Microsoft released security updates for 78 flaws for June Patch Tuesday, and luckily for administrators, none of them are being exploited.

Yesterday’s critical Fortinet bug and the Progress MOVEit flaws, however, are entirely different stories, so the proverbial thoughts and prayers to the teams dealing with this damage.

Microsoft’s Big Patch Day rated six of today’s patches as critical and four of them got a severity score of 9.8, so let’s start with those.

CVE-2023-29357, a Microsoft SharePoint Server elevation of privilege vulnerability, is what Redmond lists as “the most likely exploit.” This may be because it, when chained with other bugs, was used to bypass authentication in the Pwn2Own contest in March.

An attacker can use this vulnerability to gain administrator privileges without any user interaction, according to Microsoft. Once they have “gained access to the spoofed JWT authentication tokens, they can use them to execute a network attack that bypasses authentication and allows them to access the privileges of an authenticated user,” according to the security update.

The other three vulnerabilities rated 9.8 allow remote code execution (RCE): CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015. All three could allow a remote, unauthenticated attacker to execute malicious code on a Windows system where the message queuing service is running in a Pragmatic General Multicast (PGM) server environment.

“This is the third month in a row that PGM has addressed a CVSS 9.8 bug, and it’s starting to be a bit of a theme,” Zero Day Initiative’s Dustin Childs pointed out. “Although not enabled by default, PGM is not an uncommon configuration. Hopefully these bugs will be fixed before any active mining begins.”

The two remaining critical patches address denial of service vulnerabilities (CVE-2023-32013) in Windows Hyper-V and another RCE bug (CVE-2023-24897) in .NET, .NET Framework, and Visual Studio.

VMware fixes a flaw, but China found it first

In other news, we highlight VMware admitting that one of the bugs disclosed today is already being exploited by alleged Chinese spies, namely a security update to fix a VMware Tools bypass vulnerability. authentication that affects ESXi hypervisors, tracked as CVE-2023-20867.

“A fully compromised ESXi host can force VMware Tools to not authenticate host-guest operations, affecting the privacy and integrity of the guest VM,” the virtualization giant said.

According to Mandiant, a Chinese cyber espionage group it tracks as UNC3886 found and exploited the flaw before VMware released a patch. Mandiant spotted this same gang targeting VMware hypervisors for espionage in 2022.

Adobe releases four patches

And on Adobe, whose June patches are also thankfully uneventful, with none of the vulnerabilities being exploited or publicly known at press time.

In total, the software vendor released four patches to fix 18 bugs in Adobe Experience Manager, Commerce, Animate, and Substance 3D Designer.

The patch for Adobe Experience Manager fixes four CVEs rated important and moderate. Successful exploitation of these flaws could allow the execution of arbitrary code and the bypassing of security features.

Adobe Commerce update fixes 12 CVEs, including one critical RCE vulnerability.

There is only one patch for Adobe Animate and Adobe Substance 3D Designer, but both patches also address critical RCEs.

SAP tackles XXS

SAP today released eight new security advisories and five updates to previously released advisories. Four of them have high priority, eight medium priority and one low priority.

Interestingly, eight of these patches address XSS (Cross-Site Scripting) vulnerabilities. This includes one of the new High Priority Security Notes, #3324285, with a CVSS score of 8.2, which fixes a Stored XXS vulnerability in UI5 Variant Management.

“This vulnerability allows an attacker to gain user-level access and compromise the confidentiality, integrity, and availability of the UI5 ​​Varian Management application,” according to SAP bug hunters at Onapsis.

Android, still in vogue with spyware publishers

And to cap off the June patch party, Google released its Android security update earlier this month with fixes for 56 bugs.

According to Google. It is tracked as CVE-2023-21108.

Another of the June patches is for CVE-2022-22706, an Arm Mali GPU flaw that Google’s Threat Analysis Group says has already been exploited by spyware vendors. ®