Security News > 2023 > June > Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes

In case you were wondering, there were 26 Remote Code Execution patches, including four dubbed "Critical", although three of those seem to related bugs that were found and fixed together in a single Windows component.

RCE patches generally cause the most concern, because they deal with bugs that can, in theory at least, be exploited by attackers who don't yet have a foothold on your network, which means they represent possible ways of criminals breaking-and-entering in the first place.

As you probably know, the problem with EoP bugs is that they are often exploited as the second step in an attack from outside, used by cybercriminals to boost their access privileges as soon as they can after they break in.

If you use the Windows message queuing service in your network, these bugs could allow attackers to trick a device on your network into running code of their choice.

Apparently, thus bug can be triggered by booby-trapped SketchUp files embedded in a wide range of Office files, including Word, Excel, PowerPoint and Outlook.

Intriguingly, the specific patch for CVE-2023-33146 seems to be symptomatic of broader unresolved security problems in Office's support for handling SketchUp objects, presumably because of the difficulty of safely parsing, processing and embedding yet another coplex file format into Office documents.

News URL

https://nakedsecurity.sophos.com/2023/06/14/patch-tuesday-fixes-4-critical-rce-bugs-and-a-bunch-of-office-holes/