PATCH WATCH Copilot is here, sort of
By Susan Bradley

The October security updates include Copilot.

As I have alerted you before, if you have Windows 11 22H2 and live in North America or certain South American and Asian countries, Microsoft will be “dribbling” the “Chat for the operating system” update. Never fear — you can disable this “feature.” I didn’t say remove or block, but rather disable.

In the European Union (EU), Copilot for Windows will probably be installed — but you won’t have the shortcut to it enabled, due to some EU digital rules. Expect Microsoft to make the changes necessary to bring it into compliance, at which point it will be enabled.

I’ve documented several ways to remove the shortcut from your systems, but be aware that until you actually install the patch, the Group Policy option may not be available in your version of Windows 11 22H2. You may want to opt to use the registry key method, even if you have Windows 11 Pro. In the meantime, I urge you to check out the Windows Insider Webcast, which goes into details of Windows Copilot.

For those of you with Windows 11 21H2 still installed on your Home and Pro versions, remember this is the last patching that platform will see. (Windows 11 21H2 Enterprise and Education editions are supported to October 8, 2024.) Because 23H2 is right around the corner, use InControl to keep yourself on 22H2. And, as I’ve also mentioned before, remember that Copilot will not be delivered to Windows 10.

Microsoft has issued a mea culpa of sorts regarding the Microsoft Backup application that works only with a consumer-based Microsoft account, because it is being shipped to every version of Windows 10 22H2. It should never have been installed in a network (managed) workstation setting, so the apology indicates that a means for IT pros to uninstall the app is forthcoming. I’m keeping my fingers crossed that the solution will be usable on home machines. We will see. In the meantime, make sure you are on Windows 10 22H2 all the way until 2025.
I am a firm believer that a computer works best on the operating system it was sold with, so if you bought it during the time of the Windows 10 release (and even if it supports Windows 11), move only if you have a need to upgrade to Windows 11. Windows 10 will be very stable and very quiet for the next two years. Enjoy the peace and quiet.

What Outlook do you have?
While Windows has been busy dribbling out Copilot, Microsoft’s Office team has been dribbling out a new Outlook, dubbed “Outlook (new).” Do not confuse this with Windows Mail, Outlook for the Web, or Outlook for the desktop. To say that this is confusing is an understatement. On one of my PCs, I have three icons in my Start menu without knowing exactly which one does what. (See Figure 1.)
The good news is you can Registry key it away. Or, if your version of Office is such that you can opt in to the Semi-Annual Enterprise Channel, you can ensure it stays safely off your machine until January 2024.

Normally, technology sites are about encouraging folks to try Beta or Insider versions and enable new features by using some hidden Registry key. As someone who uses Outlook on my desktop with several specialized COM-based add-ins, I’m wincing at the documentation stating that there are no plans to support COM/VSTO (Visual Studio Tools for Office) add-ins but instead to “enrich the Web Add-in platform.” It remains to be seen how well this goes over with Enterprises who, on a regular basis, have third-party tools that connect in to Outlook.

In a business setting, you can get rid of the button inside the Outlook desktop that allows you to try Outlook (new) by using the registry key method posted to the answers forum. You can also use various tools here to block as well. Note that this does not block the Web shortcut from being deployed.

If you have launched Outlook (new), you can still use the old Outlook. Note that if the Microsoft instructions do not work, you can do a repair install of Office, and it will reinstall your desktop version.

Moving forward in the forum: If you have an issue with “Outlook,” don’t be surprised if we ask, “Which one?” Also look forward to Peter Deegan’s take on Outlook (new) two weeks from now.

Patching recommendations for consumer and home users
Perhaps the most interesting patching-related event is that Office released no security updates this month. This doesn’t mean that Microsoft isn’t fixing or removing things. For example, if you have Outlook Desktop starting with Version 2311 Build 16929.15000, you’ll now need to look out the window to check on the weather. Weather is no longer displayed on the Calendar in Outlook.

When Microsoft announces that it is removing a long-standing app such as WordPad, I always wonder why. Is it that the company recognizes it’s no longer secure and has done a risk analysis? Right after Microsoft announced that WordPad would be deprecated in September, it was patched for a security issue in October. CVE-2023-36563 discloses a vulnerability in which a malicious link could launch WordPad and leak NTLM credentials. I don’t see this as much of a risk in standalone and peer-to-peer networks; but in a business setting, anything that allows attackers to harvest credentials must be taken seriously.

As always, ensure that your browsers are up to date on all devices, including any Linux distro. I am now tracking the DuckDuckGo browser and will report about it in an upcoming newsletter.

I don’t anticipate seeing any major issues in this month’s releases because most of the attacks and patching are targeted to business users. That said, I still don’t recommend updating at this time. Keep your eye on the Master Patch List for updates.

For those of you with a new iPhone 15, install updates as soon as they are offered. Apple is in bug-squashing mode at this time. For older phones, upgrade to version 16.7.1 for both iOS and iPadOS.

Patching recommendations for business users
Before getting into the interesting patches of the month, I want to emphasize that this is the last month of updates for Server 2012 and 2012 R2. You can opt for 0Patch or plan on upgrading and migration. See resources at this page on our site.

I’m focusing on Windows, but be aware that our next bug actually impacted other operating systems as well. CVE-2023-44487, a Distributed Denial of Service (DDoS) attack against HTTP/2, impacts Internet Information Services (IIS) in Windows as well as Apache Web servers. Cloudflare has a write-up on the massive denial of service attacks it has seen.

Microsoft has specifically recommended one of two registry keys to limit RST_STREAMS per minute, depending on your needs. Bottom line: You must test to see what works for your Web servers or whether you have other mitigations in place. You can even disable the HTTP/2 protocol as per this security guide.

Be aware that the registry keys noted for Server 2022 (KB5031364) are different from what is noted in the KBs for Server 2019 (KB5031361) and Server 2016 (KB5031362). Specifically, the default value of Http2MaxClientResetsPerMinute is 400 on Server 2022, whereas on 2019 and 2016 the value is 500. In addition, Server 2022 has a new registry key:
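
For the Http2MaxClientResetsPerMinute value discussed above, this added PowerShell example (not from the article or from Microsoft) reports whether a server has an override set and which limit is in effect, using the per-version defaults the article quotes. The registry path is an assumption, since the article does not state it, and the server names in the last comment are hypothetical.

```powershell
# Added example: report the HTTP.sys HTTP/2 reset limit in effect on the
# local server or on a list of servers.
function Get-Http2ResetLimit {
    [CmdletBinding()]
    param(
        # Optional remote servers; requires PowerShell remoting to be enabled.
        [string[]]$ComputerName
    )

    $probe = {
        # Assumption: HTTP.sys parameter key; the article does not give the path.
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
        $name = 'Http2MaxClientResetsPerMinute'

        # Defaults as stated in the article, keyed by OS build number.
        $defaults = @{
            20348 = 400   # Windows Server 2022
            17763 = 500   # Windows Server 2019
            14393 = 500   # Windows Server 2016
        }
        $build   = [Environment]::OSVersion.Version.Build
        $default = $defaults[$build]   # $null for builds the article does not cover

        # A value that is absent means no override has been set.
        $configured = $null
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties.Name -contains $name) {
            $configured = [int]$props.$name
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Build      = $build
            Default    = $default
            Configured = $configured
            Effective  = if ($null -ne $configured) { $configured } else { $default }
            Overridden = ($null -ne $configured)
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
}

# Local check; pass -ComputerName web01,web02 (hypothetical names) for a fleet.
Get-Http2ResetLimit | Format-Table -AutoSize
```
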
Have your Web gurus look over what is best for you.

The only other exploited bug this month is a Skype for Business Server vulnerability, an elevation of privilege attack. Given that many of us no longer run our own Skype for Business servers, this won’t be a huge concern.

Of bigger concern to those who are still patching on-premises Exchange servers is yet another Exchange patch, released in October. If you’ve had some performance issues, you’ll want to check out the Exchange blog for more details.

New Teams client in public preview
The new Teams client is currently in preview and will be rolling out as well. If you are using Teams for the Web, you’ll start to see this hit the Chrome/Edge deployments starting in mid-November. You’ll want to review your situation and ensure you are ready for the update for Teams.

If you are using the slower patching channel (my recommendation) for Microsoft 365, and you are on the Semi-Annual Enterprise Channel, “new” Teams won’t come to that version until January 2024 and won’t be the default until March 2024.

Message queuing bugs run rampant
There are 20 Message Queuing patches, and a remote unauthenticated attacker could launch code and run attacks accordingly. Therefore, if you have port 1801 open at your perimeter, this could be a wormable attack. But of course, no one has port 1801 open — right? Right?

If you are unsure, a quick and easy way to check is to go to ShieldsUP! and click Proceed. Then, in the ShieldsUP!! Services section, enter 1801 and click User Specified Custom Port Probe. You should find it stealth or closed.

As you may have noticed above, we are dealing not only with watching out for security-patch side effects but also the impact of changes to our default applications being rolled out through Microsoft’s beloved dribbles or phased-in process. Change is disruptive and impacts productivity. I’ll be making sure I alert you to upcoming phase-ins as well as the traditional issues caused by patching.

As with anything, always make sure you have a plan to roll back from an update — or, these days, from a dribbled change that you or your users don’t want. Being sure you can roll back from any change ensures that you also know how to deal with ransomware’s impact.

When the world turns tense and uncertain, attackers take advantage of circumstances to use the digital weapons at their fingertips. In the recent Microsoft Digital Defense Report 2023, Microsoft noted:

“Nation‑state actors were not alone in stepping up their abuse of the digital ecosystem. Well‑resourced cybercriminal syndicates also continue to grow and evolve, leveraging the cybercrime-as-a-service ecosystem we highlighted last year. Ransomware‑as‑a-service and phishing-as-a-service are key threats to businesses and cybercriminals have conducted business email compromise and other cybercrimes, largely undeterred by the increasing commitment of global law enforcement resources.”

They go on to point out that the bulk of attacks would be protected with multifactor authentication, along with ensuring that you are up to date on operating system, firmware, and applications.

As always, I want you to install updates, but not until the bugs and side effects are identified and understood.

Susan Bradley is the publisher of the AskWoody newsletters.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Copyright ©2023 AskWoody Tech LLC. All rights reserved.