It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for June 2023

For June, Adobe released four patches addressing 18 CVEs in Adobe Commerce, Substance 3D Designer, Adobe Animate, and Experience Manager. The bug in Substance 3D Designer was found by ZDI researcher Mat Powell and could lead to arbitrary code execution when opening a specially crafted file. The patch for Commerce is the largest this month with a dozen total fixes. Most of these are Important or Moderate rated Security Feature Bypasses (SFB), but there is a lone Critical-rate code execution bug in there as well. The fix for Adobe Animate also addresses a lone code execution bug. The patch for Experience Manager fixes four bugs, but none are Critical. There are three Important-rated cross-site scripting (XSS) bugs getting fixes plus one more SFB.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for June 2023

This month, Microsoft released 69 new patches addressing CVES in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; Microsoft Edge (Chromium-based); SharePoint Server; .NET and Visual Studio; Microsoft Teams; Azure DevOps; Microsoft Dynamics; and the Remote Desktop Client. This is in addition to 25 CVEs that were previously released by third parties and are now being documented in the Security Updates Guide.

A total of five of these bugs were submitted through the ZDI program. This includes fixes for some of the bugs submitted at the Pwn2Own Vancouver contest. The SharePoint and local privilege escalations should be addressed with these fixes. However, we’re still awaiting the fixes for the Teams bugs demonstrated during the competition.

Of the new patches released today, six are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume of fixes is slighter larger than the typical number of fixes for June, but not extraordinarily so. July tends to be a larger month as it is the last patch Tuesday before the Black Hat USA conference. It will be interesting to see if this trend continues.

None of the CVEs released today are listed as being publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a familiar-looking bug in the Exchange Server:

-       CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability
This vulnerability was discovered by ZDI researcher Piotr Bazydło and is a bypass of both CVE-2022-41082 and CVE-2023-21529. The former was listed as being under active exploit. The specific flaw exists within the Command class. The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. While this does require the attacker to have an account on the Exchange server, successful exploitation could lead to executing code with SYSTEM privileges.

-       CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability
This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft recommends enabling the AMSI feature to mitigate this vulnerability, but we have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible.

-       CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
These three bugs look identical on paper, and all are listed as a CVSS 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme. While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts.

-       CVE-2023-3079 – Chromium: CVE-2023-3079 Type Confusion in V8
This CVE shouldn’t be news to anyone as it was released by the Chrome team back on June 1. However, since it’s listed as being under active attack, I wanted to highlight it for anyone who may have missed it due to graduations, vacations, or other distractions. This is a type confusion bug in Chrome that could lead to code execution at the level of the logged-on user. It’s also the second type of confusion bug in Chrome actively exploited this year. Definitely make sure your Chromium-based browsers (including Edge) are up to date.

Here’s the full list of CVEs released by Microsoft for June 2023:

* Indicates this CVE had been released prior to today.

There are only two other Critical-rated bugs in this month’s release. The first is in what appears to be all supported versions of .NET, .NET Framework, and Visual Studio. It’s an open-and-own sort of exploit, but guessing by the Critical rating, it appears there are no warning dialogs when opening the dodgy file. The final Critical-rated fix for June addresses a Denial-of-Service (DoS) bug in the Hyper-V server. The Critical rating here implies a guest OS could potentially shut down the host OS, or at least cause some form of a DoS condition.

Moving on to the other code execution bugs fixed this month, there are the standard complement of open-and-own bugs in Office components and services. There are also a few more RCE bugs in .NET, .NET Framework, and Visual Studio. This includes the lone Moderate-rated bug, which surprisingly still comes in at a CVSS of 8.1. It’s implied (but not stated) that there would be some warning dialog when opening a crafted XML, thus lowering the severity. There’s another bug in Exchange that allows network adjacent authenticated attackers to achieve RCE via a PowerShell remoting session. You rarely see RCE bugs with a physical component, but that’s the case for the vulnerability in the Windows Resilient File System (ReFS). An attacker could gain code execution either through mounting a specially crafted VHD or by inserting a malicious USB drive. There’s a fix for the RDP client, but since it requires connecting to a malicious RDP server, it’s not as concerning. That’s similar to the two bugs that require connecting to an attacker’s SQL server. The final code execution bug is in our old frenemy the PostScript Printer Driver. Again, a user would need to open a specially crafted file on an affected system to trigger the RCE.

Looking at the Elevation of Privilege (EoP) bugs receiving fixes this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. The EoP bugs in .NET and Visual Studio lead some different scenarios, such as gaining some understanding of the filesystem layout or gaining the rights of the user running an affected application. This Moderate-rated EoP in Edge could allow a browser sandbox escape.

The June release includes fixes for four security feature bypass (SFB) bugs, and two of these involve bypassing the check RPC procedure. They could allow the execution of RCE procedures that should otherwise be restricted when making calls to an SMB server. The bug in the RDP requires someone open a specially crafted file, but if they can convince the use to take that action, the attacker could bypass certificate or private key authentication when establishing a remote desktop protocol session. The final SFB patch is the Low-severity bug in Edge that could allow attackers to bypass the permissions dialog feature when clicking on a URL.

There’s an unusually large number of spoofing bugs receiving patches this month. There are two bugs in the Azure DevOps Server that could be exploited to gain data available to the current user. An attacker is able to manipulate DOM model of website adding/removing elements, with crafted script is able to do actions on ADO in current user context without user consent or awareness. There’s little detail provided about the SharePoint bugs, but spoofing in SharePoint generally equates to cross-site scripting (XSS). The bug in the Power Apps component almost acts like an information disclosure, as successful exploitation would allow the attacker to read information in the target’s browser associated with a vulnerable URL. Little detail is provided about the other spoofing bugs other than to say user interaction is required to trigger them.

There are only five patches addressing information disclosure bugs this month, and as usual, the majority result in info leaks consisting of unspecified memory contents. The two exceptions are for Edge and the DHCP service. The bug in the DHCP server could allow an attacker to learn the IP addresses pool information of affected systems. The Edge bug could disclose IDs, tokens, nonces, and other sensitive information when following malicious URLs. Considering how much is down in the browser these days, that information could prove quite useful to threat actors.

Looking at the remaining DoS fixes for June, the vast majority have no details. It’s not clear an attack would only impact the component or the entire system. The bugs in the CryptoAPI service may impact authentication actions, but that’s just speculation based on the component. Microsoft does specify the SharePoint bug only crashes the application. The bug in the Sysinternals Process Monitor likely only crashed the application. For that fix, you’ll need to access the Microsoft Store. If you have updates enabled, you should get it automatically. However, if you’re in a disconnected or otherwise isolated environment, you’ll need to get the Sysinternals MSIX package.

The June release is rounded out with a fix for a single XSS bug in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on July 11, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!