Microsoft has released fixes for the Windows operating system and other software components to address major security flaws as part of its Patch Tuesday update for June 2023.
Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderate, and one is rated Low in severity. The total also includes three issues that the tech giant addressed in its Chromium-based Edge browser.
It is worth noting that Microsoft also closed 26 other flaws in Edge, all rooted in Chromium itself, since the release of the May Patch Tuesday update. These include CVE-2023-3079, a zero-day bug that Google disclosed last week as being actively exploited in the wild.
The June 2023 update also marks the first time in months that the release features no zero-day flaws in Microsoft products that were either publicly known or under active attack at the time of release.
Topping the list of fixes is CVE-2023-29357 (CVSS score: 9.8), a privilege escalation flaw in SharePoint Server that could be exploited by an attacker to gain administrator privileges.
“An attacker who has gained access to a spoofed JWT authentication token could use it to execute network attacks that bypass authentication and allow them to gain access to authenticated user privileges,” Microsoft said. “The attacker doesn’t need any special privileges nor does the user need to take any action.”
Also patched by Redmond are three critical remote code execution bugs (CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, CVSS scores: 9.8) in Windows Pragmatic General Multicast (PGM) that could be weaponized to “achieve remote code execution and attempt to trigger malicious code”.
Microsoft previously addressed a similar flaw (CVE-2023-28250, CVSS score: 9.8) in the same component, a protocol designed to reliably transmit packets between multiple network members, in April 2023.
Also resolved by the tech giant are two remote code execution bugs impacting Exchange Server (CVE-2023-28310 and CVE-2023-32031) that could allow an authenticated attacker to achieve remote code execution on affected installations.
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors over the past few weeks to fix several vulnerabilities, including —