Patches Issued by Microsoft; Your Turn to Patch 

Microsoft has released significant software updates to address essential security vulnerabilities in its Windows operating system and related components. These updates, part of the monthly Patch Tuesday cycle, cover approximately 70 known vulnerabilities in the Windows ecosystem.

ThreatLabz researchers were able to bypass the patch that addressed 97 vulnerabilities (CVE-2023-29344) in Microsoft Office. The latest patch addresses these vulnerabilities (CVE-2023-33146), but unfortunately disables the ability to add SketchUp 3D graphics to Office documents. pic.twitter.com/NOm6YWnEzq

— Zscaler ThreatLabz (@Threatlabz) June 13, 2023

Among them are six critical issues that could allow attackers to execute malicious code on affected systems. Microsoft states that none of these vulnerabilities have been publicly disclosed or exploited.

Discovering the new threats

Of particular concern are three highly critical bugs in Windows Pragmatic General Multicast (PGM), a protocol used for reliable packet delivery among multiple network members. These vulnerabilities, identified as CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, carry a severity score of 9.8 out of 10, according to the Common Vulnerability Scoring System (CVSS). 

Source: NIST

Exploiting these bugs could enable remote unauthenticated attackers to execute arbitrary code on vulnerable systems. It is emphasized that while PGM is not commonly enabled by default, it is still an uncommon configuration.

Source: Zero-day initiative

Another noteworthy vulnerability is CVE-2023-32021, a remote code execution bug in Microsoft Exchange Server. Although this exploit requires the attacker to have an account on the Exchange server, successful exploitation could result in executing code with SYSTEM privileges.

Source: Tenable

In addition to the Windows vulnerabilities, attention is also drawn to CVE-2023-3079, a confusion flaw in Chrome (Chromium) that malware attacks have already exploited. The June patch batch from Microsoft coincides with Adobe’s release of critical patches for multiple products, including Adobe Commerce (formerly Magento), which has been identified as having a dozen vulnerabilities that could lead to code execution attacks.

Source: NIST

Forward thoughts

The Patch Tuesday is something commendable and must not stop. Microsoft has made the public aware of the vulnerabilities, security threats, and exploitations that must be known and mitigated. For more information about this report, watch.