Microsoft has released its June 2023 Patch Tuesday update, which addresses 78 security flaws, including 38 remote code execution (RCE) vulnerabilities. Out of the 38 RCE bugs fixed, Microsoft classified only six as 'Critical,' covering denial of service attacks, remote code execution, and privilege elevation. The breakdown of vulnerabilities in each category is not included in this summary. The list also excludes the sixteen Microsoft Edge vulnerabilities that were resolved on June 2nd, 2023. This Patch Tuesday update does not contain any zero-day vulnerabilities or actively exploited bugs, easing some of the stress typically experienced by Windows administrators during this time.
While the June 2023 Patch Tuesday does not fix any zero-day vulnerabilities, some notable flaws are addressed, such as CVE-2023-29357 - Microsoft SharePoint Server Elevation of Privilege Vulnerability. Microsoft has resolved a privilege elevation vulnerability in Microsoft SharePoint that could enable attackers to take on the privileges of other users, including administrators. According to Microsoft's advisory, "An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user." Although Microsoft reports the bug is actively exploited, no details on how it was abused are available. The vulnerability was discovered by Jang (Nguyễn Tiến Giang) of StarLabs SG.
Another significant flaw addressed is CVE-2023-32031 - Microsoft Exchange Server Remote Code Execution Vulnerability. Microsoft has fixed a Microsoft Exchange vulnerability that allows an authenticated attacker to execute code remotely. Microsoft's advisory states, "The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call."
Additionally, Microsoft has released several Microsoft Office updates for vulnerabilities that allow threat actors to use maliciously crafted Excel and OneNote documents to perform remote code execution. These vulnerabilities are tracked as CVE-2023-33133 (Excel), CVE-2023-33137 (Excel), CVE-2023-33140 (OneNote), and CVE-2023-33131 (Outlook). The OneNote and Outlook flaws require a user to click on a link in the malicious file or email.
Other vendors who released updates or advisories in June 2023 are not mentioned in this summary. The full list of resolved vulnerabilities in the June 2023 Patch Tuesday updates can be found in the original article, which also provides access to the complete description of each vulnerability and the affected systems.