September has been a packed month of continuous updates. Apple and Microsoft released new operating systems, and several vulnerabilities exploited in web services resulted in a domino effect of zero-day releases for many vendors. If you haven’t rolled them out yet, they can be considered part of the forecast for next week.
Zero-day vulnerabilities
This past month included multiple zero-day announcements. Apple led the pack with five zero-day vulnerabilities across most of its product line; there were many releases throughout the month for CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993. They also released Sonoma, macOS 14, on September 26th, resulting in EOL for Big Sur soon.
Google was not far behind on zero-day announcements with four, wait three, zero-day releases. I say this because CVE-2023- 4863 and CVE-2023-5127 were found to be the same vulnerability, and CVE-2023-5127 has since been deprecated. CVE-2023-4863 is described in the National Vulnerability Database as a “Heap buffer overflow in libwebp in Google Chrome before 116.0.5845.187, and libwebp 1.3.2 which allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.” It has a Chromium Critical rating with a CVSS 3.1 score of 8.6 (high). CVE-2023-5217 is also a heap buffer overflow weakness in the VP8 encoding component, which can cause a crash and remote code execution.
These vulnerabilities also resulted in Microsoft updates for Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and Webp Image Extensions. They also impacted most major browsers, including Safari, Firefox, and Opera.
Microsoft
Microsoft has been very active this month, making some significant announcements. The Windows 11 22H2 ‘Moment 4’ update is available to those users who chose the get latest updates option in their Windows Update settings. A significant security feature in this release is the Windows Passkey Manager, which uses biometric data or security keys to log into websites without a password, thus helping combat phishing attacks.
The November Patch Tuesday cumulative update will include the Moment 4 features and updates. Windows 11 23H2, the next major OS update, is being rolled out to the Release Preview Channel for Insiders. The public release will take place sometime soon, in Q4. The new version is built on the Windows 11 22H2 code base so that Microsoft will release an enablement package for a streamlined update.
We haven’t seen this enablement process in action for quite a while, and we should encourage users to jump when it is available. And last, Microsoft announced the exchange web services (EWS) in Exchange Online will officially start blocking EWS requests from non-Microsoft apps on October 1, 2026. They recommended shifting to the Graph API in 2018 and are taking the next step towards EWS retirement. The comments from the community in this article are pretty clear that the Graph API does not support the features available in EWS and is a sub-par replacement.
This patch Tuesday will include the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. The latter goes into Extended Security Support (ESU), starting with a November release. Microsoft also announced that the keys to enable these updates will be managed as part of Azure Arc. They should be released next week.
October 2023 Patch Tuesday forecast
- There will probably be many CVE updates next week as Microsoft rolls all the September activity into the OS and Edge cumulative releases. There may also be a big push to close out the Server 2012 support on a positive note, leaving it as secure as possible. We’ve not heard about any hot Office vulnerabilities for a while, but expect the usual updates. With the .NET framework released last month, I don’t expect another next week.
- Acrobat and Reader received another update last month, but you never know if Adobe has another update around the corner. I don’t expect one, but watch for a pre-announcement and plan accordingly.
- Apple was very active in September, with over 20 releases. With all the zero-day vulnerabilities, ensure you are up to the latest versions of iOS and macOS. Be on the lookout for a Sonoma update soon; not only do new OS releases come with their share of bugs, but the reported zero-days may force an update if they have not been accounted for in the initial release.
- Chrome has kept us on the patch treadmill, so expect that to continue next week with another set of updates for Linux, macOS, and Windows.
- Mozilla released its last round of updates for Firefox, ESR, and Thunderbird on September 28, so expect another round of updates next week.
Take a close look at all the updates that will be released next week before you queue up your updates for deployment. You’ll want to verify that all the zero-day updates from the past month are covered in either a new cumulative update or, if the vendor doesn’t have a new update, that you’ve deployed the critical patch earlier in the month.
The CVSS Version 4.0 has an assigned target publication release of October 31st from FIRST. This will happen before next Patch Tuesday, so look for new CVSS scores on your favorite patches! Also, the NIST Cybersecurity Framework 2.0 public draft is available for review and comments until November 4th.
