Virtual Administrator’s March 2023 Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 76 vulnerabilities with 9 rated “Critical” in severity.

All patches will be approved in our patch policy.

This month brings 76 updates with 9 classified as critical. Two are zero-day vulnerabilities (CVE-2023-23397, CVE-2023-24880). CVE-2023-23397 is an Outlook vulnerability (NTLM relay attack) affecting all versions of Microsoft Outlook. Microsoft-hosted online services (Microsoft 365) are already protected. CVE-2023-24880 allows attackers to “craft a malicious file that would evade Mark of the Web (MOTW) defenses.” Both are being actively exploited.

Last month’s known issue with Windows Server 2022 on VMware ESXi was corrected. See “FIXED Known Issues” below. There are new SSUs for Windows Server 2012/2012R2/2016 and Windows 10 1507/1607.

Heads Up!  KB5020276—Netjoin: Domain join hardening changes

“In the Windows updates released on or after March 14, 2023, we made a few changes to the security hardening. These changes include all the changes we made in October 11, 2022.”

Disclosed: CVE-2023-24880

Exploited: CVE-2023-23397, CVE-2023-24880

Security Update Guide

Morphus Labs patch dashboard here:

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 03/14/2023)

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.

Known Issues

On Windows 11 version 22H2, devices with some third-party UI customization apps may fail to start after the update. SharePoint Server has a copy/paste issue. The VMware ESXi and Exchange Server problems from last month have been fixed.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

“Windows devices with some third-party UI customization apps might not start up.”

Affects: Windows 11 version 22H2

Symptom: After installing this or later updates, Windows devices with some third-party UI customization apps might not start up. These third-party apps might cause errors with explorer.exe that might repeat multiple times in a loop. The known affected third-party UI customization apps are ExplorerPatcher and StartAllBack. These types of apps often use unsupported methods to achieve their customization and as a result can have unintended results on your Windows device.

Workaround: We recommend uninstalling any third-party UI customization app before installing this or later updates to prevent this issue. If your Windows device is already experiencing this issue, you might need to contact customer support for the developer of the app you are using. If you are using StartAllBack, you might be able to prevent this issue by updating to the latest version (v3.5.6 or later).

Status: We are presently investigating and will provide more information when it is available.

“Text web part cannot be copied or pasted”

Affects: SharePoint Server Subscription Edition

Symptom: On a Modern page, the Text web part cannot be copied or pasted from a Microsoft Word or Microsoft OneNote desktop application.

Workaround: To work around this issue, copy or paste from another application, such as Notepad.

FIXED Known Issues

Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947)

Symptom: After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) configured with secure boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

Resolution: This issue is resolved in the latest update released by Microsoft March 14, 2023 – KB5023705

EWS web application pool stops after the February 2023 Security Update is installed

Affects: Exchange Server 2016/2019

Symptoms: After you install the Exchange Server February 2023 Security Update on Microsoft Exchange Server 2019 or 2016, the Exchange Web Services (EWS) web application pool stops responding under certain circumstances. When this occurs, clients that use the EWS protocol experience connectivity issues.

Resolution: Install the March 2023 security update KB5024296. If you’ve already applied the previously recommended workaround, you need to revert those changes per the KB.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are with the KB number only.

Security and Quality Rollup

  • KB5023769 – Windows Server 2008 R2 (ESU)
  • KB5023765 – Windows Server 2012 R2
  • KB5023756 – Windows Server 2012
  • KB5023755 – Windows Server 2008 (ESU)

Security Only Update

  • KB5023759 – Windows Server 2008 R2 (ESU)
  • KB5023764 – Windows Server 2012 R2
  • KB5023752 – Windows Server 2012
  • KB5023754 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5023713 – Original release version 1507 (OS Build 10240)
  • KB5023697 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5023702 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5023696 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5023696 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5023696 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,2004 are no longer under support)

Windows 11

  • KB5023698 – 21H2 (OS Build 22000) Original release
  • KB5023706 – 22H2 (OS Build 22621)

Windows Server

  • KB5023697 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5023702 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5023705 – Server 2022 (OS Build 20348)

March 2023 updates for Microsoft Office

Notable CVEs

CVE-2023-1017/CVE-2023-1018 | TPM2.0 Module Library Elevation of Privilege Vulnerability (Cumulative Update)

“By leveraging malicious TPM commands from a guest VM to a target running Hyper-V, an attacker can cause an out of bounds write in the root partition.”

CVE-2023-21708 | Remote Procedure Call Runtime Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

“To exploit this vulnerability, an unauthenticated attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.”

CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability (Cumulative Update)

“A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled and the server uses buffered I/O. HTTP/3 support for services is a new feature of Windows Server 2022. Currently, enabling HTTP/3 is done via a registry key as discussed in this article: Enabling HTTP/3 support on Windows Server 2022”
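The check below is an added example, not code from Virtual Administrator or Microsoft: it maps the local OS build to the March 2023 KB listed on this page and, on Server 2022, reports whether the HTTP/3 prerequisite for CVE-2023-23392 is present. `Test-March2023Patch` is a hypothetical name, the registry path and `EnableHttp3` value are taken from Microsoft's HTTP/3 article rather than this page, and the Server 2008/2008 R2 (ESU) builds are left out.

```powershell
# Added example: audit one host against the March 2023 KB lists on this page.
# Build-to-KB pairs are copied from the page; the function name is hypothetical.
$MarchKbByBuild = @{
    9200  = @('KB5023756', 'KB5023752')  # Server 2012: rollup / security only
    9600  = @('KB5023765', 'KB5023764')  # Server 2012 R2: rollup / security only
    10240 = @('KB5023713')               # Windows 10 1507
    14393 = @('KB5023697')               # Windows 10 1607 / Server 2016
    17763 = @('KB5023702')               # Windows 10 1809 / Server 2019
    19042 = @('KB5023696')               # Windows 10 20H2
    19044 = @('KB5023696')               # Windows 10 21H2
    19045 = @('KB5023696')               # Windows 10 22H2
    20348 = @('KB5023705')               # Server 2022
    22000 = @('KB5023698')               # Windows 11 21H2
    22621 = @('KB5023706')               # Windows 11 22H2
}

function Test-March2023Patch {
    $build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $expected = $MarchKbByBuild[$build]
    $result   = [ordered]@{
        Build = $build; ExpectedKB = $expected -join ' or '
        InstalledKB = $null; Http3Enabled = $null; Status = $null
    }
    if (-not $expected) {
        $result.Status = 'Build is not in the March 2023 list'
        return [pscustomobject]$result
    }
    # A later cumulative update supersedes the March KB, so a miss here
    # means "check the installed build revision", not "unpatched".
    $hit = Get-HotFix | Where-Object { $expected -contains $_.HotFixID } |
        Select-Object -First 1
    $result.InstalledKB = $hit.HotFixID
    if ($hit) { $result.Status = 'March 2023 KB present' }
    else      { $result.Status = 'March 2023 KB not listed; verify build revision' }

    if ($build -eq 20348) {
        # CVE-2023-23392 prerequisite: HTTP/3 turned on for HTTP.sys.
        # Path and value name come from Microsoft's HTTP/3 article, not this page.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
        $val = Get-ItemProperty -Path $key -Name EnableHttp3 -ErrorAction SilentlyContinue
        $result.Http3Enabled = [bool]($val -and $val.EnableHttp3 -eq 1)
        if ($result.Http3Enabled -and -not $hit) {
            $result.Status = 'HTTP/3 enabled and KB5023705 not listed: patch first'
        }
    }
    [pscustomobject]$result
}

Test-March2023Patch | Format-List
```

The function needs PowerShell 3.0 or later and reads only local state, so it can be pushed through whatever remote-execution tooling already manages the fleet.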

CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability (Office KB)

“External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”

CVE-2023-23404 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

“An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.”

CVE-2023-23411 | Windows Hyper-V Denial of Service Vulnerability (Cumulative Update)

“Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host.”

CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

“An attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine. To trigger the vulnerable code path, an application on the target must be bound to a raw socket.”

CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

“For successful exploitation, a malicious certificate needs to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or an attacker could convince an authenticated user to import a certificate on their system.”

CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability (Cumulative Update)

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”