Microsoft Fixes 69 Bugs, but None Are Zero-Days

Microsoft’s Patch Tuesday security update for June 2023 contains patches for 69 vulnerabilities across its suite of products and software. Some of the fixed flaws were originally submitted to the Zero Day Institute during the Pwn2Own competition earlier this year in Vancouver.

Microsoft identified a total six of the bugs it fixed this month as being of critical severity and 62 as important. Just one is rated moderate in severity. For the first time in months, Microsoft did not disclose any zero-days, vulnerabilities that are already under active attack.

Prioritizing Patches for Critical Bugs

The security updates address issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.

The critical elevation of privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357) was one of the bugs chained together in a successful exploit during the Pwn2Own competition, Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), wrote in a blog post. Attackers have a chance at gaining administrator privileges on the SharePoint Server if they have spoofed JSON Web Token (JWT) authentication tokens — all without requiring any user interaction. Both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

Microsoft recommended that on-premises customers enable the AMSI feature. Childs said ZDI's team had not yet tested the workaround but said that the "best bet is to test and deploy the update as soon as possible."

The three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015) all have the same base severity score of 9.8 — and this is the third month that Microsoft is addressing critical severity flaws in PGM. A remote, unauthenticated attacker could send a specially crafted file over the network and execute malicious code in a Windows PGM server environment where the Windows message queuing service is running. Even though PGM is not enabled by default, many organizations have PGM in their environment since it is a protocol used for reliable multicast data delivery in Windows. PGM is commonly used in applications like video streaming and online gaming.

The fact that the attacker does not need to be authenticated makes this a particularly dangerous issue. As a temporary workaround, administrators can check if Message Queuing service is running on TCP port 1801 and disable it if not needed. Mitigations should not be considered substitutes for patching, as attackers can figure out ways to bypass the workaround and still exploit the vulnerability.

The other two critical vulnerabilities to prioritize are the remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and the denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).

Prioritize the "More Likely" to Be Exploited Ones, Too

There are several vulnerabilities researchers recommend prioritizing as Microsoft considers them "more likely" to be exploited. The remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) would allow an authenticated attacker on the same intranet as the Exchange Server to launch to a PowerShell remote session to arbitrarily execute code.

Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. This vulnerability is a bypass of two previously fixed vulnerabilities (CVE-2022-41082 was a zero-day flaw disclosed last September and patched in November, and CVE-2023-21529 patched in Feburary). While successfully exploiting this flaw can gain SYSTEM privileges, this is not a critical-severity flaw because the attacker needs to already have an account on the Exchange server. CVE-2022-41082 is one of two so-called "ProxyNotShell" flaws in Exchange Server and has been used in ransomware attacks in the past.

Organizations need to prioritize fixing both Exchange vulnerabilities because attackers can chain these flaws as part of a larger campaign where they steal credentials or gain elevated privileges on the network.

Two other elevation of privilege vulnerabilities — one in the Windows graphics device interface (GDI) and the other in the Windows Win32k kernel driver — lets attackers gain SYSTEM privileges.