
Microsoft fixes six critical bugs on Patch Tuesday

Microsoft has addressed six critical vulnerabilities in this month’s Patch Tuesday which, for the first time since March 2022, did not feature any new zero-day bug fixes.

The six critical vulnerabilities include four remote code execution (RCE) bugs: three in Windows Pragmatic General Multicast (PGM) and one in .NET/Visual Studio.

The other two critical vulnerabilities were an elevation of privilege bug in SharePoint Server and a denial-of-service bug in Windows Hyper-V, the latter carrying a comparatively low CVSSv3 score of 6.5 despite its critical rating.

It also included patches for a further 67 CVEs that were rated as less than critical, along with 22 previously released third-party fixes Microsoft added to its Security Update Guide.

Of the six bugs rated as critical, the SharePoint vulnerability (CVE-2023-29357) was the only one flagged by Microsoft as “exploitation more likely”, meaning it should be a priority for security teams to address. It has a very high CVSSv3 score of 9.8 and, while it has not been spotted in the wild, allows attackers to use spoofed JSON Web Tokens (JWTs) to gain Administrator privileges on the SharePoint host.

The three critical remote code execution vulnerabilities in Windows PGM – CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 – also carry CVSS scores of 9.8. They allow an attacker to send a specially crafted file over the network to trigger malicious code, but only when the Windows message queuing service is running in a PGM server environment.

Adam Barnett, lead software engineer at security vendor Rapid7, said June was the third month in a row to include at least one critical RCE bug in Windows PGM.

“Microsoft hasn’t detected exploitation or disclosure for any of these, and considers exploitation less likely [than the SharePoint vulnerability], but a trio of critical RCEs with a base [severity] score of 9.8 will deservedly attract a degree of attention,” he said.

“As with previous similar vulnerabilities, only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t enabled by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine.”
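Because the PGM bugs are only reachable when MSMQ (and its multicast transport) is actually present, the first question for a defender is whether a given host meets that precondition at all. The following PowerShell triage is an added example, not code from the article or from Rapid7; the optional-feature names (MSMQ-Server, MSMQ-Multicast), the RMCAST driver service name and the default MSMQ port are assumed to match standard Windows naming and should be checked against your own builds.

```powershell
# Added example: triage a Windows host for the MSMQ/PGM exposure discussed above.
# Run from an elevated PowerShell session. Feature, service and port names are
# assumptions based on standard Windows naming, not taken from the article.

$ErrorActionPreference = 'SilentlyContinue'

# 1. Is the Message Queuing service installed at all, and is it running?
$msmq = Get-Service -Name MSMQ
if ($msmq) {
    "MSMQ service present: Status=$($msmq.Status), StartType=$($msmq.StartType)"
} else {
    "MSMQ service not installed: PGM RCE precondition is not met on this host"
}

# 2. Which MSMQ optional features are enabled? MSMQ-Multicast is the component
#    that brings in the PGM transport; MSMQ-Server alone does not expose PGM.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'MSMQ*' } |
    Select-Object FeatureName, State |
    Format-Table -AutoSize

# 3. Is the Reliable Multicast (PGM, RMCAST.sys) driver service present/running?
#    PGM rides directly on IP (protocol 113), so it does not show up as a TCP listener.
$rmcast = Get-Service -Name RMCAST
if ($rmcast) { "RMCAST (PGM) driver: $($rmcast.Status)" } else { "RMCAST (PGM) driver not present" }

# 4. Is MSMQ itself reachable over the network? TCP 1801 is its default port.
Get-NetTCPConnection -LocalPort 1801 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. Most recent updates applied. Cross-check the KB number for this build against
#    the Security Update Guide entries for CVE-2023-29363/32014/32015.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

If step 2 shows MSMQ-Multicast enabled on a host that has no business need for it (Exchange, as Barnett notes, pulls MSMQ in silently), removing the feature with `Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast` closes the PGM attack surface independently of patch status; patching still matters for the other MSMQ-related fixes.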

Exploiting the critical .NET/Visual Studio vulnerability (CVE-2023-24897), which has a CVSS score of 7.8, requires an attacker to entice the victim into opening a specially crafted malicious file, usually from a website, Barnett said.

“Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years.”

In a June Patch Tuesday blog post, Dustin Childs of Trend Micro’s Zero Day Initiative said the bug appeared to impact all supported versions of .NET, .NET Framework, and Visual Studio.

“It’s an open-and-own sort of exploit, but guessing by the Critical rating, it appears there are no warning dialogs when opening the dodgy file,” he said.

The Windows Hyper-V DoS vulnerability (CVE-2023-32013) had a CVSS score of 6.5. “The Critical rating here implies a guest OS could potentially shut down the host OS, or at least cause some form of a DoS condition,” Childs said.

The other 61 non-critical vulnerabilities covered by Microsoft this month spanned a range of environments and solutions including Windows, Office, Exchange Server, Visual Studio, Teams, Azure DevOps, Dynamics and Remote Desktop Client.

As with the critical vulnerabilities, RCE bugs featured prominently, accounting for 22 – or more than a third – of the CVEs rated “important.”

“This volume of fixes is slightly larger than the typical number of fixes for June, but not extraordinarily so,” Childs said.

“July tends to be a larger month as it is the last patch Tuesday before the Black Hat USA conference. It will be interesting to see if this trend continues.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
