On June 13, 2023, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates eliminate 78 vulnerabilities; 37 are remote code execution vulnerabilities, and six vulnerabilities are rated critical. Below is a compact overview of the updates released on this Patchday. A list of updates can be found on this Microsoft page. Details about the update packages for Windows, Office, etc. are available in separate blog posts.
Notes on the updates
Windows 10 Version 20H2 to 22H2 use a common core and have an identical set of system files. Therefore, the same security update will be delivered for these Windows 10 versions. Information on enabling the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates for their server counterparts) are cumulative. The monthly Patchday update includes all security fixes for these Windows versions, as well as any non-security fixes released up to Patchday. In addition to patches for security vulnerabilities, the updates also include bug fixes and new features. Microsoft integrates the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer Windows 10 versions. A list of the latest SSUs can be found at ADV990001 (although the list is not always up to date). On June 13, 2023, Windows 10 version 21H2 reached end of life in its Home and Pro variants.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has no longer been supported since January 2020. Only customers with a 4th-year ESU license (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows 8.1 has been out of support since January 2023. Windows Server 2012/R2 will receive security updates until October 2023.
Windows Server hardening
Note that on June 13, 2023, Microsoft's security updates enable enforcement of the Netlogon protocol with RPC sealing on all domain controllers. Vulnerable connections from non-compliant devices will then be blocked. It is still possible to remove this enforcement until July 2023.
The ability to disable the addition of PAC signatures will no longer be available after June 13, 2023, and signatures will be added to the Kerberos PAC buffer on domain controllers with the November 2022 security update or later. See also this Microsoft entry in the Windows Message Center.
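The two hardening changes above are both driven by registry values on the domain controllers, and the Netlogon change logs events for clients that still negotiate RPC signing instead of sealing. The following PowerShell snippet is an added example (not code from the original post or from Microsoft): it reads the `RequireSeal` value under the Netlogon parameters key and the `KrbtgtFullPacSignature` value under the KDC key, translates them into the enforcement phases Microsoft documents for these changes, and lists recent Netlogon events 5838/5839 that identify signing-only clients and trusts. The value-to-phase descriptions are my reading of Microsoft's guidance; run it in an elevated session on each DC.

```powershell
# Added example (not from the original post or from Microsoft): report the
# registry state behind the Netlogon RPC sealing and Kerberos PAC signature
# hardening on this domain controller, and surface Netlogon events for clients
# that still use RPC signing instead of sealing. Registry paths, value names
# and event IDs follow Microsoft's published guidance for these changes; the
# phase descriptions are this script's own wording. Run elevated on a DC.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NetlogonSealingState {
    $v = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'RequireSeal'
    if ($null -eq $v) { return 'RequireSeal not set: OS default applies (enforced with the June 2023 update)' }
    switch ($v) {
        0 { 'RequireSeal=0: enforcement disabled (no longer honoured after the June 2023 update)' }
        1 { 'RequireSeal=1: compatibility mode, signing-only clients still accepted and logged' }
        2 { 'RequireSeal=2: enforcement mode, RPC sealing required' }
        default { "RequireSeal=$v: unexpected value" }
    }
}

function Get-PacSignatureState {
    $v = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' 'KrbtgtFullPacSignature'
    if ($null -eq $v) { return 'KrbtgtFullPacSignature not set: OS default applies' }
    switch ($v) {
        0 { 'KrbtgtFullPacSignature=0: signatures not added (option removed with the June 2023 update)' }
        1 { 'KrbtgtFullPacSignature=1: signatures added but not validated' }
        2 { 'KrbtgtFullPacSignature=2: audit mode, tickets without signatures logged' }
        3 { 'KrbtgtFullPacSignature=3: enforcement mode, tickets without signatures rejected' }
        default { "KrbtgtFullPacSignature=$v: unexpected value" }
    }
}

function Get-NetlogonSigningEvents {
    param([int]$Days = 7)
    # 5838: a client, 5839: a trust, still using RPC signing instead of sealing.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5838, 5839
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no findings".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$events = @(Get-NetlogonSigningEvents)
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    NetlogonSealing = Get-NetlogonSealingState
    PacSignature    = Get-PacSignatureState
    SigningEvents   = $events.Count
} | Format-List
# Each event names the account/device that must be fixed before enforcement.
$events | Format-List
```

Anything listed under SigningEvents is a client or trust that will be refused once sealing is enforced, so this is the list to work through before the July 2023 cut-off mentioned above.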
Fixed vulnerabilities
Tenable has this blog post with an overview of the fixed vulnerabilities. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability; CVSSv3 score 9.8, critical. It is an EoP vulnerability in Microsoft SharePoint Server 2019. A remote, unauthenticated attacker can exploit the vulnerability by sending a forged JWT authentication token to a vulnerable server, gaining the privileges of an authenticated user on the target. According to the advisory, no user interaction is required to exploit this vulnerability. Microsoft also provides remediation guidance, stating that customers who use Microsoft Defender in their SharePoint Server farms and have AMSI enabled are not affected. CVE-2023-29357 has been rated "Exploitation More Likely" according to Microsoft's Exploitability Index. According to Trend Micro's Zero Day Initiative (ZDI), CVE-2023-29357 was used in a successful demonstration of a chained attack during the Pwn2Own competition in Vancouver in March. ZDI notes that while Microsoft recommends enabling AMSI as a remediation measure, it "has not tested the effectiveness of this measure".
- CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability; CVSSv3 score 9.8, critical. These are RCEs in Windows operating systems, each rated critical with a CVSSv3 score of 9.8. The vulnerability is in the implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows Message Queuing Service component. A remote, unauthenticated attacker could exploit these vulnerabilities by sending a malicious file to a vulnerable target. Microsoft's mitigation guidance states that a system is vulnerable only if the Message Queuing service is enabled.
- CVE-2023-28310 and CVE-2023-32031: Microsoft Exchange Server Remote Code Execution Vulnerability; CVSSv3 scores 8.0 and 8.1, important. CVE-2023-28310 can be exploited by an authenticated attacker on the local network to execute commands on the target via a remote PowerShell session. CVE-2023-32031 allows a remote authenticated attacker to attack server accounts via network calls to trigger the execution of arbitrary code. Both CVE-2023-32031 and CVE-2023-28310 have been rated "Exploitation More Likely" and affect Microsoft Exchange Server 2016 Cumulative Update 23 and Exchange Server 2019 Cumulative Updates 12 and 13.
- CVE-2023-29362: Remote Desktop Client Remote Code Execution Vulnerability; CVSSv3 score 8.8, important. It is an RCE in Windows operating systems, rated important with a CVSSv3 score of 8.8. The vulnerability resides in the Remote Desktop Client component of Windows and in the Remote Desktop Client for Windows Desktop application. It can be exploited by a remote, unauthenticated attacker who controls a Remote Desktop Server, if a user connects to the attacker-controlled server through the vulnerable client.
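Since the PGM fixes only matter on hosts where Message Queuing is enabled, a quick inventory tells you which machines to prioritise. The PowerShell below is an added example (not code from the original post or from Microsoft): it checks for the MSMQ service, the enabled MSMQ optional feature components, the PGM protocol driver, and a listener on MSMQ's TCP port 1801. The `MSMQ*` optional feature names are the client-SKU names (on Server, `Get-WindowsFeature` covers the same components), and the driver name `RMCAST` for the PGM protocol driver is an assumption on my part. Run it elevated.

```powershell
# Added example (not from the original post or from Microsoft): decide whether
# this host is in scope for the PGM / Message Queuing fixes. The page states a
# system is vulnerable only when Message Queuing is enabled, so the service, its
# feature components, the PGM driver and the MSMQ listener port are checked.
# Feature names are the client-SKU optional feature names; RMCAST as the PGM
# driver service name is an assumption. Run elevated.

function Get-MsmqExposure {
    # MSMQ Win32 service (absent when the feature is not installed).
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue

    # Enabled MSMQ optional feature components (client SKUs via DISM module).
    $features = @(Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty FeatureName)

    # PGM is a kernel protocol driver, so look it up as a system driver,
    # not as a Win32 service. Driver name assumed to be RMCAST.
    $pgm = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue

    # MSMQ listens on TCP 1801 when the service is running.
    $listener = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    $svcStatus = 'absent'
    if ($svc) { $svcStatus = [string]$svc.Status }
    $pgmStatus = 'absent'
    if ($pgm) { $pgmStatus = [string]$pgm.State }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        MsmqService    = $svcStatus
        MsmqFeatures   = ($features -join ', ')
        PgmDriver      = $pgmStatus
        Port1801Listen = ($listener.Count -gt 0)
        # In scope if the service exists or something is already listening.
        InScope        = ([bool]$svc -or $listener.Count -gt 0)
    }
}

Get-MsmqExposure | Format-List
```

Hosts reporting `InScope = True` need the June 2023 cumulative update first; on hosts where MSMQ is `absent` and nothing listens on 1801, the PGM CVEs are not reachable, though the update still applies for the other fixes it carries.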
A list of all covered CVEs can be found on this Microsoft page, and excerpts are available from Tenable. Below is the list of patched products:
- .NET Core
- 3D Builder
- Azure Service Fabric Container
- Microsoft Bluetooth Driver
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Message Queuing
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft WDAC OLE DB provider for SQL
- Visual Studio Code
- Windows ALPC
- Windows Ancillary Function Driver for WinSock
- Windows Authentication Methods
- Windows Backup Engine
- Windows Bind Filter Driver
- Windows BitLocker
- Windows Boot Manager
- Windows Credential Manager
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Error Reporting
- Windows Event Tracing
- Windows IKE Extension
- Windows Installer
- Windows Internet Key Exchange (IKE) Protocol
- Windows iSCSI
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Local Security Authority (LSA)
- Windows Local Session Manager (LSM)
- Windows Malicious Software Removal Tool
- Windows Management Instrumentation
- Windows MSCryptDImportKey
- Windows NTLM
- Windows ODBC Driver
- Windows Overlay Filter
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Remote Access Service L2TP Driver
- Windows RPC API
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Smart Card
- Windows Task Scheduler
- Windows Virtual Registry Provider
- Windows Workstation Service
Similar articles:
Microsoft Security Update Summary (June 13, 2023)
Patchday: Windows 10-Updates (June 13, 2023)
Patchday: Windows 11/Server 2022-Updates (June 13, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (June 13, 2023)
Microsoft Office Updates (June 6, 2023)
Microsoft Office Updates (June 13, 2023)
Exchange Server Security Updates (June 13, 2023)