Security News > 2023 > June > Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes
In case you were wondering, there were 26 Remote Code Execution patches, including four dubbed "Critical", although three of those seem to related bugs that were found and fixed together in a single Windows component.
RCE patches generally cause the most concern, because they deal with bugs that can, in theory at least, be exploited by attackers who don't yet have a foothold on your network, which means they represent possible ways of criminals breaking-and-entering in the first place.
As you probably know, the problem with EoP bugs is that they are often exploited as the second step in an attack from outside, used by cybercriminals to boost their access privileges as soon as they can after they break in.
If you use the Windows message queuing service in your network, these bugs could allow attackers to trick a device on your network into running code of their choice.
Apparently, thus bug can be triggered by booby-trapped SketchUp files embedded in a wide range of Office files, including Word, Excel, PowerPoint and Outlook.
Intriguingly, the specific patch for CVE-2023-33146 seems to be symptomatic of broader unresolved security problems in Office's support for handling SketchUp objects, presumably because of the difficulty of safely parsing, processing and embedding yet another coplex file format into Office documents.
News URL
Related news
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft holds last Patch Tuesday of the year with 72 gifts for admins (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- Apache issues patches for critical Struts 2 RCE bug (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- What Is Patch Tuesday? Microsoft’s Monthly Update Explained (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- January 2025 Patch Tuesday forecast: Changes coming in cybersecurity guidance (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-14 | CVE-2023-33146 | Unspecified vulnerability in Microsoft products Microsoft Office Remote Code Execution Vulnerability | 0.0 |