UPDATE: June 13, 11:35 AM PT – June 2023 Patch Tuesday was released.
The odd month-to-month pattern of CVEs addressed by Microsoft continued with the May Patch Tuesday. After seeing high numbers for April, we saw 20 and 23 CVEs fixed for Windows 11 and 10, respectively, in May. And after 62 CVEs were fixed for Server 2012 in April, there were only 16 in May. What will we see this month? Time will tell, but before we talk about the forecast for Microsoft, let’s take a quick look at some Apple activity.
Spotlight on Apple
Apple was in the spotlight this past month with both positive and not so positive headlines. On the positive side, Apple hosted its annual Worldwide Developers Conference this week with announcements around the new Vision Pro ‘spatial computer’ powered by the new visionOS, iOS 17 updates, the upcoming Sonoma OS release, new M2 hardware, and much more.
On the negative side, in mid-May Apple released zero-day updates to address three critical vulnerabilities. These three vulnerabilities were found in the WebKit browser engine and are CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Fixes for these vulnerabilities were provided in Big Sur 11.7.7, Monterey 12.6.6, Ventura 13.4, iOS 16.5, and iPadOS 16.5. Two of these vulnerabilities were addressed as part of the Rapid Security Responses program Apple introduced last month. They are known to be exploited, so ensure you include these updates in your monthly process if you have Apple equipment.
Apple is not alone in the zero-day release category – Google also released update 114.0.5735.110 for Windows and 114.0.5735.106 for macOS and Linux to address CVE-2023-3079. This CVE, ‘Type Confusion in V8’, is known to exist in the wild per Google.
The Verizon Data Breach Investigations Report (DBIR 2023) was released June 6, and, in full disclosure, Ivanti was a contributing partner to the report. As expected, most attacks are from an external source (83%) and 74% involve a human element due to “error, privilege misuse, use of stolen credentials or social engineering.”
Nearly 24% of the attacks involved ransomware, which is about the same as last year, but most importantly 95% of the attacks were financially driven. Log4j was reported as the most exploited vulnerability. This report is a great resource providing year-over-year comparisons of data breach activity and an excellent summary of current trends.
Windows 10 21H2 Home and Professional
Windows 10 21H2 Home and Professional will reach EOS this month, so plan accordingly. I discussed some mitigation options in last month’s blog if you need to stay on this version beyond the EOS date. Also, it’s now only six months until Server 2012/Server 2012 R2 reach general EOS. Microsoft will be offering their Extended Security Updates (ESU) for another three years, but if the ESU is needed, you’ll want to plan ahead to make that transition smoothly when the time comes.
June 2023 Patch Tuesday forecast
- After a major lull in CVEs addressed last month, expect Microsoft to be back on track with their annual averages for both their operating system and Office application updates next week. The preview update included some printer fixes, so we may finally be back to some stability with printer management and functionality.
- Adobe Acrobat and Reader received their last update in April. There are no pre-announcements at this time, but I would watch for a minor update next week because we are due.
- Apple provided a major set of updates on May 18th. Please deploy them as soon as possible due to the known zero-day vulnerabilities. I don’t anticipate any new updates next week due to the developer conference and recent releases.
- Google released several dev and beta updates this week which could result in official releases next week.
- Mozilla released Firefox 114 and Firefox ESR 192.12 this week, so we may only see a Thunderbird update next week.
There were several third-party, emergency zero-day releases ahead of this Patch Tuesday, so we may only see the usual Microsoft fare next week. This could mean a standard deployment next week – unless you forgot about Apple!