Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023.
Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderate, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser.
It's worth noting that Microsoft also closed out 26 other flaws in Edge – all of them rooted in Chromium itself – since the release of May Patch Tuesday updates. This comprises CVE-2023-3079, a zero-day bug that Google disclosed as being actively exploited in the wild last week.
The June 2023 updates also mark the first time in several months that doesn't feature any zero-day flaw in Microsoft products that's publicly known or under active attack at the time of release.
Topping the list of fixes is CVE-2023-29357 (CVSS score: 9.8), a privilege escalation flaw in SharePoint Server that could be exploited by an attacker to gain administrator privileges.
"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft said. "The attacker needs no privileges nor does the user need to perform any action."
Also patched by Redmond are three critical remote code execution bugs (CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, CVSS scores: 9.8) in Windows Pragmatic General Multicast (PGM) that could be weaponized to "achieve remote code execution and attempt to trigger malicious code."
Microsoft previously addressed a similar flaw in the same component (CVE-2023-28250, CVSS score: 9.8), a protocol designed to deliver packets between multiple network members in a reliable manner, in April 2023.
Also resolved by the tech giant are two remote code execution bugs impacting Exchange Server (CVE-2023-28310 and CVE-2023-32031) that could permit an authenticated attacker to achieve remote code execution on affected installations.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
- Google Chrome
- Hitachi Energy
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Mitsubishi Electric
- MOVEit Transfer
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Schneider Electric
- Trend Micro
- Zoom, and