Although there have been no reports of zero-day flaws, Microsoft's April Patch Tuesday release included 149 updates.
Microsoft released 149 updates in this month's Patch Tuesday release, though there were no reports of public disclosures or other zero-days for the Microsoft ecosystem (Windows, Office, .NET). This update is very large, complex and will require some testing time, especially for the OLE, ODBC and SQL focused updates and their impact on complex applications.
Microsoft also moved to make it easier to understand security-related CVE entries much easier by adopting the new CWE vulnerability reporting standard. The team at Application Readiness has provided this infographic detailing the risks associated with the April updates.
Known issues
Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle, including these two reported minor issues:
- After you install KB5034203 or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft is actively working on this issue, and so we should expect an update soon.
- Some users of Windows Server 2008 will see messages that say, "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer," when attempting to update legacy devices. This may be a result of an improperly configured ESU configuration. Microsoft has recently updated its guidelines on acquiring and configuring ESU keys, which may help those still struggling.
Major revisions
This month, Microsoft published these revisions to past updates:
- CVE-2022-0001: Branch History Injection. Reason for revision: Corrected one or more links in the FAQ. This is an informational change only. No further action required.
- CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability: Updated FAQs to include information on how to be protected from this vulnerability for customers running Windows 11 23H2 or Windows Server 2022, 23H2 Edition. No further action required.
- CVE-2013-3900: WinVerifyTrust Signature Validation Vulnerability.
Microsoft has updated the FAQ documentation to inform customers that EnableCertPaddingCheck is data type REG_SZ (a string value) and not data type dword. When you specify 'EnableCertPaddingCheck" as in "DataItemName1