The October forecast for large numbers of CVEs addressed in Windows 10 and 11 and the recent record on the number fixed in Windows Server 2012 was spot on! Microsoft addressed 75 CVEs in Windows 11, 80 in Windows 10, and 61 in Server 2012 R2. While Server 2012 and Server 2012 R2 may be in good shape for the short term, please don’t count on it for long, and don’t forget they are moving into Extended Security Updates this month. This was a fine way to end 20 years of Patch Tuesdays!
A new decade of Patch Tuesday
Next week, we enter the third decade of Patch Tuesday releases from Microsoft. Patch Tuesday has had a significant impact on the software industry. Software updates across the board had been haphazard and happenstance until that second Tuesday in October 2003. Microsoft decided to provide some predictability to their software releases with the announcement of regularly scheduled updates, and it soon spawned the start of a patch management process.
IT administrators could finally plan for the software updates, notify their organization that they were coming, and then deploy them in an orderly fashion. Patch uptake improved, and it wasn’t long before other vendors took the same approach, often releasing in conjunction with Microsoft, or at least on their own pre-announced, regular schedule. In addition to Microsoft improving its patch management tools, an entire industry grew up to provide a wide assortment of tools for IT to use. I don’t need to forecast another decade of continued growth and improvement; it is a safe bet.
Microsoft’s security expertise
One such improvement is Microsoft Security Copilot, which has been introduced for limited, early access. Per the announcement, this is “an AI assistant for security teams that builds on the latest in large language models and harnesses Microsoft’s security expertise and global threat intelligence to help security teams outpace their adversaries.” It can take natural language queries, consult Microsoft threat intelligence, deep security knowledge libraries, and other Microsoft sources, and provide analysis and recommendations for action. It can provide output in the form of text, code, diagrams, etc., which can be specific to Microsoft products. It can greatly expand a security team’s knowledge and capabilities.
This product is an important part of Microsoft’s Secure Future Initiative to use AI in a number of ways, including cyber defense and advancing software engineering, while ensuring that AI is being used responsibly worldwide.
Windows 11 23H2
Microsoft officially released Windows 11 23H2 on October 31st. It is available via an ISO image for a new install and as an enablement package from Windows 11 22H2, something we haven’t seen for any recent feature updates. It includes all the ‘Moment 4’ feature updates released last month for Windows 11 22H2. As I mentioned last month, a big security feature in this release is the Windows Passkey Manager, which uses biometric data or security keys to log into websites without a password, thus helping combat phishing attacks.
Atlassian
There are a few important CVEs to be aware of this month. Atlassian has been in the news again with exploits targeting their Confluence Data Center and Server products. In early October, they reported CVE-2023-22515 under attack, and now CVE-2023-22518 is in the same situation. These are both rated CVSS 10.0, so immediate updates are recommended. And regarding CVSS, FIRST announced the official release of CVSS Version 4.0 on October 31st as planned. Expect to see references to the new CVSS 4.0 scores from Microsoft and others soon.
November 2023 Patch Tuesday forecast
- Expect a smaller number of CVEs addressed next week in the Microsoft operating systems after the big push last month. There may be a bigger focus on the Office applications and perhaps a .NET framework update.
- Adobe has been consistent with major updates at the end of each quarter, so I anticipate the next one in December. If an important zero-day surfaces, they may release something next week, so always watch for a pre-announcement in the next day or so.
- Apple released security updates for Sonoma, Ventura, and iOS this week, so ensure you factor them into your patch deployment for next week if you haven’t already. Be on the lookout for a Monterey update, just in case some of the CVEs apply to that OS.
- The ChromeOS LTS channel was updated to 114.0.5735.339 this week, addressing five High-rated CVEs. Take those into account next week if you haven’t deployed them. There were beta updates this week for Chrome Desktop and standard ChromeOS, so expect those to release next week.
- Mozilla released their last round of updates for Firefox, Firefox ESR and Thunderbird on October 24, so we may see some minor updates next week.
The importance of Patch Tuesday has grown over the years. Threats have increased dramatically since those early days, to the point that the Tuesday-released patches need to be distributed quickly to protect against zero-days and the large volume of reported vulnerabilities. Continue to fight the good fight next week as year 21 of Patch Tuesdays begins.