Security News

Microsoft has released security updates for 78 flaws for June's Patch Tuesday, and luckily for admins, none of these are under exploit. CVE-2023-29357, a Microsoft SharePoint Server Elevation of Privilege Vulnerability, is one that Redmond lists as "Exploitation more likely." This may be because it, when chained with other bugs, was used to bypass authentication during March's Pwn2Own contest.

Multiple editions of Windows 10 21H2 have reached their end of service in this month's Patch Tuesday, as Microsoft reminded customers today. "Customers who contact Microsoft Support after this date will be directed to update their device to the latest version of Windows 10 or upgrade to Windows 11 to remain supported," Microsoft said in an initial announcement on March 14.

Microsoft has addressed a known issue causing intermittent failures when saving and copying files on Windows 11 22H2 devices. Microsoft says Windows devices are at a higher risk of being affected by this particular issue when using specific commercial or enterprise security software that utilizes extended file attributes.

For June 2023 Patch Tuesday, Microsoft has delivered 70 new patches but, for once, none of the fixed vulnerabilities are currently exploited by attackers nor were publicly known before today! Microsoft has previously fixed CVE-2023-3079, a type confusion vulnerability in Chromium's V8 JavaScript engine, which was spotted being exploited by attackers to target Chrome users.

Today is Microsoft's June 2023 Patch Tuesday, with security updates for 78 flaws, including 38 remote code execution vulnerabilities. While thirty-eight RCE bugs were fixed, Microsoft only listed six flaws as 'Critical,' including denial of service attacks, remote code execution, and privilege elevation.

Office Open XML Signatures, an Ecma/ISO standard used in Microsoft Office applications and open source OnlyOffice, have several security flaws and can be easily spoofed. Microsoft refers to the format simply as Open XML. The boffins say they found discrepancies in the structure of office documents and the way signatures get verified.

Microsoft stands accused by cyber intelligence firm Hold Security of violating an agreement between the pair by misusing Hold's database of more than 360 million sets of credentials culled from the dark web. In a lawsuit filed in King County Superior Court in Washington, Hold said it had an agreement with Microsoft going back to 2014 to grant the Windows giant access to its database of compromised accounts with the expectation that Microsoft would limit use to matching Hold's records against Microsoft customer accounts.

Microsoft revealed in an update to the Azure status page that the preliminary root cause behind an outage that impacted the Azure Portal worldwide on Friday was what it described as a traffic "Spike." Customers who wanted to access the Azure Portal on Friday afternoon at portal.

Security researchers have warned about an "Easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.

Two flaws in Microsoft software are under attack on systems that haven't been patched by admins. Redmond issued fixes for the vulnerabilities - one affecting Visual Studio and the other the Win32k subsystem - in April and May, but in separate reports this week, security researchers with Varonis Threat Labs and Numen Cyber warned that unpatched systems are already being exploited.