
Patch Tuesday April 2023: Microsoft Local Administrator Password Solution and M365 Apps Manual Updates

April showers bring May flowers, and Patch Tuesdays bring new vulnerabilities that need to be weeded out of our gardens. Microsoft is giving sysadmins plenty to add to their spring cleaning chores with a selection of remote code execution vulnerabilities for Microsoft Office and Microsoft 365 Apps (CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311). Even though these vulnerabilities aren’t under active exploitation yet, they should still be a priority because of their large deployment base. Adding a little challenge here, sysadmins should review how they apply updates, as they may be missing out on Microsoft’s Click-to-Run functionality to keep M365 Apps properly updated.

Microsoft Vulnerabilities

Of the 103 vulnerabilities receiving fixes this month, five are updates to previous fixes. CVE-2022-43552, CVE-2022-26923, CVE-2013-3900, CVE-2022-34716, and CVE-2022-38023 all received updates with CVE-2022-38023 needing some additional attention from sysadmins and domain admins concerning Netlogon protocol changes. There is also a new zero-day vulnerability: CVE-2023-28252. This is under active exploitation, but it should be easy to deal with as it is addressed in Monthly Rollup, Security Updates or CUs.


Microsoft 365 Vulnerability Fixes and Click-to-Run

Microsoft Office and M365 Apps also received fixes for multiple vulnerabilities (CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311), but depending on how you apply updates and patches, the fixes may not be included in your regular patching routine. Make sure you review your patching tools and processes to ensure M365 Apps have a defined update process in place. N‑sight and N‑central partners can use the automation item in the Automation Cookbook to check and update Microsoft 365 versions; it leverages Microsoft’s Click-to-Run executable, which is included in every install of M365 Apps.
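As an added illustration of what the check described above involves (this is example code, not the Automation Cookbook item or Microsoft's own script), the snippet below reads the installed M365 Apps build and update channel from the Click-to-Run configuration key and then asks the Click-to-Run client to pull the current build. The registry path and the OfficeC2RClient.exe location are Microsoft's standard Click-to-Run locations; everything else is assumed for the example.

```powershell
# Added example: inspect and update Microsoft 365 Apps through Click-to-Run.
# Assumes a 64-bit Windows host with a Click-to-Run (not MSI) Office install.

$c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$c2rClient = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe'

function Get-M365AppsState {
    # Returns $null when there is no Click-to-Run configuration: MSI-based Office
    # (or no Office at all) is serviced by Windows Update/WSUS, not by C2R.
    if (-not (Test-Path $c2rKey)) { return $null }
    $cfg = Get-ItemProperty -Path $c2rKey
    [pscustomobject]@{
        Version       = $cfg.VersionToReport   # build currently installed, e.g. 16.0.xxxxx.yyyyy
        UpdateChannel = $cfg.UpdateChannel     # CDN URL; identifies Current / Monthly Enterprise / Semi-Annual
        Platform      = $cfg.Platform          # x86 or x64
    }
}

function Invoke-M365AppsUpdate {
    param([switch]$ForceAppShutdown)
    if (-not (Test-Path $c2rClient)) { throw "OfficeC2RClient.exe not found at $c2rClient" }
    # '/update user' with displaylevel=false runs silently; forceappshutdown=true
    # closes open Office apps, so only use it in a maintenance window.
    $c2rArgs = @('/update', 'user', 'displaylevel=false')
    if ($ForceAppShutdown) { $c2rArgs += 'forceappshutdown=true' }
    Start-Process -FilePath $c2rClient -ArgumentList $c2rArgs
}

$state = Get-M365AppsState
if ($null -eq $state) {
    Write-Output 'No Click-to-Run install found; nothing to do here.'
} else {
    Write-Output "Installed: $($state.Version) ($($state.Platform)) from $($state.UpdateChannel)"
    Invoke-M365AppsUpdate
    Write-Output 'Update requested; the C2R service applies it in the background.'
}
```

The Click-to-Run client hands the download and install off to its service and returns immediately, so the build reported by Get-M365AppsState will only change on a later check-in. Recording the VersionToReport value before and after is the simplest way to confirm, per device, that the Office fixes listed this month actually landed.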

Also, as a reminder, March’s Microsoft Patch Tuesday made updates to how DCOM servers handle authentication. If you deferred last month’s updates until this month and you’re seeing network communication problems with legacy applications, it could be tied to KB5004442 now forcing DCOM servers to use more robust authentication, with no option to revert to the less secure behavior.
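When a legacy application starts failing after the DCOM hardening, the quickest confirmation is the System event log rather than guesswork. The added example below (not from the post, not from Microsoft) pulls the DistributedCOM events that KB5004442 documents for this change: 10036 is logged on the server that refused an activation, and 10037/10038 on the client whose application asked for a lower authentication level. The lookback window is an assumption.

```powershell
# Added example: find DCOM activation failures caused by the KB5004442 hardening.
# Event IDs 10036/10037/10038 and the registry value are the ones documented in KB5004442.

function Get-DcomHardeningEvents {
    param([int]$Days = 7)   # assumed default lookback for a post-patch review
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent throws when no events match, which is a valid result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Side    = if ($_.Id -eq 10036) { 'Server (activation refused)' } else { 'Client (low auth level requested)' }
                Summary = ($_.Message -split "`r?`n")[0]   # first line names the app / CLSID / peer
            }
        }
}

function Get-DcomHardeningSetting {
    # Before March 2023 this value could disable the hardening; after the March 2023
    # update it is ignored, so a value of 0 here no longer explains anything.
    $key = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
}

Write-Output "RequireIntegrityActivationAuthenticationLevel = $(Get-DcomHardeningSetting)"
Get-DcomHardeningEvents -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it on both ends of the failing connection: a 10036 on the DCOM server paired with a 10037 or 10038 on the client pins the problem on the application requesting an authentication level below Packet Integrity, and the fix is on the application side, not in reverting the update.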

Microsoft adds new Windows LAPS

A new integrated version of LAPS (Local Administrator Password Solution) was also part of this month’s Microsoft Patch Tuesday release. LAPS allows you to secure the local administrator accounts on Windows domain-joined and Azure AD-joined devices. This is a valuable tool for any MSP that needs to secure local administrator accounts with rotating passwords managed by AD. If you’re reading this and you don’t know how your organization and clients secure local administrator accounts, then you have some additional reading to do on LAPS. You can find out how it can significantly improve the resiliency of environments against the use of compromised credentials and session replays for lateral movement by reading the blog Microsoft has written to help explain LAPS.
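To make the "rotating passwords managed by AD" part concrete, here is an added example (not from the post or from Microsoft's documentation) of the checks an admin would run after turning on Windows LAPS for domain-joined devices. The cmdlets come from the LAPS PowerShell module that ships with the April 2023 update; the OU and computer names are placeholders.

```powershell
# Added example: verify a Windows LAPS rollout for AD-joined devices.
# Assumes the schema has already been extended (Update-LapsADSchema, run once as Schema Admin)
# and that a GPO under Computer Configuration > Administrative Templates > System > LAPS
# sets BackupDirectory to Active Directory for the target OU.

Import-Module LAPS

$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$testHost = 'WS-EXAMPLE-01'                        # placeholder computer name

# 1. Computers must be able to write their own password/expiry attributes.
Set-LapsADComputerSelfPermission -Identity $targetOu

# 2. Audit who can read the clear-text password. Keep this list short: every principal
#    here is a local-admin-everywhere credential holder for the whole OU.
Find-LapsADExtendedRights -Identity $targetOu |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 3. Confirm rotation is actually happening on a sample device.
$pw = Get-LapsADPassword -Identity $testHost -AsPlainText
if ($null -eq $pw) {
    Write-Warning "$testHost has never backed up a password; check the GPO applied (Invoke-LapsPolicyProcessing on the client)."
} elseif ($pw.ExpirationTimestamp -lt (Get-Date)) {
    Write-Warning "$testHost password expired $($pw.ExpirationTimestamp) and was not rotated."
} else {
    Write-Output "OK: $testHost account '$($pw.Account)' rotates next at $($pw.ExpirationTimestamp)"
}

# 4. After a password has been used (support session, incident response), force early rotation
#    so the retrieved credential stops being valid on the next policy cycle.
Set-LapsADPasswordExpirationTime -Identity $testHost
```

Steps 2 and 4 are the ones that deliver the lateral-movement resistance the post refers to: a unique password per device is only useful if few principals can read it, and a read password is only safe if it is rotated out once the task is done.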


Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is partly following established best practices and partly gut instinct. Critical severity, Exploitation More Likely, and Exploitation Detected vulnerabilities should, as always, rank fairly high on the priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

CVE            | Description                                                                          | Severity | Status
CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability           | I        | ED
CVE-2013-3900  | WinVerifyTrust Signature Validation Vulnerability                                    | I        | ED
CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability                              | C        | ELL
CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability        | C        | ELL
CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability        | C        | ELL
CVE-2023-28274 | Windows Win32k Elevation of Privilege Vulnerability                                  | I        | EML
CVE-2023-28266 | Windows Common Log File System Driver Information Disclosure Vulnerability           | I        | EML
CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability                              | C        | EML
CVE-2023-28227 | Windows Bluetooth Driver Remote Code Execution Vulnerability                         | I        | EML
CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                       | C        | EML
CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                       | C        | EML
CVE-2023-28218 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability   | I        | EML
CVE-2023-24912 | Windows Graphics Component Elevation of Privilege Vulnerability                      | I        | EML
CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability                        | C        | EML
CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability                                    | I        | EML
CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability                | C        | EML
CVE-2022-43552 | Open Source Curl Remote Code Execution Vulnerability                                 | I        | N/A

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider adding prioritization for Zero-Day, Exploitation Detected, and Exploitation More Likely vulnerabilities to your patch management routine.
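The ranking rule the post argues for (exploitation status first, severity second, with the zero-day on top) is easy to turn into something a patch management routine can run. This added example, which is not part of the post, applies that rule to this month's table and prints the severity-only ordering alongside it so the difference is visible. The score weights are an assumption; the rows are the post's own table.

```powershell
# Added example: rank the April 2023 table by exploitation status, then severity,
# with the named zero-day (CVE-2023-28252) forced to the top.

$table = @'
CVE,Description,Severity,Status
CVE-2023-28252,Windows Common Log File System Driver Elevation of Privilege Vulnerability,I,ED
CVE-2013-3900,WinVerifyTrust Signature Validation Vulnerability,I,ED
CVE-2023-28291,Raw Image Extension Remote Code Execution Vulnerability,C,ELL
CVE-2023-28250,Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability,C,ELL
CVE-2023-28232,Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability,C,ELL
CVE-2023-28274,Windows Win32k Elevation of Privilege Vulnerability,I,EML
CVE-2023-28266,Windows Common Log File System Driver Information Disclosure Vulnerability,I,EML
CVE-2023-28231,DHCP Server Service Remote Code Execution Vulnerability,C,EML
CVE-2023-28227,Windows Bluetooth Driver Remote Code Execution Vulnerability,I,EML
CVE-2023-28220,Layer 2 Tunneling Protocol Remote Code Execution Vulnerability,C,EML
CVE-2023-28219,Layer 2 Tunneling Protocol Remote Code Execution Vulnerability,C,EML
CVE-2023-28218,Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability,I,EML
CVE-2023-24912,Windows Graphics Component Elevation of Privilege Vulnerability,I,EML
CVE-2023-21554,Microsoft Message Queuing Remote Code Execution Vulnerability,C,EML
CVE-2022-38023,Netlogon RPC Elevation of Privilege Vulnerability,I,EML
CVE-2022-26923,Active Directory Domain Services Elevation of Privilege Vulnerability,C,EML
CVE-2022-43552,Open Source Curl Remote Code Execution Vulnerability,I,N/A
'@ | ConvertFrom-Csv

# Lower score = patch sooner. Status dominates severity; unknown values sort last.
$statusRank   = @{ ED = 0; EML = 1; ELL = 2; 'N/A' = 3 }
$severityRank = @{ C = 0; I = 1; M = 2 }
$zeroDays     = @('CVE-2023-28252')   # from the post; extend from the MSRC release notes each month

function Get-PatchPriority {
    param([object[]]$Rows)
    $Rows | ForEach-Object {
        $s  = if ($statusRank.ContainsKey($_.Status))     { $statusRank[$_.Status] }     else { 9 }
        $v  = if ($severityRank.ContainsKey($_.Severity)) { $severityRank[$_.Severity] } else { 9 }
        $zd = $zeroDays -contains $_.CVE
        [pscustomobject]@{
            Score    = (if ($zd) { 0 } else { 100 }) + ($s * 10) + $v
            CVE      = $_.CVE
            Severity = $_.Severity
            Status   = $_.Status
            ZeroDay  = $zd
        }
    } | Sort-Object Score, CVE
}

Write-Output '--- Recommended order (status, then severity) ---'
Get-PatchPriority -Rows $table | Format-Table -AutoSize

Write-Output '--- Severity-only order, first five ---'
$table | Sort-Object { $severityRank[$_.Severity] }, CVE |
    Select-Object -First 5 CVE, Severity, Status | Format-Table -AutoSize
```

The contrast at the bottom is the point of the post's summary: sorted by severity alone, the actively exploited CLFS zero-day (rated Important) falls below every Critical, including three that Microsoft marks Exploitation Less Likely.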

Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE and N-CENTRAL marks and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common-law marks, registered marks, or marks pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.