In its latest Patch Tuesday release, Microsoft has unveiled a comprehensive set of security updates to address a total of 70 vulnerabilities. This batch of updates includes critical fixes for Windows, SharePoint, Visual Studio/.NET, and other Microsoft products.
“This month’s Patch Tuesday includes fixes for 70 CVEs (we’ve omitted the AutoDesk and GitHub CVEs from our count). Of the 70 CVEs patched this month, there are six rated critical, 62 rated important, one rated moderate and one rated low. This month marks the first time that there were no zero-days patched – either publicly disclosed or exploited in the wild,” noted Satnam Narang, sr. staff research engineer at Tenable.
Expanded Scope of Patch Tuesday Announcements
In an unusual occurrence, Microsoft also provided information on 25 patches from external sources such as Chromium (Google), GitHub, and Autodesk, alongside its own patches.
Among these, 17 patches address vulnerabilities in the Edge browser, originating from both Google and Microsoft.
One of these patches, CVE-2023-3079, addresses a V8 type-confusion issue known to be actively exploited in the wild. The V8 engine is developed by the Chromium Project and used in various applications, including Edge.
None of the addressed vulnerabilities have been publicly disclosed at the time of patch release, except for the information-only patches disclosed earlier.
However, Microsoft warns that eight of the addressed issues are likely to be exploited in the near future, within the next 30 days, in either the latest or earlier versions of the affected products.
Notably, Microsoft does not provide guidance on the likelihood of exploitation in earlier versions compared to the latest versions for any of their patches.
Vulnerability Details and Impact
Two remote code execution vulnerabilities were patched this month in Microsoft Exchange Server, which has been a ripe target for attackers over the last few years,” added Satnam.
Both flaws are rated as important but are considered more likely to be exploited compared to some of the other vulnerabilities patched this month.
Unlike past Microsoft Exchange Server flaws that were rated higher and did not require authentication, these vulnerabilities require an attacker to be authenticated. That said, attackers can still potentially exploit these flaws if they’re able to obtain valid credentials, which is not as difficult as you’d expect,” he concluded.
Patch Statistics and Trends
The latest Patch Tuesday release continues to highlight the prevalence of remote code execution vulnerabilities, accounting for 26 of the addressed Common Vulnerabilities and Exposures (CVEs).
Remote code execution vulnerabilities pose a significant risk as they allow attackers to execute malicious code on a targeted system, potentially leading to unauthorized access, data breaches, or system compromise.
Elevation of privilege vulnerabilities follow closely with 17 CVEs addressed in the update.
Exploiting elevation of privilege vulnerabilities enables attackers to gain higher levels of access or permissions than originally intended, granting them increased control over the compromised system.
This type of vulnerability is often exploited as part of a multi-stage attack to achieve greater control and persistence within a targeted network.
Other vulnerabilities addressed in the Patch Tuesday release include denial of service, spoofing, information disclosure, and security feature bypass.
Denial of service vulnerabilities can disrupt services and render systems unresponsive, while spoofing vulnerabilities allow attackers to impersonate legitimate entities and deceive users.
Information disclosure vulnerabilities may expose sensitive data, and security feature bypass vulnerabilities can undermine the effectiveness of built-in security mechanisms.
Windows remains the most heavily targeted product family, with over half of the patches aimed at addressing vulnerabilities within the operating system.
This highlights the importance of prioritizing Windows security updates to ensure the protection of critical systems and data.
As of June 2023, Microsoft has released a total of 450 security updates, underscoring the company’s commitment to proactive security measures and ongoing protection of its products.
