The thunderstorms of April patches have passed, and it has been pretty calm leading up to May 2024 Patch Tuesday. April 2024 Patch Tuesday turned out to be a busy one with 150 new CVEs addressed by Microsoft.
There were 91 CVEs fixed in Windows 10, 69 in Windows 11, and 38 in Microsoft SQL Server. There were also security updates for Office and .NET, but only three CVEs were rated Critical and one CVE-2024-26234, a zero-day release. There was also an Exchange Server hotfix later in the month to address some issues from March. Before getting into the forecast for what appears to be a smaller set of releases for May 2024 Patch Tuesday, let’s take a look at the threats we faced in the last year.
Data Breach Investigations Report (DBIR) 2024
The Verizon Business Data Breach Investigations Report (DBIR) 2024 was released last week. The analysis covers security incidents from November 1st, 2022, through October 31st, 2023, so data from the MOVEit vulnerabilities and exploitations contributed to this year’s findings.
Looking at the results from a patch perspective, it’s very interesting to hear that “our ways-in analysis witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach compared to previous years. It almost tripled (180% increase) from last year, which will be no surprise to anyone following the effect of MOVEit and similar zero-day vulnerabilities.”
Also reported when using the CISA Known Exploited Vulnerabilities catalog, “we found that it takes around 55 days to remediate 50% of those critical vulnerabilities once their patches are available” while “enterprise patch management cycles usually stabilize around 30 to 60 days as the viable target, with maybe a 15-day target for critical vulnerability patching. Sadly, this does not keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities.”
These results may be surprising to some depending on the speed and effectiveness of your patch management process, but they do provide some baselines for comparison. There’s a wealth of information in the report, as always.
Windows Recovery Environment (WinRE)
The patch forums have been full of discussions on the Windows Recovery Environment (WinRE) issue, which a Bitlocker vulnerability fix introduced in the January 2024 Patch Tuesday update. When running the update, the system will display an error code 0x80070643 with a failed install, but the system needs to have the recovery partition size increased before starting the update.
Microsoft provided instructions to manually enlarge the partition when the problem was first introduced and later announced a script to extend the available recovery partition; however, they will not provide any automation or additional tools to address the issue. This problem can occur on Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2; and Windows Server 2022. Unfortunately, the only resolution will be to use manual update options if you run into the issue.
Microsoft Office and Exchange
Microsoft Office LTSC 2024 is now available for commercial preview. Last month’s blog described this new release in detail, but as a quick summary, Microsoft is re-introducing a standalone or on-premises version of Office which is not continuously connected to the cloud. This will come as relief to customers who have been struggling to manage Office 365 in situations with limited or no internet access.
There was an April 2024 Hotfix Update for Exchange Server 2016 CU23 and Exchange Server CU13 and CU14. This hotfix introduces Hybrid Modern Authentication (HMA) for OWA/ECP per the announcement, but also addresses several issues reported with the recent March 2024 SU release. If you are having issues with download domains, documents not opening or search problems following the March update or you are interested in HMA, check out this hotfix.
May 2024 Patch Tuesday forecast
- The May set of updates should be significantly smaller following the massive April release. Expect the usual Windows and Server updates, along with Office and Sharepoint Server.
- All the main Adobe products except Acrobat and Reader received a security update last month. On May 2, Adobe added six additional CVEs to the list from the February release. I don’t know if this implies they were missed or if they are going to reissue the software. Stay tuned.
- Apple is due for updates to all supported operating systems since the last major release was on March 25th. No fixed schedule on the Apple releases, so pay close attention to their security release page.
- The Google Chrome Stable Channel Update for Desktop was updated today to 124.0.6367.201/.202 for Mac and Windows and 124.0.6367.201 for Linux. This may be an early release to get ahead of Patch Tuesday.
- Firefox 125, Firefox ESR 115.10 and Thunderbird 115.10 were all released back in mid-April so are due out next week.
We may have a lighter Patch Tuesday for May 2024, so take some time and read through the Data Breach Investigations Report. Consider the reported threats and incidents and assess your own situation; it may provide insight and justification you and your management needs to improve your patch management program.