July 2023 Patch Tuesday forecast: A month of instability and uncertainty
We’re halfway through 2023 already and moving into our seventh Patch Tuesday of the year next week. There’s been a lot of activity with Microsoft this month which may impact updates we’ll see. But first taking a quick look back at June, we had a fairly standard set of releases with 32 CVEs fixed in Windows 11 and 36 fixed in Windows 10. Although I call out the desktops for simplicity, always keep in mind these updates apply to the applicable server versions as well. We revisited some older zero-day vulnerabilities with informational updates, but there were no new ones.
Microsoft continued their phased enablement of security enforcement with new Kerberos and NetLogon default settings. If you haven’t been following this closely, check out How to manage the Kerberos and Netlogon Protocol changes related to CVE-2022-37967 and KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 from Microsoft. There were also critical updates all for the .NET framework releases addressing six vulnerabilities which need attention. The weather is getting hotter now that July is here, will the upcoming releases be as well?
M365 apps failing to launch
There have been many reports in the news throughout June regarding issues caused by the Microsoft June releases as well as issues within Microsoft software and services that have resulted in instability. These issues may portend a hot July Patch Tuesday release.
Starting on Patch Tuesday, the application of Windows 11 22H2 KB5027231 cumulative update broke Google Chrome for users running Malwarebytes, Cisco Secure Endpoint, and WatchGuard Endpoint Security – they were not able to launch Google Chrome. There was no easy way to remove the Microsoft update and these companies were forced to provide temporary workarounds until fixes were provided within their software.
Later in the month, Microsoft ran into some problems of their own. Starting the week of June 19th, there were many reports of Microsoft 365 Applications, Microsoft Outlook, and Microsoft Teams either failing to launch, running slowly, starting and stopping randomly, and even licensing failure. And finally, researchers reported this month that Microsoft Teams can be exploited to distribute malware. The reported vulnerability allows external tenants to bypass restrictions on incoming files which could be malicious. Microsoft has been relatively quiet on all these issues, but we may hear more as Patch Tuesday approaches.
Apple vulnerabilities
Apple was in the news again this month addressing three new zero-day vulnerabilities. CVE-2023-32434 and CVE-2023-32435 exist in iOS and are associated with the Triangulation spyware. CVE-2023-32439 is a WebKit zero-day vulnerability that can let attackers gain arbitrary code execution on unpatched devices. For a complete list of the latest application, iOS, and macOS security updates check out the Apple Security Updates page.
July 2023 Patch Tuesday forecast
- Microsoft will provide their regular operating system and application updates this month. I don’t expect another .NET framework release after the critical one from June. There were Microsoft Exchange Server updates last month so we may get a pass this month. Based on the online issues with Microsoft 365 Applications we should see application updates as well as some Azure updates if there are communications or hosting related issues.
- I was really surprised we didn’t get an Adobe Acrobat and Reader update last month – the last one was in April. Expect one soon.
- Apple provided the zero-day updates on June 21st so we shouldn’t see another set of updates for a while. Don’t forget the beta of Sonoma is now available with an anticipated release of this new OS near year-end.
- The Stable channel for Chrome OS was updated to 114.0.5735.205 last week. The Beta channel for Desktop was also updated to 115.0.5790.56 for Windows, Linux and Mac last week, so I would expect a Stable channel announcement next week.
- Mozilla released Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13 on July 4th. Don’t expect another update next week.
- Oracle Critical Patch Updates are scheduled for July 18th. You can get all your Oracle product updates, including Java, the week after Patch Tuesday.
If you haven’t done so already, deploy the Apple and Mozilla updates to lighten you load next week. There was a lot of unanswered activity surrounding Microsoft this month, so keep a close eye on the KBs next week to see if any of your application disruptions or operating system issues were addressed.
The July 2023 Patch Tuesday is now live: Microsoft patches four exploited zero-days, but lags with fixes for a fifth (CVE-2023-36884)