Truth in IT

Ivanti: Adobe, Mozilla & Microsoft Security Updates Breakdown

Ivanti
06/29/2026

Transcript


We did talk a little bit about Adobe Acrobat and Reader, Chris touched on it. They did fix four vulnerabilities. Two of them were rated critical, two were rated moderate. Again, commonly used application, you want to make sure that you do get this distributed out into your environment. They did release it across all the versions they support, including DC Continuous, the Classic 2020, and the Classic 2024. Definitely a big update that you generally want to push out. As a general reader update.

Chris also mentioned the Mozilla releases yesterday, Firefox 146, the latest version came out, addressed 13 vulnerabilities in there. They rated this update high. There were five high-rated CVEs and eight that were rated moderate in there. I can always include the link for you guys to read if you want to dig into some of these CVEs and see what's being fixed. But there were 13 this month addressed there in Firefox 146, which is the pointy tip of what they're releasing as far as Firefox goes. Under the extended service updates, we see that there was a 140.6 release as well. 10 vulnerabilities. This is basically a subset of what was in the 146 release. These are all covered here. There was also an ESR version 115.31 release. I didn't have ESR in the title in the last one, I apologize for that. But these are the extended service ones that Mozilla does support. Only four vulnerabilities fixed that needed to be fixed here. Three of those were rated high, one moderate. Again, if you're running some of these older ones, make sure you update them and include them in your list for this month.

Talking about the Microsoft release, I left them in order. Usually, this is a critical release. As Chris said, it's very rare for us to see a major OS release that doesn't have a critical CVE addressed. But this month, they were all important. There were 37 of them addressed in Windows 11. Chris talked about the known exploited vulnerability 62221, which I did highlight in red down there, and also 54100, which was the publicly disclosed vulnerability. Include the KBs. There were also hot patches this month. I didn't include the hot patch KB in here, but Microsoft did release a hot patch for these updates this month as well.

There was a reported vulnerability. This was an interesting one, and I've had some reports that quite a few people have seen this one. They found that the password icon that you use to log in off the lock screen has disappeared. If you scroll over and you know it's where it used to be, it actually does pop up and allow you if you click on that spot to log in properly. It's just really weird that the visual side of this has disappeared. Interestingly enough, if you dig into this KB, they do provide some directions if this is a big problem for you on how to roll this thing back, but it's pretty complicated. There are a lot of steps you have to go through. Again, take a look into the KB. I do have a hot link up there in the top of the slides if you want to look at this. Microsoft did say they, of course, are working on a resolution for this. It's also interesting as they say this primarily shows up in enterprise versions of the operating system, not in the professional or the home versions, which is really interesting as well. Definitely impacting a lot of us out there. Just be aware of this issue this month.

I apologize, I did you guys a disservice last month with the drop of Windows 10 and going into ESU. I failed to mention that there is still obviously support for the server versions that are part of the Windows 10 operating system kernel. There's also some obviously long-term service branch versions of Windows 10 as well that are continuing to be supported. I did include this slide back in here. Apologize for those of you who were on last month. We obviously have Server 2016, 2019, and Server 2022, which are all based on the Windows 10 kernel. Two less vulnerabilities than we saw on the Windows 11 side. There are only 35 addressed here that applied to these particular operating systems. Of course, interestingly enough, the known exploited and publicly disclosed vulnerabilities are the same. There is a reported issue. We did talk about this last month in Windows 11. But this month, it's only apparently part of the Windows 10 issue. This has to do with WSUS updates not showing the proper errors in their reporting. Microsoft said this is just a reporting issue. It's not necessarily a problem per se, and they're again taking a look at can they fix this. This reporting problem was around the changes that they made with the fix for this remote code execution vulnerability. It says they're still taking a look at this. We'll see what happens. This is applicable to both versions of Server 2022, the 23H2 version as well as the stock version, which is just 2022.

Exchange Server this month, also just an important update. Again, two vulnerabilities were addressed, one related to spoofing, one related to elevation of privilege. They did drop support, as you're probably aware, for the other versions of Exchange Server. There's a 2016-2019. Interestingly enough, if you look in the security updates guide, they did provide what they're calling ESU updates for those two versions. I haven't figured that one out yet, but apparently they are still providing some updates. If you're running those, you may find some patches that are applicable on some of those older versions. But right now, as far as mainstream support on Exchange Server, they're only supporting the subscription edition.

Microsoft Office as well. You'll see I put a bunch of these in italics here with an asterisk on them. Although they have said they have dropped support for Office 2016 in the updates this month, you'll continue to see some. I've included them here. Access, Excel, Office Suite as a whole, and Word 2016 all received individual updates. Online server is still going to have continued support through 2026. That's not part of the end of support there. There were 13 vulnerabilities that were addressed. A bunch of KB articles, you can go dig into those if you're looking for one of your particular applications and what was fixed. Again, 13 vulnerabilities that were fixed. They were all remote code execution vulnerabilities. That was interesting that they were all of a single type. Definitely, if you are running some of these older apps still, the good news is that you can continue to get an update this month. On the online versions or what we refer to as the click-to-run versions often, we did see updates for 365 apps. Again, Office 2019, even though it's been officially end of life, it did get an update this month and the long-term service channel 2021 and 2024 releases also received updates. Eleven vulnerabilities that were addressed here. Again, 2019 is beyond end of life, but it did get an update, so we get a little reprieve on that one if you're still running it.

SharePoint server, we did see updates for all supported versions of SharePoint server. Five KBs covering the various versions here. CVEs that were addressed here were of the type remote code execution and spoofing. I did list them here. None of these are known to be publicly disclosed or exploited, so that's good to know. But it was rated critical because there were some critical CVEs that were addressed in there. Chris did talk about between the patch Tuesdays.

TL;DR

  • Adobe Acrobat and Reader received critical security updates addressing four vulnerabilities across all supported versions, requiring immediate deployment in enterprise environments.
  • Mozilla released Firefox 146 with 13 vulnerability fixes and updated multiple ESR versions, with organizations running older Firefox branches needing to apply ESR-specific patches.
  • Microsoft's January Patch Tuesday addressed 37 Windows 11 vulnerabilities (all important-rated, no critical) including one known exploited CVE and one publicly disclosed issue.
  • Windows 11 enterprise users are experiencing a cosmetic bug where the password icon disappears from the lock screen, though login functionality remains intact with Microsoft working on a resolution.

Adobe and Mozilla Security Releases

Adobe released critical updates for Acrobat and Reader, addressing four vulnerabilities across all supported versions including DC Continuous, Classic 2020, and Classic 2024. Two vulnerabilities were rated critical and two moderate, making this a priority deployment for organizations using these commonly deployed applications. Mozilla simultaneously released Firefox 146 with 13 vulnerabilities fixed (five high-rated, eight moderate), along with extended service release updates for ESR 140.6 (10 vulnerabilities) and ESR 115.31 (four vulnerabilities, three high-rated). Organizations running older Firefox ESR versions should prioritize these updates as part of their monthly patching cycle.
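
The per-branch Firefox check described above, as an added example that is not from the webinar or from Ivanti: it sorts an inventory of installed Firefox versions by whether each install has reached the fixed version for its own branch (146 on release, 140.6 and 115.31 on ESR). The host names and inventory rows are constructed, and the `NNN.N.Nesr` version-string format is an assumption about how your inventory tool reports ESR builds.

```python
import re

# Fixed versions named on this page: Firefox 146, ESR 140.6, ESR 115.31.
FIXED_RELEASE = (146, 0)
FIXED_ESR = {140: (140, 6), 115: (115, 31)}

# Accepts "146.0", "145.0.2", "140.6.0esr"; anything else is reported as unparsed.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*(esr)?$", re.IGNORECASE)


def classify(version):
    """Return the patch status of one installed Firefox version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, is_esr = int(m.group(1)), int(m.group(2)), bool(m.group(3))
    if is_esr:
        fixed = FIXED_ESR.get(major)
        if fixed is None:
            # An ESR branch this page lists no fix for: review it by hand.
            return "esr-branch-not-listed"
        return "patched" if (major, minor) >= fixed else "needs-update"
    # A non-ESR install is measured against the release channel, even if its
    # major number happens to match an ESR branch.
    return "patched" if (major, minor) >= FIXED_RELEASE else "needs-update"


def audit(inventory):
    """Group host names by status; inventory is an iterable of (host, version)."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("wks-001", "146.0"),
    ("wks-002", "145.0.2"),
    ("wks-003", "140.6.0esr"),
    ("wks-004", "140.5.0esr"),
    ("kiosk-01", "115.30.1esr"),
    ("kiosk-02", "115.31.0esr"),
    ("lab-07", "128.14.0esr"),
    ("lab-08", "140.0"),
    ("lab-09", "nightly"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the `esr-branch-not-listed` and `unparsed` groups need a manual look, since the page gives no fixed version to compare them against.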

Microsoft Windows and Server Updates

Microsoft's January release marked a rare occurrence with no critical-rated vulnerabilities for Windows 11, addressing 37 important-rated CVEs instead. The update included one known exploited vulnerability (CVE-2025-62221) and one publicly disclosed issue (CVE-2025-54100). A notable reported issue affects enterprise versions of Windows 11 where the password icon disappears from the lock screen, though the login functionality remains operational if users click the expected location. Windows 10-based server versions (Server 2016, 2019, and 2022) received 35 vulnerability fixes with the same exploited and publicly disclosed CVEs. Server 2022 users are experiencing WSUS reporting errors related to a previous remote code execution fix, though Microsoft indicates this is a reporting issue rather than a functional problem. Hot patches were also released this month for supported configurations.

Chapters

0:00 - Adobe Security Updates
0:31 - Mozilla Firefox Releases
1:36 - Microsoft Windows 11 Updates
3:17 - Windows 10 Server Updates
4:43 - Exchange Server Patches
5:22 - Microsoft Office Updates
6:41 - SharePoint Server Fixes

Key Quotes

0:43 "It's very rare for us to see a major OS release that doesn't have a critical CVE addressed. But this month, they were all important."
2:38 "It's just really weird that the visual side of this has disappeared. Interestingly enough, if you dig into this KB, they do provide some directions if this is a big problem for you on how to roll this thing back, but it's pretty complicated."
3:03 "It's also interesting as they say this primarily shows up in enterprise versions of the operating system, not in the professional or the home versions, which is really interesting as well."
5:03 "Interestingly enough, if you look in the security updates guide, they did provide what they're calling ESU updates for those two versions. I haven't figured that one out yet, but apparently they are still providing some updates."

FAQ

What should I do about the missing password icon on Windows 11 lock screens?

The password icon has disappeared visually but the login functionality still works if you click where the icon used to be. Microsoft is working on a fix and has provided rollback instructions in the KB article, though the rollback process is complex with multiple steps. This issue primarily affects enterprise versions of Windows 11, not professional or home editions.

Are Exchange Server 2016 and 2019 still receiving security updates?

While mainstream support has ended for Exchange Server 2016 and 2019, Microsoft is providing what they're calling ESU (Extended Security Update) patches for these versions. If you're running these older versions, you may find applicable patches in the security updates guide, though only the subscription edition has full mainstream support.

