Analyse Patch Tuesday - mai

Patch Tuesday Webinar
jeudi, 11 mai 2023
Présenté par Elise Dupont et Olivier Frelastre

Agenda
May 2023 Patch Tuesday Overview
In the News
Bulletins and Releases
Between Patch Tuesdays
Q & A

Copyright © 2023 Ivanti. All rights reserved.
May Patch Tuesday 2023
The CISA KEV database is now up to 925 and at the rate it is increasing it will likely turn over the 1k
mark around late August this year. Apple has released a new capability called Rapid Security
Responses to respond faster to security vulnerabilities, security improvements, and mitigations.
Microsoft's Patch Tuesday release is one of the smallest we have seen in a while, but does include a
few new Known Exploited vulnerabilities and a Public Disclosure. Fortunately, the Windows OS update
this month will take care of most of that risk in one shot.

In the News
 Apple Announces Rapid Security Response
 Available for iOS, iPadOS, and macOS
 https://support.apple.com/en-gb/HT201224
 https://nakedsecurity.sophos.com/2023/05/01/apple-delivers-first-ever-rapid-
security-response-cyberattack-patch-leaves-some-users-confused/
 Subscribe to Windows Known Issues Email Alerts
 Issues documented in the Windows release health section of the Microsoft 365
admin center
 https://techcommunity.microsoft.com/t5/windows-it-pro-blog/new-feature-sign-
up-for-windows-known-issue-email-alerts/ba-p/3811111
 .Net 4.8.1 Coming Soon!
 https://devblogs.microsoft.com/dotnet/upcoming-availability-of-net-framework-
4-8-1-on-windows-update-and-catalog/

Known Exploited and Publicly Disclosed Vulnerability
 CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability
 CVSS 3.1 Scores: 6.7 / 6.2
 Severity: Important
 All currently supported operating systems
 The security update addresses the vulnerability by updating the Windows Boot Manager, but
is not enabled by default. Additional steps are required at this time to mitigate the
vulnerability. Please refer to the following for steps to determine impact on your
environment: KB5025885: How to manage the Windows Boot Manager revocations for
Secure Boot changes associated with CVE-2023-24932.
 https://krebsonsecurity.com/2023/05/microsoft-patch-tuesday-may-2023-edition/
 https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-
attacks-using-cve-2022-21894-the-blacklotus-campaign/

Ensure you have tested as there is no turning back!

Known Exploited Vulnerability
 CVE-2023-29336 Win32k Elevation of Privilege Vulnerability
 CVSS 3.1 Scores: 7.8 / 6.8
 Server 2008/2008 R2, Server 2012/2012 R2, Windows 10, Windows 10 1607, and Server
2016
 Per Microsoft - “An attacker who successfully exploited this vulnerability could gain SYSTEM
privileges.”

Known Exploited and Publicly Disclosed Vulnerability
 CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability
 This CVE has been updated and re-issued to address Windows 10 and 11
 CVSS 3.1 Scores: 7.4 / 6.4
 Per Microsoft - “In the Executive Summary, corrected information about Windows 10 and
Windows 11 to state that the supporting code for this reg key was incorporated at the time of
release for Windows 10 and Windows 11, so no security update is required; however, the reg
key must be set. This is an informational change only.”

Known Publicly Disclosed Vulnerability
 CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability
 CVSS 3.1 Scores: 8.1 / 7.3
 Severity: Critical
 Per Microsoft - “Exploitation of the vulnerability might involve either a victim opening a
specially crafted email with an affected version of Microsoft Outlook software, or a victim's
Outlook application displaying a preview of a specially crafted email. This could result in the
attacker executing remote code on the victim's machine.”

Server 2012/2012 R2 EOL is Coming
 Lifecycle Fact Sheet
 https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2
Source: Microsoft

Windows 10 and 11 Lifecycle Awareness
Windows 10 Enterprise and Education
Version Release Date End of Support Date
22H2 10/18/2022 5/13/2025
21H2 11/16/2021 6/11/2024
20H2 10/20/2020 5/9/2023
Windows 10 Home and Pro
22H2 10/18/2022 5/14/2024
21H2 11/16/2021 6/13/2023
Windows Server
2019 11/13/2019 1/9/2024
2022 8/18/2021 10/13/2026
Windows 11 Home and Pro
22H2 9/20/2022 10/8/2024
21H2 10/4/2021 10/10/2023
 Lifecycle Fact Sheet
 https://docs.microsoft.com/en-us/lifecycle/faq/windows

Patch Content Announcements
 Announcements Posted on Community Forum Pages
 https://forums.ivanti.com/s/group/CollaborationGroup/00Ba0000009oKICEA2
 Subscribe to receive email for the desired product(s)

MFSA-2023-16: Security Update Firefox 113
 Maximum Severity: Critical (High)
 Affected Products: Security Update Firefox
 Description: This update from Mozilla addresses security vulnerabilities in the Firefox
browser on multiple platforms.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service,
Spoofing, and Information Disclosure
 Fixes 13 Vulnerabilities: See the Mozilla Security Advisory
https://www.mozilla.org/en-US/security/advisories/mfsa2023-16/ for complete details.
 Restart Required: Requires application restart
 Known Issues: None

MFSA-2023-17: Security Update Firefox ESR 102.11
 Maximum Severity: Critical (High)
 Affected Products: Security Update Firefox ESR
 Description: This update from Mozilla addresses security vulnerabilities in the Firefox
ESR browser on multiple platforms.
Spoofing and Information Disclosure
 Fixes 8 Vulnerabilities: See the Mozilla Security Advisory
https://www.mozilla.org/en-US/security/advisories/mfsa2023-17/ for complete details.
 Known Issues: None

MS23-05-W11: Windows 11 Update
 Maximum Severity: Critical
 Affected Products: Microsoft Windows 11 Version 21H2, 22H2, and Edge
Chromium
 Description: This bulletin references KB 5026368 (21H2) and KB 5026372 (22H2).
Elevation of Privilege, and Information Disclosure
 Fixes 20 Vulnerabilities: CVE-2013-3900 (re-issued) and CVE-2023-24932 are
known exploited and publicly disclosed. CVE-2023-29325 is publicly disclosed. See
the Security Update Guide for the complete list of CVEs.
 Restart Required: Requires restart
 Known Issues: See next slide

May Known Issues for Windows 11
 KB 5026368 – Windows 11 version 21H2
 [App Fail] Windows devices with some third-party UI customization apps might not
start up. These third-party apps might cause errors with explorer.exe that might repeat
multiple times in a loop. The known affected third-party UI customization apps are
ExplorerPatcher and StartAllBack. Workaround: Uninstall any third-party UI
customization app before installing this or later updates. Microsoft is investigating and
will provide more info in the future.

May Known Issues for Windows 11 (cont)
 KB 5026372 – Windows 11 version 22H2
 [Provision] Using provisioning packages on Windows 11, version 22H2 (also called
Windows 11 2022 Update) might not work as expected. Windows might only be
partially configured, and the Out Of Box Experience might not finish or might restart
unexpectedly. Workaround: Provision before updating to 22H2. Microsoft is working
on a resolution.
 [SpeechRec] After installing this update, some apps might have intermittent issues
with speech recognition, expressive input, and handwriting when using Chinese or
Japanese languages. Affected apps might sometimes fail to recognize certain words
or might be unable to receive any input from speech recognition or affected input
types. Workaround: The ctfmon process must be restarted every time the system
restarts. See KB for details.

MS23-05-W10: Windows 10 Update
 Affected Products: Microsoft Windows 10 Versions 1607, 1809, 20H2, 21H1, 21H2,
Server 2016, Server 2019, Server 2022, Server 2022 Datacenter: Azure Edition and
Edge Chromium
 Description: This bulletin references 6 KB articles. See KBs for the list of changes.
known exploited and publicly disclosed. CVE-2023-29336 is known exploited. CVE-
2023-29325 is publicly disclosed. See the Security Update Guide for the complete list
of CVEs.
 Known Issues: See next slide

May Known Issues for Windows 10
 KB 5026362 – Windows 10 Enterprise 2019 LTSC, Windows 10 IoT
Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC, Windows
Server 2019
 [Cluster Update] After installing KB 5001342 or later, the Cluster Service might fail
to start because a Cluster Network Driver is not found. Workaround: This issue
occurs because of an update to the PnP class drivers used by this service. After
about 20 minutes, you should be able to restart your device and not encounter this
issue. For more information about the specific errors, cause, and workaround for
this issue, please see KB 5003571.
 [Kiosk Login] After installing updates released January 10, 2023, and later, kiosk
device profiles that have auto log on enabled might not sign in automatically. After
Autopilot completes provisioning, affected devices will stay on the sign-in screen
prompting for credentials. Workaround: Microsoft is working on a resolution.

May Known Issues for Windows 10 (cont)
 KB 5026370 – Windows Server 2022
 [ESXi Fail] After installing this update on guest virtual machines (VMs) running
Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022
might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are
affected by this issue. Affected versions of VMware ESXi are versions vSphere
ESXi 7.0.x and below. Workaround: Please see VMware’s documentation to
mitigate this issue. Microsoft and VMware are investigating this issue and will
provide more information when it is available.

MS23-05-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Windows Server 2012 and IE
 Description: This cumulative security update contains improvements that are part of update
KB 5025287 (released April 11, 2023). Bulletin is based on KB 5026419.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Elevation of
Privilege, and Information Disclosure
 Fixes 16 Vulnerabilities: CVE-2013-3900 (re-issued) and CVE-2023-24932 are known
exploited and publicly disclosed. CVE-2023-29336 is known exploited. CVE-2023-29325 is
publicly disclosed. See the Security Update Guide for the complete list of CVEs.
 Known Issues: None reported

MS23-05-SO8: Security-only Update for Windows Server 2012
 Affected Products: Microsoft Windows Server 2012
 Description: This security update is based on KB 5026411.
known exploited and publicly disclosed. CVE-2023-29336 is known exploited. CVE-
2023-29325 is publicly disclosed. See the Security Update Guide for the complete list
of CVEs.

MS23-05-MR81: Monthly Rollup for Server 2012 R2
 Affected Products: Server 2012 R2 and IE
 Description: This cumulative security update includes improvements that are part of update
KB 5025285 (released April 11, 2023). Bulletin is based on KB 5026415.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Elevation of
Privilege, and Information Disclosure
NOTE: Windows 8.1 reached EOS on January 10, 2023.

MS23-05-SO81: Security-only for Server 2012 R2
 Affected Products: Server 2012 R2
 Description: This security update is based on KB 5026409.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Spoofing
NOTE: Windows 8.1 reached EOS on January 10, 2023.

MS23-05-SPT: Security Updates for SharePoint Server
 Affected Products: Microsoft SharePoint Server Subscription Edition, SharePoint
Enterprise Server 2016, and SharePoint Server 2019
 Description: This update corrects an issue where an attacker in a network-based
attack with proper privileges could use this vulnerability to cause the server to leak its
NTLM hash. This bulletin is based on 3 KB articles.
 Impact: Remote Code Execution, Spoofing, Information Disclosure
 Fixes 3 Vulnerabilities: This update addresses CVE-2023-24950, CVE-2023-
24954, and CVE-2023-24955 which are not publicly disclosed or known exploited.

MS23-05-IE: Security Updates for Internet Explorer
 Maximum Severity: Important
 Affected Products: Internet Explorer 11
 Description: The improvements that are included in this update are also included in
the May 2023 Security Monthly Quality Rollup. Installing either this update or the
Security Monthly Quality Rollup installs the same improvements. This bulletin
references KB 5026366.
 Impact: Security Feature Bypass
 Fixes 1 Vulnerability: CVE-2023-29324 is fixed in this update. Vulnerability is not
publicly disclosed or known exploited.
 Restart Required: Requires browser restart

MS23-05-O365: Security Updates Microsoft 365 Apps, Office 2019
and Office LTSC 2021
 Affected Products: Microsoft 365 Apps, Office 2019 and Office LTSC 2021
 Description: This month’s update resolved various bugs and performance issues in
Office applications. Information on the security updates is available at
https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service
 Fixes 4 Vulnerabilities: Addresses CVE-2023-24953, CVE-2023-29333, CVE-
2023-29335, and CVE-2023-29344. No vulnerabilities are publicly disclosed or known
exploited.

MS23-05-OFF: Security Updates for Microsoft Office
 Affected Products: Excel 2013 & 2016, Office 2019 & Office LTSC 2021 for Mac,
Office Online Server, Word 2103 & 2016
 Description: This security update resolves multiple security issues in Microsoft
Office suite. This bulletin references 5 KB articles and release notes for the Mac
updates.
 Impact: Remote Code Execution, Security Feature Bypass
 Fixes 3 Vulnerabilities: Addresses CVE-2023-24953, CVE-2023-29335, and CVE-
2023-29344. No vulnerabilities are publicly disclosed or known exploited.

Windows Release Summary
 Security Updates (with CVEs): Google Chrome (2), Azul Zulu (2), Corretto (3), Java 8 Update (1),
Java Development Kit 11 (1), Java Development Kit 17 (1), Opera (2), Red Hat OpenJDK (3), VMware
Workstation Player (1), VMware Workstation Pro (1)
 Security Updates (w/o CVEs): Apache Tomcat (3), Audacity (3), Azul Zulu (1), CCleaner (2), Google
Chrome (1), ClickShare App Machine-Wide Installer (1), Docker for Windows (1), Dropbox (2), Eclipse
Adoptium (3), Evernote (1), Firefox (2), FileZilla Client (1), Foxit PDF Editor (1), Foxit PDF Reader Enterprise
(1), GoodSync (2), GIMP (1), GIT for windows (1), LibreOffice (1), Malwarebytes (1), Node.JS (Current)
(2)VirtualBox (2), Plex Media Server (2), PeaZip (1), Skype (3), Slack Machine-Wide (1), Thunderbird (1),
TeamViewer (3), UltraVNC (1), Zoom Client (3), Zoom Outlook Plugin (1), Zoom Rooms Client (1), Zoom VDI
(1)
 Non-Security Updates: 8x8 Work Desktop (1), Bitwarden (1), Camtasia (1), Google Drive File Stream
(1), GeoGebra Classic (2), NextCloud Desktop Client (1), R for Windows (1), Rocket.Chat Desktop Client (1),
TortoiseHG (1), TightVNC (1), Cisco WebEx Teams (1), WinMerge (1)

Windows Third Party CVE Information
 Google Chrome 112.0.5615.138
 CHROME-230419, QGC11205615138
 Fixes 5 Vulnerabilities: CVE-2023-2133, CVE-2023-2134, CVE-2023-2135, CVE-
2023-2136, CVE-2023-2137
 CHROME-230502, QGC1130567264
2023-2462, CVE-2023-2463, CVE-2023-2464, CVE-2023-2465, CVE-2023-2466,
CVE-2023-2467, CVE-2023-2468
 Opera 97.0.4719.83
 OPERA-230418, QOP970471983
 Fixes 1 Vulnerability: CVE-2023-2033

Windows Third Party CVE Information (cont)
 Java Development Kit 17 Update 17.0.7
 JDK17-230418, QJDK1707
 Fixes 7 Vulnerabilities: CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939,
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968
 Java Development Kit 11 Update 11.0.19
 JDK11-230418, QJDK11019
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968
 Java 8 Update 371 – JRE and JDK
 JAVA8-230418, QJDK8U371 and QJRE8U371
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968

 Azul Zulu 17.42.19 (17.0.7) Note: FX version of JDK also now supported
 ZULU11-230424, QZULUJDK174219 and QZULUJRE174219
2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968
 Azul Zulu 11.64.19 (11.0.19) Note: FX version of JDK also now supported
 ZULU11-230424, QZULUJDK116419 and QZULUJRE116419
2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968

 Corretto 17.0.7.7.1
 CRTO17-230419, QCRTOJDK1707
2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968
 Corretto 11.0.19.7.1
2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968
 Corretto 8.372.07.1 – JRE and JDK
 CRTO8-230419, QCRTOJRE8372
2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968

 RedHat OpenJDK 17.0.7.0 – JRE and JDK
 RHTJDK17-230420, QRHTJDK170707
 RHTJDK17-230420, QRHTJRE170707
 Fixes 2 Vulnerabilities: CVE-2023-21835, CVE-2023-21843
 RedHat OpenJDK 11.0.19.7
 RHTJDK11-230420, QRHTJRE110197
 Fixes 2 Vulnerabilities: CVE-2023-21835, CVE-2023-21843
 RedHat OpenJDK 8.0.372
2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968

 Opera 98.0.4759.6
 OPERA-230420, QOP98047596
 VMware Workstation Player 17.0.2
 VMWP17-230426, QVMWP1702
2023-20872
 VMware Workstation 17.0.2 Pro
 VMWW17-230425, QVMWW1702
2023-20872

Apple Release Summary
 Security Updates (with CVEs): Google Chrome (2), Microsoft Edge (3)
 Security Updates (w/o CVEs): Slack (1), Zoom Client (1)
 Non-Security Updates: 1Password (1), Alfred (1), aText (1), Calendar 366 II (1), Dropbox (2),
Evernote (2), Firefox (2), Google Drive (1), LibreOffice (1), Microsoft Edge (3), Skype (2), Spotify (1),
Thunderbird (1), Visual Studio Code (1), Zoom Client (2)

Apple Third Party CVE Information
 CHROMEMAC-230414
2023-2135, CVE-2023-2136, CVE-2023-2137
 CHROMEMAC-230502
2023-2462, CVE-2023-2464, CVE-2023-2465, CVE-2023-2466, CVE-2023-2467,
CVE-2023-2468
 Microsoft Edge 112.0.1722.48
 MEDGEMAC-230415

Apple Third Party CVE Information (cont)
 MEDGEMAC-230419
 MEDGEMAC-230421
2023-2137

Thank You!

Analyse Patch Tuesday - mai

Recommended

Recommended

More Related Content

Similar to Analyse Patch Tuesday - mai

Similar to Analyse Patch Tuesday - mai (20)

More from Ivanti

More from Ivanti (20)

Recently uploaded

Recently uploaded (20)

Analyse Patch Tuesday - mai