No zero-days this month, if you ignore the Edge RCE hole patched last week (make sure you’ve got that update, by the way):
For a full list of this month’s Microsoft Patch Tuesday fixes, take a look at our sister site Sophos News, where SophosLabs analysts have collated complete lists of the the numerous Microsoft CVEs that were fixed this month:
Just the way you like it
Helpfully, our researchers have created multiple lists, handily sorted by bug type and severity (so you can tell your remote code executions from your elevations-of-privilege); by Microsoft’s guesses at the likelihood of crooks figuring out working exploits for each bug (in case you like to prioritise your efforts that way), and by product type (if you like to divide up your patching efforts between your server team, your Office experts and your laptop support crew).
In case you were wondering, there were 26 Remote Code Execution (RCE) patches, including four dubbed “Critical”, although three of those seem to be related bugs that were found and fixed together in a single Windows component.
RCE patches generally cause the most concern, because they deal with bugs that can, in theory at least, be exploited by attackers who don’t yet have a foothold on your network, which means they represent possible ways of criminals breaking-and-entering in the first place.
There were 17 Elevation-of-Privilege (EoP) fixes, just one of which is deemed “Critical” by Microsoft, ironically in the SharePoint Server, which is the very tool many companies rely on for exchanging large amounts data securely inside their networks.
In other words, unauthorised access to SharePoint could hand attackers a free pass to get straight into your own, or even your customers’, trophy data, as happened recently to numerous companies using the competing file sharing service MOVEit.
As you probably know, the problem with EoP bugs is that they are often exploited as the second step in an attack from outside, used by cybercriminals to boost their access privileges as soon as they can after they break in.
This can turn a security breach that started out with comparatively limited initial exposure (for example, rogue access only to the local files on one user’s laptop)…
…into a much more dangerous incident (for example, rogue access to everyone else’s laptop across the network, and perhaps to all your corporate servers as well, such as customer databases, payment systems, backups, and more).
Notable holes
SophosLabs experts have identified six of the CVEs as “notable”.
Head to our long-form report for more information on those six bugs.
For now, we’ll just list five of them here:
- CVE-2023-29357. Microsoft SharePoint Server Elevation of Privilege Vulnerability. This bug could give a crook who has access to your network, but who doesn’t have a logon to your SharePoint system, a way to steal a legitimate user’s access credentials and thus to sidestep the need to come up with a username, password or 2FA code of their own.
- CVE-2023-29363, -32014 and -32015. Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. If you use the Windows message queuing service in your network, these bugs could allow attackers to trick a device on your network into running code of their choice.
- CVE-2023-33146. Microsoft Office Remote Code Execution Vulnerability. Apparently, thus bug can be triggered by booby-trapped SketchUp files (we’ve never even heard of, let alone used, the SketchUp app, but apparently it’s a popular 3D graphics program) embedded in a wide range of Office files, including Word, Excel, PowerPoint and Outlook.
Intriguingly, the patch for CVE-2023-33146 seems to be symptomatic of broader unresolved security problems in Office’s support for handling SketchUp objects, presumably because of the difficulty of safely parsing, processing and embedding yet another complex file format into Office documents.
Indeed, on 2023-06-01, Microsoft officially announced that it was turning off the SketchUp embedding system until further notice (our emphasis):
The ability to insert SketchUp graphics (.skp files) has been temporarily disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access it. […] We appreciate your patience as we work to ensure the security and functionality of this feature.
Feature creep whereby embedded objects in Office files introduce new security risks… who knew?
Frank Boecherer
And Windows 11 KB5027231 breaks Chrome. Chrome won’t run after the update. Uninstalling it and rebooting works.
Paul Ducklin
Some might consider that a feature :-) (Those who aim to convince their chums to use Firefox instead, for example, but have been met with shrugs of indifference so far.)
Frank Boecherer
Funny, Paul. Though since it was an MS “patch” I would think MS is trying to tell us to use Edge. LOL