• Patch testing isn’t easy


    #2573994

    PATCH WATCH By Susan Bradley No matter who the vendor is, bugs occur. By the time you read this, Apple will have already re-released its rapid securit
    [See the full post at: Patch testing isn’t easy]

    Susan Bradley Patch Lady/Prudent patcher

    • #2574016

      Once, update and upgrade testing was commonly done by skilled technicians.

      Once, common users were valued; nowadays they are just ignored 😥

      * _ ... _ *
    • #2574036

      Office zero day

      As noted in CVE-2023-36884, there is no patch for this seen-in-the-wild security issue with vulnerable Word documents

      Microsoft 365 Semi-Annual Channel version 2302 (and all later versions) are protected from this vulnerability.

      In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.

      Covers all current versions of Microsoft 365 in all channels (except “Extended” still using versions 2202/2208).

      • #2574061

        That’s just the Office component part of it and does cover all threat vectors (i.e. Windows HTML)

        Susan Bradley Patch Lady/Prudent patcher

    • #2574013

      Right after I installed the July updates to my 10 year-old HP desktop my Bluetooth Logitech trackball no longer worked. In looking at Device Manager, Bluetooth was no longer there. When I selected “Show hidden devices” it then showed. It is a Ralink Bluetooth PCIe Adapter (RT3298). The message that displays is:

      “Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)

      Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.”

      I assume this is the “Spoofing Drivers” issue mentioned in this week’s newsletter, where Microsoft is disabling what it thinks are “untrusted” drivers. There is no way I can find a proper driver for this old device. The last update was made by the upgrade to Windows 10 that I did in June 2016, so I have been using that driver ever since then without any issues. The computer has been running fine ever since I got it. Fortunately the trackball has a WiFi option, which I am now using. But I decided it was time to put the old desktop out to pasture, and a new one will be arriving shortly. Hopefully that will not contain any “untrusted” drivers.

      The newsletter is great.

      Thanks,

      JohnD

      Moderator Note: Edit to remove HTML. When you cut/paste, please use the “Text” tab or “Paste as Text”

      • #2574055

        You can use unsigned drivers… it takes a few extra steps, but it can be done. I’ve done this in the past when I had to edit .inf files to get Windows to work with my devices (editing them breaks the signature). Of course, this is not something you would want to do all the time, but in circumstances like yours, when you have no other choice but to stop using something, and where you know the driver is good, it can help.

        If you start Windows in the recovery mode (shut it down holding shift, then reboot), one of the options is to disable signature verification. You can select that, let it boot, install the driver in that session, then reboot again normally to turn verification back on. The driver that was installed should remain (but if it gets removed, you will have to do this again to reinstall it).

        You can also sign the driver yourself, I would imagine. In Linux, this is a pretty common thing.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

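Before going down the disable-signature-enforcement route described above, it helps to know exactly which device is stuck and who signed the driver Windows is refusing. The following is an added example, not code from the thread: it lists every device sitting at the Code 39 problem code from JohnD's post, the INF and signer Windows recorded for its current driver package, and the Authenticode status of the service binary behind it. Assumptions: run from an elevated PowerShell on Windows 10/11; the ImagePath resolution only handles the common relative forms a kernel driver service uses.

```powershell
# Added example (not from the thread): inventory devices failing with a given
# Plug and Play problem code and report the signature state of their driver.
# Code 39 = "Windows cannot load the device driver for this hardware".
function Get-FailedDeviceDriverInfo {
    param([int]$ProblemCode = 39)

    # Win32_PnPSignedDriver is slow to enumerate, so fetch it once and index by DeviceID
    # instead of issuing a WQL query per device (DeviceIDs need backslash escaping in WQL).
    $driversById = @{}
    foreach ($d in Get-CimInstance Win32_PnPSignedDriver) {
        if ($d.DeviceID) { $driversById[$d.DeviceID] = $d }
    }

    Get-CimInstance Win32_PnPEntity -Filter "ConfigManagerErrorCode = $ProblemCode" |
        ForEach-Object {
            $dev = $_
            $drv = $driversById[$dev.DeviceID]
            $sysPath = $null
            $sig = $null

            # The device's Service name maps to HKLM\SYSTEM\...\Services\<svc>\ImagePath,
            # which is normally a relative path such as \SystemRoot\System32\drivers\x.sys
            # or System32\drivers\x.sys. Resolve it and check the file's signature.
            if ($dev.Service) {
                $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($dev.Service)"
                $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
                if ($img) {
                    $sysPath = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
                    if (-not [IO.Path]::IsPathRooted($sysPath)) {
                        $sysPath = Join-Path $env:SystemRoot $sysPath
                    }
                    if (Test-Path -LiteralPath $sysPath) {
                        # Checks embedded Authenticode and, on PowerShell 5.1+, catalog signatures.
                        $sig = Get-AuthenticodeSignature -FilePath $sysPath
                    }
                }
            }

            [pscustomobject]@{
                Device      = $dev.Name
                DeviceID    = $dev.DeviceID
                ProblemCode = $dev.ConfigManagerErrorCode
                Inf         = $drv.InfName
                Signer      = $drv.Signer
                DriverDate  = $drv.DriverDate
                DriverFile  = $sysPath
                SigStatus   = $(if ($sig) { $sig.Status } else { $null })
                SigType     = $(if ($sig) { $sig.SignatureType } else { $null })
                SigMessage  = $(if ($sig) { $sig.StatusMessage } else { $null })
                CertExpiry  = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null })
            }
        }
}

# Usage: show everything at Code 39; pass -ProblemCode 52 for the generic
# "cannot verify the digital signature" code.
Get-FailedDeviceDriverInfo | Format-List
```

The SigStatus/SigMessage pair is what tells you whether the package is unsigned, tampered (hash mismatch) or signed by a certificate Windows no longer trusts, and the Signer and DriverDate columns are what you compare against a newer package from the vendor before deciding to override anything. Re-signing a driver yourself, as suggested above, means putting Windows into test-signing mode (`bcdedit /set testsigning on`), which the boot loader refuses while Secure Boot is enabled, so the Startup Settings route in the post is usually the only one available on a modern machine.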
    • #2574045

      Hi Susan:

      Just need some clarification about the Office zero-day CVE-2023-36884.

      In the section titled “Patching recommendations for consumer and home users” of your full newsletter article you stated that “This month brings a surprise in the Office patching department: there is no fix out for a key Office-based zero day. As noted in CVE-2023-36884, these are targeted attacks using specially crafted Office documents.”

      However, the FAQ section for CVE-2023-36884 states …

      If I’m running Office365 Semi-Annual Channel Extended, am I affected by this vulnerability?

      Office365 Semi-Annual Channel Extended (specifically versions 2208 and 2202) are affected. Microsoft 365 Apps Semi-Annual Channel Extended (specifically versions 2208 and 2202) are affected. However, Microsoft 365 Semi-Annual Channel version 2302 (and all later versions) are protected from this vulnerability. Please see Update history for Microsoft 365 Apps (listed by date) for information about those channels and their versions.

      … and the 11-Jul-2023 Microsoft Threat Intelligence blog entry Storm-0978 Attacks Reveal Financial and Espionage Motives also states in part that “In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.”

      Does that mean that home consumers using MS Office Click-to-Run products like Microsoft 365 C2R and MS Office 2016/2019/2021 C2R who are on Version 2302 and higher like the latest Current Channel release Version 2306 / Build 16529.20182 (rel. 11-Jul-2023) are patched for this vulnerability?

      I checked the Release Notes for Microsoft Office Security Updates and I don’t see CVE-2023-36884 listed as one of the patched vulnerabilities, which makes this even more confusing.

      EDIT:

      Thanks to b for their post #2574036. That provides some clarity.
      —————-
      Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3208 * Firefox v115.0.2 * Microsoft Defender v4.18.23050.5-1.1.23060.1005 * Malwarebytes Premium v4.5.33.272-1.0.2069 * Macrium Reflect Free v8.0.7279 * Microsoft Office 2019 Home and Business 2019 Version 2306 / Build 16529.20182 C2R

      • #2574127

        I see what is going on.

        https://twitter.com/serghei/status/1679246339698315265

        The day after Microsoft adds a note that it doesn’t impact all Office users, just some versions using the Office vector, after Will Dorman points out that he can’t figure out how the vulnerability works.
        Remind me to recheck each CVE before I put the newsletter to bed.  That said I still think putting in the mitigation is wise.

        Susan Bradley Patch Lady/Prudent patcher

    • #2574062

      I was offered KB5007651 for my w11 22h1 laptop on 7/5/23, but your instructions are not clear to me: should I install it? I am not sure if I got the warning “local protection is off”. (I got that yesterday on my w10 22h2 laptop!)

      22h2 has also been offered, I will install it this week.

      • #2574128

        Once I give the all clear, yes.

        Susan Bradley Patch Lady/Prudent patcher

        • #2574137

          You said “once I give the all clear, yes”.

          I see my message was not clear: what do I do with 5007651?

          Regarding w11 22h2 I will install it on my w11 21h2 this week.

          I also have a w10 22h2. I will wait for your all clear before upgrading to w11. Right?

          • #2574153

            Susan has not given the all clear for the July updates yet. If you update Win11 21H2 to 22H2 at this time, it will apply the July (latest) updates with the upgrade. You should wait till she gives the all clear for July updates to make the upgrade.

            The same goes for Win10. Any upgrade at this point will apply the latest (July) updates. Also, Win10 22H2 does not reach EOL until Oct, 2025, so there is no rush unless you just WANT Win11.

            Wait until the DEFCON number changes (3 or 4) to do your July updates.

    • #2574141

      I also have a w10 22h2. I will wait for your all clear before upgrading to w11. Right?

      Why ?

      Windows 10 22H2 is supported with security updates until October 2025.

    • #2574191

      From the Office zero day:

      If you currently have Microsoft Defender for Office, it is currently searching for and blocking attachments that attempt to exploit this vulnerability. Reach out to your email protection vendors to see whether they are also looking for these attachment threats. Alternatively, you can use attack surface reduction (ASR) rules and enable the Block all Office applications from creating child processes rule.

      I’ve been reading through the ASR stuff and I can’t tell if my Outlook Add-in will be affected.

      Do you know if they are?

      History:  I have a document management product and one piece is an add-in for Outlook, Word and Excel.  The add-in calls an executable that DDE’s the information to the doc mgmt program running in the background.

      Cheers!!
      Willie McClure
      “We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek
      • #2574200

        You have to test, or reach out to your add in vendor.  I haven’t experienced issues here but my add ins may be different than yours.

        Susan Bradley Patch Lady/Prudent patcher

        • #2574229

          Hi Susan,

          It’s my add-in that I created for our document mgmt package.  Was wondering if I would get a phone call saying the add-in stopped working.  Just planning my time.

          FYI, the add-in currently works on Win 10 and Win 11 up through the June updates. For Office I have 32-bit and 64-bit (multiple flavors), but I don’t know what each client is using (monthly or semi-annual).

          Cheers!!
          Willie McClure
          “We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek
          • #2574234

            This is where the only way you will know is to have good feedback people work with you and test it.

            Susan Bradley Patch Lady/Prudent patcher

      • #2574206

        From the Office zero day: … Alternatively, you can use attack surface reduction (ASR) rules and enable the Block all Office applications from creating child processes rule.

        Hi EspressoWillie:

        Further to that excerpt from the Mitigations section of CVE-2023-36884, what is your Windows OS and the product name and current version of your MS Office software, and do you use Microsoft Defender as your antivirus?

        I have a Win 10 Pro v22H2 OS, and last year I added the “Block Office applications from creating child processes” setting in my Local Group Policy Editor (gpedit.msc) at Computer Configuration | Administrative Templates | Windows Components | Microsoft Defender Antivirus | Microsoft Defender Exploit Guard | Attack Surface Reduction | Configure Attack Surface Reduction Rules (value name = D4F940AB-401B-4EFC-AADC-AD5F3C50688A; value = 1) to ensure that my Office 2019 apps like Outlook, Word, and Excel can’t be used to launch ransomware attacks.

        Susan Bradley posted instructions for adding this rule to Win 10 Pro in her “On Security” column in Issue 18.39 of the AskWoody Plus Newsletter (published 11-Oct-2021) that is available to AskWoody Plus members in the newsletter archive at https://www.askwoody.com/newsletter/the-first-google-search-result-often-leads-to-a-virus/#on-security. There are alternate instructions in that column for Win 10 Home users who do not have a local Group Policy Editor on how to use Andy Ful’s ConfigureDefender tool to create the necessary setting in their registry. I don’t have a Win 11 OS but I assume the same instructions will also work with Win 11.

        [Screenshot: Win 10 Pro v21H2 Group Policy Editor, Attack Surface Reduction Rules, 03-Jun-2022]

        Susan also posted about this ASR “Block Office applications from creating child processes” setting in her 25-Nov-2020 CSO article How to Use Windows Defender Attack Surface Reduction Rules.
        ————
        Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3208 * Firefox v115.0.2 * Microsoft Defender v4.18.23050.5-1.1.23060.1005 * Malwarebytes Premium v4.5.33.272-1.0.2069 * Macrium Reflect Free v8.0.7279 * Microsoft Office 2019 Home and Business 2019 Version 2306 / Build 16529.20182 C2R
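The question a few posts up (will an Outlook add-in that launches an executable keep working?) is exactly what this rule governs: the add-in spawning a process from Outlook, Word or Excel is a child process of an Office application, so the only safe answer is the one Susan gave, test it. The following is an added example, not code from the thread, from Microsoft, or from the ConfigureDefender tool, showing how to do that test from PowerShell instead of the Group Policy editor: read the rule's current state, put it into audit mode, collect the audit events the add-in produces, and only then switch it to block. Assumptions: an elevated PowerShell on Windows 10/11 with Microsoft Defender Antivirus active; the rule GUID is Microsoft's published ID for this rule (the same one the post above sets under policy); event IDs 1121 (blocked) and 1122 (audited) are the ASR events Defender writes to its Operational log.

```powershell
# Added example (not from the thread): manage and audit one ASR rule with the
# Defender cmdlets. Microsoft's rule ID for
# "Block all Office applications from creating child processes":
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    # Get-MpPreference returns two parallel arrays: rule IDs and their action codes.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            # Action codes as reported: 0 = off, 1 = block, 2 = audit, 6 = warn.
            switch ([int]$actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        # Cmdlet enum names: Enabled = block, AuditMode = log only.
        [Parameter(Mandatory)][ValidateSet('Disabled', 'AuditMode', 'Enabled', 'Warn')][string]$Action
    )
    # Add-MpPreference merges this one rule into the existing list. Set-MpPreference
    # with the same parameters replaces the whole list and silently drops other rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleEvents {
    param([Parameter(Mandatory)][string]$RuleId, [int]$Days = 7)
    # 1121 = the rule blocked an operation; 1122 = audit mode, it would have blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = $(if ($_.Id -eq 1122) { 'Audit' } else { 'Block' })
                Message = $_.Message   # names the Office process and the child it spawned
            }
        }
}

# Test flow for an add-in like the one asked about above.
"Current state: $(Get-AsrRuleState -RuleId $OfficeChildProcessRule)"
Set-AsrRuleState -RuleId $OfficeChildProcessRule -Action AuditMode
# ... use Outlook/Word/Excel with the add-in for a few days, then:
Get-AsrRuleEvents -RuleId $OfficeChildProcessRule | Format-Table -AutoSize
# If nothing legitimate shows up, or after excluding what does, enforce it:
# Set-AsrRuleState -RuleId $OfficeChildProcessRule -Action Enabled
```

Two caveats. A value set through Group Policy, as in the post above, takes precedence over anything Add-MpPreference writes, so on a domain-joined or locally policy-configured machine change the policy rather than the preference. And if the audit log shows the add-in's executable being caught, the narrower fix is to exclude that one file with `Add-MpPreference -AttackSurfaceReductionOnlyExclusions <path>` rather than leaving the rule off for every Office process.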

    • #2574194

      Businesses should, at a minimum, review and implement the Microsoft Security Baselines. The baselines are published for all of the currently supported Server and Windows versions, Edge, and Office 365 / Microsoft 365.  They can be implemented through Group Policy, or applied to non-domain devices using their included PowerShell scripts.

      Are they simple and straightforward?  Are you kidding?  This is Microsoft we’re talking about.  But they are excellent starting points to taming some of the Microsoft products, and their carry-forward support of long forgotten yet seemingly never-ending exploitable “features”.

      Once you’ve mastered the Microsoft baselines, the next step up for most businesses would be the CIS Benchmarks.  The Benchmarks cover not only Microsoft, but dozens of other vendors and their products.  The Benchmarks are also great as they offer a template for each change recommendation, the rationale behind it, and common impacts the change may have.

    • #2574398

      I don’t have a Win 11 OS but I assume the same instructions will also work with Win 11.

      Susan: do same instructions apply to Win 11 Pro?

      Does this answer my question about KB5007651? Nobody has given an answer which I understand. Install in W11 or not?

    • #2574482

      Well take a look at this. It appears that KB5028166 has done a number of nasty things.

      https://www.neowin.net/news/kb5028166-is-causing-system-issues-break-secure-channel-forces-synology-to-release-a-patch/

      JohnD
