Microsoft June Security Update Targets 6 'Critical' Holes
Microsoft's monthly cumulative security update arrived on Tuesday with 69 bulletins to address vulnerabilities across the company's product and service line.
While June's batch is almost double March's 38-bulletin release, the good news is that this month includes no zero-day fixes, whereas last month's had three. Microsoft is issuing six bulletins rated "critical" alongside the remaining 63 items, and IT should prioritize those six patches first.
A highlight of this month is CVE-2023-29357, a fix for a SharePoint Server elevation of privilege flaw that was discovered during March's Pwn2Own Vancouver security contest. According to Microsoft, an attacker who obtains a spoofed JSON Web Token could use it to bypass authentication and gain access to the system.
Attacks could also go far beyond system access, said Dor Segal, senior research tech lead at security firm Silverfort. "It’s currently unclear whether the access permissions are to the SharePoint application or to the server itself, meaning the impact of any exploitation attempts could range from data theft to initial access into a domain environment. This would explain its high CVSS score [of 9.8]."
Microsoft has also pointed out that some users may already be protected from this flaw, saying that those who have "enabled the AMSI integration feature and use Microsoft Defender across their SharePoint Server farm(s) are protected from this vulnerability."
For the third patch release in a row, Microsoft is addressing remote code execution issues in Windows Pragmatic General Multicast (PGM). This month sees three critical bulletins (CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015) issued to address the recurring issue.
If left unpatched, they can enable remote, unauthenticated attackers to execute code on systems where the message queuing service is running in the PGM Server environment. They should not go unpatched, as all three carry an alarming CVSS score of 9.8. All three bulletins affect all currently supported Windows OS and Windows Server versions.
The fifth critical item this month, CVE-2023-24897, also deals with a remote code execution vulnerability -- this time in Microsoft .NET Framework and Visual Studio. While details are sparse, Dustin Childs of the Zero Day Initiative blog theorizes that its critical rating may be connected to security software's inability to spot an oncoming attack. "It's an open-and-own sort of exploit, but guessing by the Critical rating, it appears there are no warning dialogs when opening the dodgy file," wrote Childs.
Finally, this month's last critical item is CVE-2023-32013, a denial of service vulnerability in Windows Hyper-V. According to the bulletin, "successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability." Microsoft said those running any currently supported versions of Windows OS and Windows Server are at risk.
The full list of this month's bulletins can be found here.