feel that the primary testing this month should focus on validating remote network traffic. The file system and Hyper-V changes require light testing. The goal for most enterprises is to get these Microsoft updates deployed before change control “lock-down” arrives.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge) 

Microsoft Windows (both desktop and server) 

Microsoft Office

Microsoft Exchange Server 

Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core)

Adobe (if you get this far) 

Browsers 

There were just two minor updates for Microsoft Edge this month, with CVE-2024-12053 and CVE-2024-49041 both rated as important. Add these low-profile changes to your standard release schedule.

Windows 

Though there is a strong focus on networking, this release also affects the following Windows features:

Windows Remote Desktop and related routing servers

Windows Kernel and Kernel Mode Drivers

Printing

Microsoft Hyper-V

Microsoft LDAP and LSASS

Windows Error Reporting

Unfortunately, there is a zero-day (CVE-2024-49138) that has been reported as publicly disclosed and exploited in the wild that affects how Windows creates error log files. Add these Windows updates your Patch Now cycle.

Microsoft Office 

Microsoft released nine patches to Office, all rated important. In addition, the company  offered some additional security measures and mitigations to the platform with the release of the advisory ADV240002, which covers the following areas:

Perimeter Defense

Network Security

Endpoint Protection

Application Security

This month’s update affects Microsoft Excel, SharePoint and core Microsoft Office libraries. Add these patches to your standard Office release schedule.

Microsoft SQL (nee Exchange) Server 

There were no updates for either Microsoft SQL or Exchange server.

Microsoft development platforms

Microsoft released a single update to the experimental AI music project Muzic with CVE-2024-49063. We’ll take this as a “win” with no further updates to Microsoft .NET or Visual Studio.

Adobe Reader (and other third-party updates)

Adobe has released a completely normal, run-of-the mill update to both Reader and Acrobat (Adobe Release notes). This is good news. This update has not been included in the Microsoft release cycle, which is as it should be. Adding to the huge, globally shared sense of relief, Adobe has chosen to modify its patching methodology to fall in line with industry best practices. Long-suffering IT admins have had to create (and maintain) “process workflow exceptions” to handle Adobe updates, usually with complex PowerShell scripts. No longer! 

Thank you, Adobe; there is no greater gift than a few less things to do (repeatedly).

For those readers who have enjoyed delving into the deeper details of all things patching, the Readiness team would like to say, “Thank you for the time and attention and we look forward to the New Year.” 

No surprises, right?

Source:: Computer World