Security News > 2023 > June > Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes
In case you were wondering, there were 26 Remote Code Execution patches, including four dubbed "Critical", although three of those seem to related bugs that were found and fixed together in a single Windows component.
RCE patches generally cause the most concern, because they deal with bugs that can, in theory at least, be exploited by attackers who don't yet have a foothold on your network, which means they represent possible ways of criminals breaking-and-entering in the first place.
As you probably know, the problem with EoP bugs is that they are often exploited as the second step in an attack from outside, used by cybercriminals to boost their access privileges as soon as they can after they break in.
If you use the Windows message queuing service in your network, these bugs could allow attackers to trick a device on your network into running code of their choice.
Apparently, thus bug can be triggered by booby-trapped SketchUp files embedded in a wide range of Office files, including Word, Excel, PowerPoint and Outlook.
Intriguingly, the specific patch for CVE-2023-33146 seems to be symptomatic of broader unresolved security problems in Office's support for handling SketchUp objects, presumably because of the difficulty of safely parsing, processing and embedding yet another coplex file format into Office documents.
News URL
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- November 2024 Patch Tuesday forecast: New servers arrive early (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-14 | CVE-2023-33146 | Unspecified vulnerability in Microsoft products Microsoft Office Remote Code Execution Vulnerability | 0.0 |