Security News > 2023 > June > Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes
In case you were wondering, there were 26 Remote Code Execution patches, including four dubbed "Critical", although three of those seem to related bugs that were found and fixed together in a single Windows component.
RCE patches generally cause the most concern, because they deal with bugs that can, in theory at least, be exploited by attackers who don't yet have a foothold on your network, which means they represent possible ways of criminals breaking-and-entering in the first place.
As you probably know, the problem with EoP bugs is that they are often exploited as the second step in an attack from outside, used by cybercriminals to boost their access privileges as soon as they can after they break in.
If you use the Windows message queuing service in your network, these bugs could allow attackers to trick a device on your network into running code of their choice.
Apparently, thus bug can be triggered by booby-trapped SketchUp files embedded in a wide range of Office files, including Word, Excel, PowerPoint and Outlook.
Intriguingly, the specific patch for CVE-2023-33146 seems to be symptomatic of broader unresolved security problems in Office's support for handling SketchUp objects, presumably because of the difficulty of safely parsing, processing and embedding yet another coplex file format into Office documents.
News URL
Related news
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs (source)
- Week in review: Veeam fixes RCE flaw in backup management platform, Patch Tuesday forecast (source)
- April 2024 Patch Tuesday forecast: New and old from Microsoft (source)
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- HPE Aruba Networking fixes four critical RCE flaws in ArubaOS (source)
- Patch up – 4 critical bugs in ArubaOS lead to remote code execution (source)
- Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks (source)
- Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw (source)
- May 2024 Patch Tuesday forecast: A reminder of recent threats and impact (source)
- Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-14 | CVE-2023-33146 | Unspecified vulnerability in Microsoft products Microsoft Office Remote Code Execution Vulnerability | 7.8 |