March 2024 Patch Tuesday forecast: A popular framework updated
UPDATE: March 12, 3:55 PM ET – March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V
We’re almost at our third Patch Tuesday and wrapping up the first quarter 2024. Time flies by! Microsoft is starting to push users to update their operating systems as their active version is approaching end-of-support.
The February 2024 Patch Tuesday was pretty typical, with the standard Microsoft Windows, Office, and Exchange Server updates. Two zero-day vulnerabilities were identified, and 41 and 44 total vulnerabilities were addressed in Windows 11 and 10, respectively. But before we get to the March 2024 Patch Tuesday forecast, I want to provide information on the updated NIST framework.
NIST CSF 2.0
The long-awaited NIST Cybersecurity Framework 2.0 was recently released on February 26th. The original framework released in 2014 was focused on the protection of critical infrastructure systems and, in fact, was titled Framework for Improving Critical Infrastructure Cybersecurity. The latest version is a document for everyone and “provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks” per the NIST website.
In addition to the breadth of organizational coverage, the document provides a wealth of new best practices and also introduces the requirement for ‘governance.’ Topics under this category include the need for compliance based on industry regulations, risk management practices, and the need for security to be understood and managed at all levels in the company, from the boardroom down to the administrators and users. You should look at this document and see if there are some aspects you may not have considered in your existing security program or framework.
2023 highlights
I haven’t provided a look back at some of the highlights and statistics from 2023, so here are a few to trigger your memory.
Microsoft patched 23 zero-day vulnerabilities in 2023, which should be easy to remember. A little over 50% of these provided elevation of privilege, and the next 25% allowed security feature bypass. The remaining ones were divided between denial of service, information disclosure, and remote code execution. Surprisingly, remote code execution accounted for the fewest zero-day vulnerabilities. Apple had their fair share of zero-day vulnerabilities reported with 20 reported throughout the year.
Apple released their first Rapid Response Security Update in May, which are small, quick-to-install security patches that can be automatically downloaded. And finally, Google addressed 8 zero-day Chrome vulnerabilities in 2023. One nice move was the introduction of a once-a-week update when possible so that we could plan for regular updates.
Windows 11 Moment 5
The Microsoft Windows 11 Moment 5 was released to preview last week. It will show up in 23H2 and 22H2 if you have ‘get the latest updates as soon as their available’ option checked. One point of interest is Microsoft has combined Windows Autopatch with Windows Update for Business for enterprise subscribers.
This Moment 5 update is scheduled to roll out to all users with April Patch Tuesday release. Microsoft announced they have started to ‘force update’ older versions of Windows 11 to 23H2. Those systems that are approaching EOL on older versions will be automatically updated. In a related situation, Microsoft is instituting a nag screen on non-managed enterprise devices running Windows 10 Pro and Pro Workstation to update to Windows 11. The nag screen will offer the user an update to Windows 11. This will be introduced in the April Patch Tuesday release.
March 2024 Patch Tuesday forecast
- This should be a typical monthly release from Microsoft consisting of all the supported OS, Office, SharePoint and Exchange server updates.
- Adobe Acrobat and Reader received a security update last Patch Tuesday so we may see a minor update, if any.
- Apple released security updates for all their PC operating systems and Safari today, so make sure to include them in your current patch rollout.
- Google released a Chrome Beta for Desktop 123.0.6312.28 for Windows, Mac, and Linux today, so expect the formal update to come out on Patch Tuesday. They’ve be releasing their updates later in the afternoon than Microsoft but be on the lookout for it.
- Mozilla released Thunderbird 115.8.1 this week, so we may see updates for Firefox and Firefox ESR next week.
I expect a standard release of updates from Microsoft next week, as well as browser updates from the usual vendors. Plan ahead to manage the OS updates Microsoft is starting to push; it looks like most of them will impact us with next month’s Patch Tuesday release. And finally, take a look at the NIST Cybersecurity Framework 2.0. It contains a wealth of information and resources to help improve your security program.