Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.
June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”
Top of the list on that front is CVE-2023-29357, which is a “critical” bug in Microsoft SharePoint Server that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).
“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”
There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the Windows Pragmatic General Multicast (PGM), which is used for delivering multicast data — such as video streaming or online gaming.
Security firm Action1 says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.
It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using Microsoft Exchange for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.
Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.
“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Microsoft has released security updates for 78 flaws for June's Patch Tuesday, and luckily for admins, none of these are under exploit.…
The last of the three men said to be responsible for infecting Windows computers with the banking trojan Gozi has been sentenced to three years.…
Webinar It seems no longer possible to imagine whether it's just a case of if a security breach will occur within your organization, or if malicious actors will exploit a vulnerability to play havoc with your data. Rather, it's just a question of when.…
Updated Office Open XML (OOXML) Signatures, an Ecma/ISO standard used in Microsoft Office applications and open source OnlyOffice, have several security flaws and can be easily spoofed.…
Sponsored Feature When military historians come to chronicle the first 15 months of the Russian invasion of Ukraine, they won't find any shortage of battlefront bulletins to inform their accounts.…
Two more organizations hit in the mass exploitation of the MOVEit file-transfer tool have been named – the Minnesota Department of Education in the US, and the UK's telco regulator Ofcom – just days after security researchers discovered additional flaws in Progress Software's buggy suite.…
China's cyber-ops against the US have shifted from espionage activities to targeting infrastructure and societal disruption, the director of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly told an Aspen Institute event on Monday.…
Asia In Brief India's government has denied its Co-WIN COVID-19 vaccination management platform has leaked data, but ordered an investigation into the program's security.…
American prosecutors have unsealed an indictment against two Russians who allegedly had a hand in the ransacking and collapse of Mt Gox a decade ago, an implosion that cost the cryptocurrency exchange's thousands of customers most of their digital coins.…
Fortinet has patched a critical bug in its FortiOS and FortiProxy SSL-VPN that can be exploited to hijack the equipment.…
Miscreants targeting Discord and Twitter accounts have stolen more than $3.3 million in cryptocurrency from 2,300 victims so far in an ongoing campaign that started in April and saw the highest spike in activity earlier this month.…
Microsoft stands accused by cyber intelligence firm Hold Security of violating an agreement between the pair by misusing Hold's database of more than 360 million sets of credentials culled from the dark web.…
Updated A UK agency for freelance doctors has potentially exposed personal details relating to 3,200 individuals via unsecured S3 buckets, which one expert said could be used to launch ID theft attacks or blackmail.…
Infosec in brief Security firms helping Progress Software dissect the fallout from a ransomware attack against its MOVEit file transfer suite have discovered an additional exploitable bug.…
Two flaws in Microsoft software are under attack on systems that haven't been patched by admins.…
The FBI doesn't want to lose its favorite codified way to spy, Section 702 of the US Foreign Intelligence Surveillance Act. In its latest salvo, the agency's deputy director Paul Abbate called it "absolutely critical for the FBI to continue protecting the American people."…
Japanese pharma giant Eisai today confirmed to The Register that "there is no imminent risk of stock shortage" after it was hit by ransomware at the weekend.…
A crimeware group that usually targets individuals and SMBs in North America and Europe adds cyberespionage to its activities
The post Mixing cybercrime and cyberespionage – Week in security with Tony Anscombe appeared first on WeLiveSecurity