Microsoft rolls out fixes for 69 CVEs through the June 2023 Patch Tuesday
Updated on June 14, 2023
It’s June and we are already enjoying the summer, but Windows users are also looking towards Microsoft, in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We’ve already provided the direct download links for the cumulative updates released today for Windows 10 and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.
This month, the Redmond-based tech giant released 69 new patches, which is a lot more than some people were expecting in the middle of the summer.
These software updates address CVEs in:
We’re going to take a more in-depth look at this release and see exactly what vulnerabilities we can scratch off our lists.
Microsoft managed to eliminate 69 OS vulnerabilities
It goes without saying that this is neither one of the busiest nor one of the lightest months for Microsoft security experts.
You might like to know that, out of the 69 new CVEs released, six are rated Critical, 62 are rated Important, and one is rated Moderate in severity.
Notably, this volume of fixes is a bit larger than what we all expected for June, but not extraordinary, so there’s no need to worry.
It’s important to know that none of the new bugs patched this month are listed as publicly known or under active attack at the time of release.
Let’s talk about CVE-2023-32031 for a second. This vulnerability, in case you didn’t already know, is actually a bypass of both CVE-2022-41082 and CVE-2023-21529.
Remember that the former was listed as being under active exploit, and this specific flaw exists within the Command class.
The issue started from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.
Even though this does require the attacker to have an account on the Exchange server, successful exploitation could lead to executing code with SYSTEM privileges.
Looking at CVE-2023-29363/32014/32015, we can tell that these three bugs look identical on paper, and all are listed as a CVSS 9.8.
They allowed a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment.
While not enabled by default, PGM isn’t an uncommon configuration, so we do hope these bugs get fixed before any active exploitation starts.
There are only two other Critical-rated bugs in this month’s release, with the first appearing to affect all supported versions of .NET, .NET Framework, and Visual Studio.
In fact, it’s an open-and-own sort of exploit, but judging by the Critical rating, it appears there are no warning dialogs when opening the dodgy file.
The second Critical-rated fix for June addresses a Denial-of-Service (DoS) bug in the Hyper-V server, so the Critical rating implies a guest OS could potentially shut down the host OS, or at least cause some form of a DoS condition.
The June 2023 Patch Tuesday rollout includes fixes for four security feature bypass (SFB) bugs, and two of these involve bypassing the check RPC procedure.
If left unchecked, they could allow the execution of RPC procedures that should otherwise be restricted when making calls to an SMB server.
Know that the bug in RDP requires someone to open a specially crafted file, but if the attacker can convince the user to take that action, they could bypass certificate or private key authentication when establishing a Remote Desktop Protocol session.
Let’s also mention the final SFB patch, which is the Low-severity bug in Edge that could allow attackers to bypass the permissions dialog feature when clicking on a URL.
Going through the remaining DoS fixes for June, the vast majority offer no additional details, so it’s not clear whether an attack would only impact the component or the entire system.
These above-mentioned bugs in the CryptoAPI service may impact authentication actions, but that’s just speculation based on the component.
Alexandru Poloboc
Tech Journalist