{"id":22228,"date":"2023-06-13T15:20:56","date_gmt":"2023-06-13T23:20:56","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/06\/13\/news-15958\/"},"modified":"2023-06-13T15:20:56","modified_gmt":"2023-06-13T23:20:56","slug":"news-15958","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/06\/13\/news-15958\/","title":{"rendered":"A smorgasbord for June\u2019s Patch Tuesday"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Tue, 13 Jun 2023 21:05:13 +0000<\/strong><\/p>\n

\n

Microsoft on Tuesday released patches for 69 vulnerabilities, including four critical-severity issues in Windows and one each in SharePoint and Visual Studio \/ .NET. As usual, the largest number of addressed vulnerabilities affect Windows, with 38 CVEs. Patches applicable to both .NET and Visual Studio account for nine of the remainder. Office takes six patches; SharePoint, five. Azure, Exchange, .NET (without Visual Studio), and Visual Studio (without .NET) each get two. Dynamics 365, PowerApps, and YARP (Yet Another Reverse Proxy, related to both .NET and NuGet) each get one.<\/p>\n

In a heavier-than-usual month for announcements concerning patches not directly handled by Microsoft, the company is also providing information on 25 patches from Chromium (Google), GitHub, Autodesk, and\u2026 Microsoft. The situation around those 25 information-only announcements is a bit tangled. Not only are there far more than usual (and this with no Adobe patches flagged, though Adobe did release<\/a> updates on its own<\/a> today) but the 17 Chromium patches affecting the Edge browser hail from both Google and Microsoft itself. One of the 17, CVE-2023-3079, a V8 type-confusion issue patched by Google on June 5<\/a>, is known to be under exploit in the wild. (V8 is a JavaScript engine developed by the Chromium Project and used in a variety of applications, Edge among them.)<\/p>\n

At patch time, none of the issues this month have been publicly disclosed (aside from the information published about the info-only patches released prior to June 13). However, Microsoft cautions that eight of the issues addressed are more likely to be exploited in either the latest or earlier versions of the affected product soon (that is, within the next 30 days). Microsoft once again this month offered no guidance overview on exploitation likelihood in earlier versions versus latest versions for any of their patches.<\/p>\n

Elsewhere on the patching scene, Fortinet this week published a security advisory for a critical-class SSL-VPN vulnerability under active exploit in the wild. CVE-2023-27997 affects FortiOS and FortiProxy SSL-VPN. A remote-code execution issue, it affects multiple versions of the software and was discovered<\/a> by Fortinet\u2019s own researchers, along with external researchers engaged in responsible disclosure. during a code audit after a previous incident. Fortinet customers are urged to review the available information<\/a> and patch their devices soon; the Sophos MDR team is monitoring the situation as it unfolds.<\/p>\n

We are including at the end of this post three appendices listing all Microsoft\u2019s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft\u2019s guidance we\u2019ll treat the three Edge patches (CVE-2023-29345, CVE-2023-33143, CVE-2023-33145) with Microsoft-assigned CVE numbers as information-only; they are not included in any of the totals or charts that follow.<\/p>\n

By the Numbers<\/strong><\/p>\n