Microsoft has fixed 78 vulnerabilities on June 2023 Patch Tuesday bringing the month’s total up to 94 including the 16 vulnerabilities in Chromium-based browsers that were patched on June 2, 2023. None of this month’s patches address vulnerabilities that are currently being exploited in the wild nor are any fixes included for zero-day bugs.
This month’s updates address 6 flaws that have been rated critical and 70 vulnerabilities that are rated important. The 6 critical flaws affect .NET and Visual Studio, Windows Hyper-V, Microsoft Office SharePoint, and three affect Windows Pragmatic General Multicast (PGM).
The Microsoft Office SharePoint flaw is an elevation of privilege vulnerability tracked as CVE-2023-29357, which has a CVSS 3.1 base score of 9.8, and is the most serious of the critical flaws with exploitation more likely. Exploitation of the flaw would allow a malicious actor to gain administrator privileges, with no privileges or user interaction required to exploit the flaw. According to Microsoft, “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user.” The attacker needs no privileges nor does the user need to perform any actions to allow the flaw to be exploited.
3 remote code execution vulnerabilities have been fixed in Windows PGM (CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015), although Microsoft considers these vulnerabilities less likely to be exploited, however, all three have a CVSS 3.1 base score of 9.8. The flaws can all be exploited by an attacker by sending a specially crafted file over the network. The flaws can only be exploited if Windows Message Queuing Service is enabled.
The .NET and Visual Studio vulnerability, tracked as CVE-2023-24897, can be exploited by a malicious actor by convincing a user to open a maliciously crafted file, such as via a website or email. If exploited, an attacker could remotely execute arbitrary code. Microsoft also considers this flaw to be less likely to be exploited.
The Windows Hyper-V flaw, tracked as CVE-2023-32013, is a denial-of-service vulnerability that is also considered to be less likely to be exploited. An attacker would be required to prepare the environment to make the exploit more reliable.
Two Microsoft Exchange Server remote code execution vulnerabilities have been patched that have both been rated important; however, Microsoft expects both vulnerabilities to be targeted. To exploit the flaws, the attacker would need to be authenticated which would allow them to trigger malicious code in the context of the server’s account through a network call. The vulnerabilities are tracked as CVE-2023-28310 (CVSS 3.1 8.0) and CVE-2023-32031 (CVSS 3.1 8.8).
Remote code execution vulnerabilities have been fixed in Microsoft Office, that could be exploited to remotely execute code. One flaw is fixed in Microsoft Outlook, tracked as CVE-2023-33131, which has a CVSS 3.1 base score of 8.8. Three remote code execution vulnerabilities have been fixed in Excel – CVE-2023-33137, CVE-2023-32029, and CVE-2023-33133 – each of which has a CVSS 3.1 severity score of 7.8, all of which can be exploited if a user can be convinced to open a specially crafted file.
A spoofing vulnerability has been fixed in OneNote that is tracked as CVE-2023-33140 and has a CVSS 3.1 base score of 6.5. Exploitation of the vulnerability requires a user to open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker. An RCE vulnerability has also been fixed in Microsoft Office, CVE-2023-33146 (CVSS 7.8), that can be exploited by tricking a user into running malicious files, but while the attacker can exploit the flaw remotely, they would need to execute malicious code from the local machine.