Microsoft rolls out fixes for 69 CVEs through the June 2023 Patch Tuesday

Reading time icon 9 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Key notes

  • A pretty busy month for a Microsoft Patch Tuesday release, with 69 CVEs.
  • Out of all the CVEs, 6 are rated Critical, 62 Important, and one Moderate.
  • We've included each and every one in this article, with direct links as well
malware

It’s June and we are already enjoying the summer, but Windows users are also looking towards Microsoft, in hopes that some of the flaws they’ve been struggling with will finally get fixed.

We’ve already provided the direct download links for the cumulative updates released today for Windows 10 and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.

This month, the Redmond-based tech giant released 69 new patches, which is a lot more than some people were expecting in the middle of the summer.

These software updates address CVEs in:

  • Microsoft Windows and Windows Components
  • Office and Office Components
  • Exchange Server
  • Microsoft Edge (Chromium-based)
  • SharePoint Server
  • .NET and Visual Studio
  • Microsoft Teams; Azure DevOps
  • Microsoft Dynamics
  • Remote Desktop Client

We’re going to take a more in-depth look at this release and see exactly what vulnerabilities we can scratch off our lists.

Microsoft managed to eliminate 69 OS vulnerabilities

It goes without saying that this isn’t either one of the busiest or the lightest months for Microsoft security experts.

You might like to know that, out of the 69 new CVEs released, six are rated Critical, 62 are rated Important, and one is rated Moderate in severity.

Notably, this volume of fixes is a bit larger than what we all expected for June, but not extraordinary, so there’s no need to worry.

It’s important to know that none of the new bugs patched this month are listed as publicly known or under active attack at the time of release.

CVETitleSeverityCVSSPublicExploitedType
CVE-2023-24897.NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityCritical7.8NoNoRCE
CVE-2023-29357Microsoft SharePoint Server Elevation of Privilege VulnerabilityCritical9.8NoNoEoP
CVE-2023-32013Windows Hyper-V Denial of Service VulnerabilityCritical6.5NoNoDoS
CVE-2023-29363Windows Pragmatic General Multicast (PGM) Remote Code Execution VulnerabilityCritical9.8NoNoRCE
CVE-2023-32014Windows Pragmatic General Multicast (PGM) Remote Code Execution VulnerabilityCritical9.8NoNoRCE
CVE-2023-32015Windows Pragmatic General Multicast (PGM) Remote Code Execution VulnerabilityCritical9.8NoNoRCE
CVE-2023-32030.NET and Visual Studio Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2023-32032.NET and Visual Studio Elevation of Privilege VulnerabilityImportant6.5NoNoEoP
CVE-2023-33135.NET and Visual Studio Elevation of Privilege VulnerabilityImportant7.3NoNoEoP
CVE-2023-33126.NET and Visual Studio Remote Code Execution VulnerabilityImportant7.3NoNoRCE
CVE-2023-33128.NET and Visual Studio Remote Code Execution VulnerabilityImportant7.3NoNoRCE
CVE-2023-29331.NET Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2023-29326.NET Framework Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-24895.NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-27909 *AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or priorImportant7.8NoNoRCE
CVE-2023-27910 *AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or priorImportant7.8NoNoRCE
CVE-2023-27911 *AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or priorImportant7.8NoNoRCE
CVE-2023-21565Azure DevOps Server Spoofing VulnerabilityImportant7.1NoNoSpoofing
CVE-2023-21569Azure DevOps Server Spoofing VulnerabilityImportant5.5NoNoSpoofing
CVE-2023-29355DHCP Server Service Information Disclosure VulnerabilityImportant5.3NoNoInfo
CVE-2023-25652 *GitHub: CVE-2023-25652 “git apply –reject” partially-controlled arbitrary file writeImportant7.5NoNoN/A
CVE-2023-25815 *GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged placeImportant3.3NoNoN/A
CVE-2023-29007 *GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit`Important7.8NoNoN/A
CVE-2023-29011 *GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placingImportant7.5NoNoN/A
CVE-2023-29012 *GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it existsImportant7.2NoNoN/A
CVE-2023-29367iSCSI Target WMI Provider Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-24896Microsoft Dynamics 365 (on-premises) Cross-site Scripting VulnerabilityImportant5.4NoNoXSS
CVE-2023-33145Microsoft Edge (Chromium-based) Information Disclosure VulnerabilityImportant6.5NoNoInfo
CVE-2023-32029Microsoft Excel Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-33133Microsoft Excel Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-33137Microsoft Excel Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-28310Microsoft Exchange Server Remote Code Execution VulnerabilityImportant8NoNoRCE
CVE-2023-32031Microsoft Exchange Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2023-29373Microsoft ODBC Driver Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2023-33146Microsoft Office Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-33140Microsoft OneNote Spoofing VulnerabilityImportant6.5NoNoSpoofing
CVE-2023-33131Microsoft Outlook Spoofing VulnerabilityImportant6.5NoNoSpoofing
CVE-2023-32017Microsoft PostScript Printer Driver Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-32024Microsoft Power Apps Spoofing VulnerabilityImportant3NoNoSpoofing
CVE-2023-33129Microsoft SharePoint Denial of Service VulnerabilityImportant6.5NoNoDoS
CVE-2023-33142Microsoft SharePoint Server Elevation of Privilege VulnerabilityImportant6.5NoNoEoP
CVE-2023-33130Microsoft SharePoint Server Spoofing VulnerabilityImportant7.3NoNoSpoofing
CVE-2023-33132Microsoft SharePoint Server Spoofing VulnerabilityImportant6.3NoNoSpoofing
CVE-2023-29372Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2023-29346NTFS Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2023-29337NuGet Client Remote Code Execution VulnerabilityImportant7.1NoNoRCE
CVE-2023-29362Remote Desktop Client Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2023-29369Remote Procedure Call Runtime Denial of Service VulnerabilityImportant6.5NoNoDoS
CVE-2023-29353Sysinternals Process Monitor for Windows Denial of Service VulnerabilityImportant5.5NoNoDoS
CVE-2023-33144Visual Studio Code Spoofing VulnerabilityImportant5NoNoSpoofing
CVE-2023-33139Visual Studio Information Disclosure VulnerabilityImportant7.8NoNoInfo
CVE-2023-29359Win32k Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2023-29364Windows Authentication Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2023-32010Windows Bus Filter Driver Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2023-29361Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2023-32009Windows Collaborative Translation Framework Elevation of Privilege VulnerabilityImportant8.8NoNoEoP
CVE-2023-32012Windows Container Manager Service Elevation of Privilege VulnerabilityImportant6.3NoNoEoP
CVE-2023-24937Windows CryptoAPI Denial of Service VulnerabilityImportant5.5NoNoDoS
CVE-2023-24938Windows CryptoAPI Denial of Service VulnerabilityImportant5.5NoNoDoS
CVE-2023-32020Windows DNS Spoofing VulnerabilityImportant3.7NoNoSpoofing
CVE-2023-29358Windows GDI Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2023-29366Windows Geolocation Service Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-29351Windows Group Policy Elevation of Privilege VulnerabilityImportant8.1NoNoEoP
CVE-2023-32018Windows Hello Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-32016Windows Installer Information Disclosure VulnerabilityImportant5.5NoNoInfo
CVE-2023-32011Windows iSCSI Discovery Service Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2023-32019Windows Kernel Information Disclosure VulnerabilityImportant4.7NoNoInfo
CVE-2023-29365Windows Media Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-29370Windows Media Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-29352Windows Remote Desktop Security Feature Bypass VulnerabilityImportant6.5NoNoSFB
CVE-2023-32008Windows Resilient File System (ReFS) Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2023-32022Windows Server Service Security Feature Bypass VulnerabilityImportant7.6NoNoSFB
CVE-2023-32021Windows SMB Witness Service Security Feature Bypass VulnerabilityImportant7.1NoNoSFB
CVE-2023-29368Windows TCP/IP Driver Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2023-29360Windows TPM Device Driver Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2023-29371Windows Win32k Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2023-33141Yet Another Reverse Proxy (YARP) Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2023-24936.NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityModerate8.1NoNoRCE
CVE-2023-33143Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityModerate7.5NoNoEoP
CVE-2023-29345Microsoft Edge (Chromium-based) Security Feature Bypass VulnerabilityLow6.1NoNoSFB
CVE-2023-3079 *Chromium: CVE-2023-3079 Type Confusion in V8HighN/ANoYesRCE
CVE-2023-2929 *Chromium: CVE-2023-2929 Out of bounds write in SwiftshaderHighN/ANoNoRCE
CVE-2023-2930 *Chromium: CVE-2023-2930 Use after free in ExtensionsHighN/ANoNoRCE
CVE-2023-2931 *Chromium: CVE-2023-2931 Use after free in PDFHighN/ANoNoRCE
CVE-2023-2932 *Chromium: CVE-2023-2932 Use after free in PDFHighN/ANoNoRCE
CVE-2023-2933 *Chromium: CVE-2023-2933 Use after free in PDFHighN/ANoNoRCE
CVE-2023-2934 *Chromium: CVE-2023-2934 Out of bounds memory access in MojoHighN/ANoNoRCE
CVE-2023-2935 *Chromium: CVE-2023-2935 Type Confusion in V8HighN/ANoNoRCE
CVE-2023-2936 *Chromium: CVE-2023-2936 Type Confusion in V8HighN/ANoNoRCE
CVE-2023-2937 *Chromium: CVE-2023-2937 Inappropriate implementation in Picture In PictureMediumN/ANoNoN/A
CVE-2023-2938 *Chromium: CVE-2023-2938 Inappropriate implementation in Picture In PictureMediumN/ANoNoN/A
CVE-2023-2939 *Chromium: CVE-2023-2939 Insufficient data validation in InstallerMediumN/ANoNoN/A
CVE-2023-2940 *Chromium: CVE-2023-2940 Inappropriate implementation in DownloadsMediumN/ANoNoN/A
CVE-2023-2941 *Chromium: CVE-2023-2941 Inappropriate implementation in Extensions APILowN/ANoNoN/A

Let’s talk about CVE-2023-32031 for a second. This vulnerability, in case you didn’t already know, is actually a bypass of both CVE-2022-41082 and CVE-2023-21529.

Remember that the former was listed as being under active exploit, and this specific flaw exists within the Command class.

The issue started from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.

Even though this does require the attacker to have an account on the Exchange server, successful exploitation could lead to executing code with SYSTEM privileges.

Looking at CVE-2023-29363/32014/32015, we can tell that these three bugs look identical on paper, and all are listed as a CVSS 9.8.

They allowed a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment.

While not enabled by default, PGM isn’t an uncommon configuration, so we do hope these bugs get fixed before any active exploitation starts.

There are only two other Critical-rated bugs in this month’s release, with the first appearing to be all supported versions of .NET, .NET Framework, and Visual Studio.

In fact, it’s an open-and-own sort of exploit, but judging by the Critical rating, it appears there are no warning dialogs when opening the dodgy file.

The second Critical-rated fix for June addresses a Denial-of-Service (DoS) bug in the Hyper-V server, so the Critical rating implies a guest OS could potentially shut down the host OS, or at least cause some form of a DoS condition.

The June 2023 Patch Tuesday rollout includes fixes for four security feature bypass (SFB) bugs, and two of these involve bypassing the check RPC procedure.

If left unchecked, they could allow the execution of RCE procedures that should otherwise be restricted when making calls to an SMB server.

Know that the bug in the RDP requires someone open a specially crafted file, but if they can convince the user to take that action, the attacker could bypass certificate or private key authentication when establishing a remote desktop protocol session.

Let’s also mention the final SFB patch, which is the Low-severity bug in Edge that could allow attackers to bypass the permissions dialog feature when clicking on a URL.

Going through the remaining DoS fixes for June, the vast majority offer no additional details, so it’s not clear whether an attack would only impact the component or the entire system.

These above-mentioned bugs in the CryptoAPI service may impact authentication actions, but that’s just speculation based on the component.

Was this article helpful to you? Share your opinion in the comments section below.

More about the topics: patch tuesday, windows 10, windows 10 updates

User forum

0 messages