Mitigations and workarounds
Microsoft released the following vulnerability-related mitigation:
- CVE-2024-26232: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability. Microsoft helpfully notes that the MSMQ feature is rarely needed and can be disabled, reducing exposure to this vulnerability. Yep.
Each month, the Readiness team analyzes the latest updates and provides detailed, actionable testing guidance; the recommendations are based on a large application portfolio and detailed analysis of the patches and their potential impact on Windows and apps.
For this release cycle, we grouped the critical updates and required testing efforts into functional areas, including:
File management
- Test scenarios involving tar.exe or the native support of archives in Windows.
- Test end-to-end scenarios involving File Management Tasks and Storage Reports Management.
Crypto (local security mechanisms)
- Test scenarios that utilize Crypto APIs. Please pay special attention to any operation that relies on CryptDecodeObject or CryptDecodeObjectEx.
- Test your cryptographic operations and key generation, particularly in VTL1 environments.
- Test out variations of replications on different types and sizes of files and folders.
Networking (DHCP and DNS)
- Test functional scenarios where Client DUID is a required parameter.
- Send Message with VendorOption of DomainName.
- Check whether the client UID is provided to the RPC API.
- Test DNS virtual instance and zone management scenarios.
Remote desktop and connections
- Test out point-to-point connections and RRAS servers using the MPRAPI protocols.
- Test your VPN connections with a connect/disconnect, delete and repeat test cycle.
Automated testing will help with these scenarios (especially a testing platform that offers a “delta” for comparison between builds). However, for your line-of-business apps, getting the application owner (doing UAT) to test and approve the results is absolutely essential.
There have been a large number (24 of this month’s total of 164) of updates to Microsoft SQL components in Windows and to how OLE operates with other Windows features. Applications that require these kinds of “cooperative” interactions are generally complex line-of-business applications. Troubleshooting these update scenarios requires specialist application expertise and can be very time-consuming.
To prevent downtime, expensive faults and potentially damaging compliance issues, we fully recommend an audit of your application portfolio, identifying SQLOLE, OLEDB, and ODBC dependencies with an assessment and testing plan before general deployment of this month’s patches.
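As a starting point for the dependency audit recommended above, the following added example (not from Microsoft or the Readiness team) scans application config and script files for OLE DB providers, ODBC drivers/DSNs and legacy SQLOLE ProgIDs, then groups the hits per application. The marker patterns, file extensions, the one-folder-per-application layout and the sample files are assumptions made for illustration.

```python
import os
import re

# Assumed markers: common connection-string conventions, not taken from the article.
PATTERNS = {
    "OLEDB": re.compile(r"\bProvider\s*=\s*(?:SQLOLEDB|MSOLEDBSQL|SQLNCLI\d*"
                        r"|Microsoft\.(?:ACE|Jet)\.OLEDB\.[\d.]+)", re.I),
    "ODBC": re.compile(r"\b(?:Driver\s*=\s*\{[^}]+\}|DSN\s*=\s*[^;\"'\s]+)", re.I),
    "SQLOLE": re.compile(r"\bSQLOLE(?:\.\w+)?\b", re.I),  # legacy COM ProgID prefix
}
EXTENSIONS = (".config", ".ini", ".json", ".udl", ".vbs", ".ps1", ".bat")  # assumed

# Constructed sample portfolio: relative path -> file content.
SAMPLES = {
    "payroll/web.config": '<add connectionString="Provider=SQLOLEDB;Data Source=sql01" />\n',
    "reports/settings.ini": "[db]\nconn=Driver={ODBC Driver 17 for SQL Server};Server=sql02;\n"
                            "backup=DSN=LegacyWarehouse;UID=report\n",
    "legacy/admin.vbs": 'Set srv = CreateObject("SQLOLE.SQLServer")\n',
    "intranet/app.json": '{"api": "https://example.invalid/v1"}\n',
}

def scan_text(path, text):
    """Return (path, line_no, kind, matched_text) for every marker found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, line_no, kind, match.group(0)))
    return findings

def audit(files):
    """Map each application (first path component) to the dependency kinds it uses."""
    report = {}
    for path, text in files.items():
        app = path.replace(os.sep, "/").split("/", 1)[0]
        for _, _, kind, _ in scan_text(path, text):
            report.setdefault(app, set()).add(kind)
    return report

def load_tree(root):
    """Read matching files under root into the {relative_path: text} form audit() expects."""
    files = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXTENSIONS):
                full = os.path.join(folder, name)
                with open(full, encoding="utf-8", errors="replace") as handle:
                    files[os.path.relpath(full, root)] = handle.read()
    return files

if __name__ == "__main__":
    for app, kinds in sorted(audit(SAMPLES).items()):
        print(f"{app}: test before deployment ({', '.join(sorted(kinds))})")
```

Run `audit(load_tree(path))` against a checkout of your own application configs; applications that appear in the report are the ones to put on the assessment and testing plan, and no hits only means no marker was found in the scanned file types.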