Microsoft Fixes 69 Bugs, but None Are Zero-Days

Published: 23/11/2024   Category: security


The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.



Microsoft’s Patch Tuesday security update for June 2023 contains patches for 69 vulnerabilities across its suite of products and software. Some of the fixed flaws were originally submitted to the Zero Day Institute during the Pwn2Own competition earlier this year in Vancouver.

Microsoft identified a total of six of the bugs it fixed this month as being of critical severity and 62 as important. Just one is rated moderate in severity. For the first time in months, Microsoft did not disclose any zero-days, vulnerabilities that are already under active attack.

The security updates address issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.
The critical elevation of privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357) was one of the bugs chained together in a successful exploit during the Pwn2Own competition, Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), wrote in a blog post. Attackers have a chance at gaining administrator privileges on the SharePoint Server if they have spoofed JSON Web Token (JWT) authentication tokens — all without requiring any user interaction. Both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

Microsoft recommended that on-premises customers enable the AMSI feature. Childs said ZDI's team had not yet tested the workaround but said that the best bet is to test and deploy the update as soon as possible.
The three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015) all have the same base severity score of 9.8 — and this is the third month that Microsoft is addressing critical severity flaws in PGM. A remote, unauthenticated attacker could send a specially crafted file over the network and execute malicious code in a Windows PGM server environment where the Windows message queuing service is running. Even though PGM is not enabled by default, many organizations have PGM in their environment since it is a protocol used for reliable multicast data delivery in Windows. PGM is commonly used in applications like video streaming and online gaming.

The fact that the attacker does not need to be authenticated makes this a particularly dangerous issue. As a temporary workaround, administrators can check if Message Queuing service is running on TCP port 1801 and disable it if not needed. Mitigations should not be considered substitutes for patching, as attackers can figure out ways to bypass the workaround and still exploit the vulnerability.
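
The workaround check described above, as an added PowerShell example that is not part of the original article or Microsoft's guidance. It assumes the service is registered under its usual name `MSMQ`; the function name `Test-MsmqExposure` and its `-Disable` switch are hypothetical names chosen for this sketch.

```powershell
# Added example: audit the Message Queuing workaround on the local host.
# Assumptions: service name "MSMQ"; Get-NetTCPConnection is available
# (Windows 8 / Server 2012 or later). Function and switch names are made up.
function Test-MsmqExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Port = 1801,   # TCP port named in the article
        [switch]$Disable     # stop and disable the service when set
    )

    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service not installed: nothing to mitigate on this host.
        return [pscustomobject]@{
            Installed = $false; Status = $null; StartType = $null
            Listening = $false; RunningDependents = @(); Disabled = $false
        }
    }

    # Record the state before any change is made.
    $status    = $svc.Status
    $startType = $svc.StartType
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # Running services that depend on MSMQ would break if it is disabled,
    # so their presence means the service is "needed" on this host.
    $dependents = @($svc.DependentServices |
        Where-Object Status -eq 'Running' |
        Select-Object -ExpandProperty Name)

    $disabled = $false
    if ($Disable -and $dependents.Count -eq 0 -and
        $PSCmdlet.ShouldProcess('MSMQ', 'Stop and disable service')) {
        Stop-Service -Name 'MSMQ' -Force
        Set-Service  -Name 'MSMQ' -StartupType Disabled
        $disabled = $true
    }

    [pscustomobject]@{
        Installed = $true; Status = $status; StartType = $startType
        Listening = ($listeners.Count -gt 0)
        RunningDependents = $dependents; Disabled = $disabled
    }
}

Test-MsmqExposure                      # report only, changes nothing
# Test-MsmqExposure -Disable -WhatIf   # preview the change before applying it
```

Run it from an elevated session; with `-Disable` it refuses to act while dependent services are running, since those hosts still need the patch rather than the workaround.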
The other two critical vulnerabilities to prioritize are the remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and the denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).

There are several vulnerabilities researchers recommend prioritizing as Microsoft considers them more likely to be exploited. The remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) would allow an authenticated attacker on the same intranet as the Exchange Server to launch a PowerShell remote session to arbitrarily execute code.
Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. This vulnerability is a bypass of two previously fixed vulnerabilities (CVE-2022-41082 was a zero-day flaw disclosed last September and patched in November, and CVE-2023-21529 patched in February). While successfully exploiting this flaw can gain SYSTEM privileges, this is not a critical-severity flaw because the attacker needs to already have an account on the Exchange server. CVE-2022-41082 is one of two so-called ProxyNotShell flaws in Exchange Server and has been used in ransomware attacks in the past.

Organizations need to prioritize fixing both Exchange vulnerabilities because attackers can chain these flaws as part of a larger campaign where they steal credentials or gain elevated privileges on the network.

Two other elevation of privilege vulnerabilities — one in the Windows graphics device interface (GDI) and the other in the Windows Win32k kernel driver — let attackers gain SYSTEM privileges.
