Microsoft’s Patch Tuesday for July
On Tuesday, July 11, Microsoft released updates to address more than 130 security issues across its products, including Windows, Office, .NET and Visual Studio, Azure Active Directory and DevOps, Dynamics, printer drivers, Microsoft DNS Server, and Remote Desktop. Of those vulnerabilities, nine are rated critical, and several are being actively exploited.
Nine of the updates are rated as critical, six of which are being actively exploited in the wild. Realistically, it's long past cherry-picking which updates to apply. Focus instead on rapid deployment to commodity systems and regression testing for mission impact systems, reserving a small interval for patches which are pulled back or updated.
I am somewhat alarmed by the number of patches this month and the breadth of how many products. There are a lot of RCEs in this one, and one is related to Azure AD, which is interesting. How much testing is this going to require? I’ll leave it at that; we are not writing less code. More code, more likelihood of bugs.
Back in 2021, there were several months where Microsoft had to release patches for over 100 security issues. While it would be great to see a long-term trend of fewer flaws in production software, we really are not yet near hitting the knee in that curve – as evidenced by the number of times browsers update themselves, how frequently cloud services are updated, and all the vulnerabilities being found now in security products. Just like fleet owners have to forever budget and plan for maintenance, repair and downtime, the same is going to be true for software for a long time to come.
An above-average Patch Tuesday for Microsoft. If you haven’t done so already, prioritize patching of the actively exploited vulnerabilities first, followed by the remainder of the critical vulnerabilities. As always, review Microsoft advisories for additional mitigation details.
The number of patches per unit time is a useful measure of software quality. It is also a measure of the developer's ability to find vulnerabilities. One would expect the number to go down over time. It is not. Moreover, patching is a very expensive way to achieve quality. We are doing something wrong.
William Hugh Murray
Read more in:
ISC SANS: July 2023 Microsoft Patch Update
Krebs on Security: Apple & Microsoft Patch Tuesday, July 2023 Edition
Microsoft: Updates this Month