What just happened? Microsoft has released its June 2023 Patch Tuesday update with fixes for 78 security flaws, including 38 remote code execution (RCE) vulnerabilities in Windows and Windows Components, Office and Office Components, Exchange Server, Edge browser, SharePoint Server, .NET and Visual Studio, Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.
Six out of the thirty-eight RCE bugs were listed as 'critical,' including some that could potentially lead to denial of service (DoS) attacks and privilege elevation. As noted by Bleeping Computer, this Patch Tuesday release does not fix any zero-day vulnerabilities, but it is still an important update, given the sheer number of flaws it fixes, including many that have been categorized as 'critical.'
The list of patched bugs includes 17 privilege elevation vulnerabilities, 2 security feature bypass vulnerabilities, 32 RCE vulnerabilities, 5 information disclosure vulnerabilities, 10 DoS vulnerabilities, 10 spoofing vulnerabilities, and 1 Edge vulnerability stemming from a flaw in the Chromium code base. However, it does not include the 16 Edge flaws that were fixed via a security bulletin rolled out earlier this month.
One of the more notable flaws that has been addressed by the latest Patch Tuesday is a privilege elevation vulnerability in Microsoft SharePoint, tracked as CVE-2023-29357. According to Microsoft, the vulnerability enabled attackers to take on the privileges of other users, including administrators. The bug was reportedly being actively exploited in the wild, but there are no details about it as of now.
Another notable bug quashed with the incoming update is a Microsoft Exchange remote code execution vulnerability, tracked as CVE-2023-32031. The bug reportedly permits authenticated remote code execution, and according to Microsoft's advisory, allows the attacker to "trigger malicious code in the context of the server's account through a network call." Unlike the SharePoint bug, however, there's no report of it being exploited in the wild.
Apart from the aforementioned bugs, Microsoft also patched a number of vulnerabilities in Office components, including Excel, Outlook and OneNote. According to the company, some of these allowed attackers to use maliciously crafted Excel and OneNote documents to perform remote code execution. Overall, the June 2023 Patch Tuesday update brings a number of important patches for Microsoft products, so download and install it on your device as soon as possible to maintain your online security.
Meanwhile, in related news, Windows 10 version 21H2 reached end of service (EoS) this week, meaning Microsoft will no longer release updates for that version of Windows 10 Home, Pro, Pro Education and Pro for Workstations. People running the outdated version should update their systems to Windows 10 version 22H2, which will be supported until October 2025.