*The details of the vulnerabilities in the blog have now been updated.
Welcome to the Patch Tuesday updates for March 2024, which lists fixes for 60 vulnerabilities. While no zero-days have been listed by Microsoft this month, there are two critical vulnerabilities.
After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates periodically, IT admins expect these updates and have time to gear up for them.
Why is Patch Tuesday important?
Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
March 2024 Patch Tuesday
Security updates lineup
Here is a breakdown of the 60 vulnerabilities fixed this month:
- CVE IDs: 60 (this count doesn’t include the republished CVE IDs)
- Republished CVE IDs: Four (more details on this below)
Here is a breakdown of the 60 vulnerabilities fixed this month, based on severity:
- Critical: 2
- Important: 58
Security updates were released for the following products, features, and roles
- Windows Defender
- Open Management Infrastructure
- Microsoft Authenticator
- .NET
- Microsoft Azure Kubernetes Service
- Role: Windows Hyper-V
- Skype for Consumer
- Software for Open Networking in the Cloud (SONiC)
- Microsoft Dynamics
- Azure SDK
- Microsoft Office SharePoint
- Windows Kerberos
- Windows USB Hub Driver
- Windows USB Serial Driver
- Windows Hypervisor-Protected Code Integrity
- Windows Update Stack
- Windows Print Spooler Components
- Microsoft Windows SCSI Class System File
- Windows OLE
- Windows Installer
- Microsoft Graphics Component
- Windows AllJoyn API
- Windows Telephony Server
- Windows ODBC Driver
- Microsoft WDAC OLE DB provider for SQL
- Windows USB Print Driver
- Windows Kernel
- Windows NTFS
- Microsoft Teams for Android
- Microsoft WDAC ODBC Driver
- Windows Cloud Files Mini Filter Driver
- SQL Server
- Visual Studio Code
- Microsoft Edge for Android
- Windows Error Reporting
- Windows Composite Image File System
- Windows Compressed Folder
- Microsoft QUIC
- Windows Standards-Based Storage Management Service
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Intune
- Azure Data Studio
- Outlook for Android
Learn more in the MSRC’s release notes.
Details about the critical vulnerabilities (as rated by Microsoft)
Vulnerable component: Windows Hyper-V
Impact: Remote Code Execution
While this vulnerability has been scored as 8.1 (base score), Microsoft has marked it as Critical vulnerability and has stated, “This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server.”
As of now, there have been no updates of this vulnerability being publicly disclosed or actively exploited.
Vulnerable component: Windows Hyper-V
Impact: Denial of Service
Yet another critical vulnerability in Windows Hyper-V, this one too has been rated as critical by Microsoft, even though the CVSS 3.1 base score is 5.5. While much hasn’t been stated about the vulnerability yet, Microsoft has stated in its exploitability assessment that it is less likely to be exploited.
Details about the critical vulnerabilities (based on CVSS 3.1)
Vulnerable component: Microsoft Azure Kubernetes Service Confidential Container
Impact: Elevation of Privilege
While this vulnerability is not actively exploited yet, Microsoft states that, “An attacker who successfully exploited this vulnerability could steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC).”
As a means of protecting themselves from this vulnerability, Microsoft has stated that users must be running the latest version of az confcom (a part of Azure CLI) and Kata Image
Vulnerable component: Open Management Infrastructure (OMI)
Impact: Remote Code Execution
This vulnerability in the OMI instance can be exploited by unauthenticated remote actors by sending specially crafted data requests to the vulnerable service. While there are no reports of active exploitation of this vulnerability, Microsoft has recommended users upgrade to OMI version 1.8.1-0.
Republished CVE IDs
Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:
Third-party updates released after last month’s Patch Tuesday
Third-party vendors such as Google, Cisco, Fortinet, SAP, Apple, AnyCubic, and VMware have also released updates this March.
Best practices to handle patch management in a hybrid work environment
Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.
Here are a few pointers to simplify the process of remote patching:
- Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
- Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
- Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
- Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
- Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
- Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates, since they are bulky updates and consume a lot of bandwidth.
- Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
- Run patch reports to get a detailed view of the health status of your endpoints.
- For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Endpoint Central, Patch Manager Plus or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.
Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.
Ready, get set, patch!