June Patchday: 73 Fixes for Vulnerabilities in Windows and Office


Critical vulnerabilities affect, among others, Exchange Server, SharePoint and Windows. Attackers can remotely inject and execute malicious code.

Microsoft is using June Patchday to close 73 security vulnerabilities in products such as Windows and Office. According to the company, the patch collection does not include any zero-day vulnerabilities, but it does include several vulnerabilities classified as critical, which may allow malicious code to be injected and executed remotely.

This includes a vulnerability in Exchange Server discovered by the Zero Day Initiative. The flaw allows patches for two previous zero-day vulnerabilities in Exchange Server to be bypassed. The Zero Day Initiative notes that the vulnerability can only be exploited if the attacker has an account on the Exchange Server in question. In that case, remote code execution with system privileges is possible.

Critical gaps in all Windows versions

Also considered particularly serious is a flaw in SharePoint Server that allows unauthorized escalation of user privileges. In March, participants in the Pwn2Own hacking contest used the flaw to bypass authentication in SharePoint Server. It has a score of 9.8 in the ten-point Common Vulnerability Scoring System.

Three vulnerabilities in Windows Pragmatic General Multicast (PGM) have the same score. They allow remote code execution and affect all supported versions of Windows and Windows Server. The Zero Day Initiative points out that similarly serious vulnerabilities in Windows PGM were patched back in April and May. However, it says Windows PGM is not enabled by default and is generally a rather uncommon configuration.

Other bugs are in .NET and Visual Studio, Dynamics, .NET Framework, Excel, Outlook, OneNote, Edge, Power Apps and Sysinternals. Windows components such as Installer, printer drivers, Hyper-V, ODBC drivers, Kernel, Hello, CryptoAPI, NTFS file system, Remote Desktop Client, Win32K and Group Policies are also vulnerable.