Microsoft has released its Patch Tuesday security update for June 2023, which includes patches for a total of 69 vulnerabilities across its suite of products and software. Among the flaws fixed in this update are several that were initially discovered during the Zero Day Initiative’s Pwn2Own competition earlier this year in Vancouver.
Of the 69 vulnerabilities, Microsoft rates six as critical and 62 as important; only one is rated moderate. Notably, this month’s update contains no zero-day vulnerabilities, that is, flaws already under active attack at the time of the patch.
The security updates address various issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.
One of the critical vulnerabilities patched this month is a privilege elevation vulnerability in Microsoft SharePoint Server (CVE-2023-29357). This vulnerability was part of a successful exploit chain demonstrated at the Pwn2Own competition. An attacker could gain administrator privileges on the SharePoint Server by presenting spoofed JSON Web Token (JWT) authentication tokens, without requiring any user interaction. The vulnerability affects both SharePoint Enterprise Server 2016 and SharePoint Server 2019. In response, Microsoft has recommended that on-premises customers enable the AMSI (Antimalware Scan Interface) integration feature to mitigate this vulnerability.
Another set of critical vulnerabilities that organizations should prioritize patching is the three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015). These vulnerabilities carry a base severity score of 9.8, and this is the third consecutive month in which Microsoft has patched flaws in this component. They allow a remote, unauthenticated attacker to send a specially crafted file over the network and execute malicious code in a Windows PGM server environment. Although PGM is not enabled by default, many organizations have it in their environment for applications such as video streaming and online gaming. As a temporary mitigation, administrators can check whether the Message Queuing (MSMQ) service is running and listening on TCP port 1801 and disable it if it is not needed.
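The MSMQ check and temporary mitigation described above, written out as an added PowerShell audit script. This is an example added here, not code from the original article or from Microsoft; it assumes an elevated PowerShell session on the affected Windows host, that the service is registered under the name MSMQ, and the `-Disable` switch is the script's own parameter rather than a Microsoft option.

```powershell
# Added example: audit whether Message Queuing (MSMQ), which carries the
# Windows PGM transport, is running and listening on TCP 1801, and optionally
# stop and disable it as a temporary mitigation until the June 2023 patches
# are applied. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    # Audit-only by default; pass -Disable to stop the service and disable its start type.
    [switch]$Disable
)

$msmqPort = 1801   # TCP port used by the MSMQ service (constructed constant for this script)

# 1. Is the Message Queuing service installed, and what state is it in?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSMQ service is not installed on this host; no PGM exposure via MSMQ.'
    return
}
Write-Output ('MSMQ service status: {0} (start type: {1})' -f $svc.Status, $svc.StartType)

# 2. Is anything actually listening on TCP 1801, and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort $msmqPort -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ('Listening on {0}:{1} owned by PID {2} ({3})' -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output "No process is listening on TCP $msmqPort."
}

# 3. Temporary mitigation: stop the service and prevent it from starting again.
#    Only do this when nothing on the host depends on MSMQ; patching is the real fix.
if ($Disable) {
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name 'MSMQ' -Force
        Write-Output 'MSMQ service stopped.'
    }
    Set-Service -Name 'MSMQ' -StartupType Disabled
    Write-Output "MSMQ start type set to Disabled. Re-run without -Disable to confirm TCP $msmqPort is closed."
}
```

Run the script with no arguments to record the current state (service status, start type, and any listener on 1801) before changing anything, and with `-Disable` only on hosts where nothing uses Message Queuing, since disabling the service breaks applications that depend on it. The audit output is also worth keeping as evidence of exposure when prioritising which hosts receive the PGM patches first.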
Two other critical vulnerabilities that should be prioritized in the patching process are a remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and a denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).
Apart from the critical vulnerabilities, researchers also recommend prioritizing several vulnerabilities that are considered “more likely” to be exploited. For example, there is a remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) that would allow an authenticated attacker on the same intranet as the Exchange Server to launch a PowerShell remote session and execute arbitrary code. Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. It is important to address these vulnerabilities as attackers could potentially chain them as part of a larger campaign to steal credentials or gain elevated privileges on the network.
In conclusion, Microsoft’s Patch Tuesday update for June 2023 addresses a significant number of vulnerabilities across its products and software. While there were no zero-day vulnerabilities disclosed this month, organizations should prioritize patching the critical vulnerabilities, as well as those that are considered “more likely” to be exploited. Implementing these security updates will help protect systems and prevent potential attacks from exploiting these vulnerabilities.