May 2023 Patch Tuesday forecast: Dealing with End-of-Support (EOS)

The April Patch Tuesday releases were unusual because we saw a whopping 62 vulnerabilities addressed in the Microsoft Server 2012 KBs. Granted there was a lot of overlap with the CVEs addressed in Windows 10 and 11, but compared to the typical 30-40 CVEs addressed in the months prior, this number was unusually aggressive.

Is this a coincidence or is there a push to prepare Server 2012 for its upcoming EOS in October? There are several Microsoft operating systems in the same situation, and there are often challenges on what to do as that fateful day approaches.

End-of-Support (EOS)

Many industries are reliant on highly specialized applications, which were often written for a particular operating system. When that operating system, like Microsoft Server 2012, is coming to EOS, you may have limited choices. If there is no upgrade path due to an OS dependency or perhaps lack of funding to upgrade, you are forced to look at mitigating options. It all comes down to control and containment of these systems you know will be more vulnerable as time passes.

Each situation is unique, but options to consider include minimized user privileges, virtualized workloads, reduced exposure to neighboring systems, removal from direct Internet access, application whitelisting, or even containerization. Regardless of the approach taken, it is important to plan in advance, so you are not caught short on time and options as the end nears.

With that in mind, Microsoft Windows 10 20H2 for Education and Enterprise reaches end-of-support (EOS) this month, and Windows 10 21H2 Home and Professional will reach EOS in June, so plan accordingly. Microsoft reiterated in a blog that Windows 10 22H2 is the final feature version of Windows 10 and that all editions will receive security updates through October 14, 2025. Additional support information for all versions of Windows 10 is consolidated here.

Microsoft Defender Antivirus

In other Microsoft news, a fix for KB5007651 “Update for Microsoft Defender Antivirus antimalware platform – (Version 1.0.2302.21002)” is now available. After the original KB was installed, Windows 11 users were seeing the message “Local Security Authority protection is off. Your device may be vulnerable.” The error would persist even after a reboot and confirmation that Local Security Authority was still enabled. Based on the issue resolution update, the reissued KB fixes the issue.

Apple Rapid Security Response

Apple recently announced they will be offering Rapid Security Responses for the latest operating system versions on iPhone, iPad, and macOS. Each update will be designated with (a), (b), etc., following the applicable OS version number. These updates will be released as needed to address hot security issues and all will be rolled up into the next major release for each operating system or application.

Google Chrome

Google has been very busy with software updates this past month. Immediately following April Patch Tuesday, they released an emergency hot fix for Google Chrome 112. This was to address a zero-day known exploit of CVE-2023-2033 associated with the Chrome V8 JavaScript engine. They’ve since followed up with Extended Stable channel update 112.0.5615.179 for Windows and Mac, as well as a Stable Channel Update for Desktop 113 for Windows, Mac and Linux. This later release addressed 15 vulnerabilities, of which 10 were attributed to external researchers.

May 2023 Patch Tuesday forecast

• Microsoft will provide the usual operating system and Office application updates next week. Keep a lookout for a .NET framework update, as well as the usual .NET core development releases. We’ll have to see if the trend for large numbers of CVE addressed continues; I suspect it will since it has been a quiet month from Microsoft with regards to out-of-band releases.
• Adobe Acrobat and Reader received a major quarterly update last month addressing 16 CVEs are part of APSB23-24. We may see a minor update if there are any hot vulnerabilities they need to address.
• I was wrong in my forecast last month, because Apple released a series of minor updates – Ventura 13.3.1, Safari 16.4.1, Monterey 12.6.5, and Big Sur 11.7.6, on the Friday and Monday right before Patch Tuesday. I hope you rolled them into your normal patch cycle last month and be on the lookout for the Rapid Security Response releases they just introduced.
• Google released several beta updates this week, so there could be a formal release for them next week.
• Mozilla released their updates on Patch Tuesday in April again, so expect updates for Firefox, Firefox ESR, and Thunderbird next week.

This could be a very busy Patch Tuesday with a lot of potential third-party updates in addition to the usual Microsoft releases. The supported versions of Windows 10 are slowly dwindling, and Server 2012 EOS is right around the corner – plan now on how you will deal these events.

Read all the details: May 2023 Patch Tuesday.