Подоспели ежемесячные патчи от Microsoft. С июньским набором заплаток разработчики избавили пользователей от 78 уязвимостей, 38 из которых в случае эксплуатации способны привести к удалённому выполнению кода.
Шесть устранённых брешей Microsoft называет критическими. Среди них можно найти баги, приводящие к DoS, а также возможность повышения привилегий и выполнения произвольного кода удалённо.
По категориям бреши распределились следующим образом:
- 17 дыр повышения привилегий;
- 3 возможности обхода защитных систем;
- 32 — удалённое выполнение кода (RCE);
- пять проблем раскрытия информации;
- 10 — DoS;
- 10 — спуфинг;
- одна дыра в Chromium-версии Edge.
К счастью, в этот раз обошлось без уязвимостей нулевого дня, поэтому системные администраторы могут накатывать патчи в удобном для себя темпе. Тем не менее можно выделить две наиболее опасные уязвимости, которые игнорировать точно не стоит:
- CVE-2023-29357 — возможность повышения привилегий в Microsoft SharePoint Server. По словам Microsoft, баг используется в атаках, однако нет никаких подробностей его эксплуатации.
- CVE-2023-32031 — возможность удалённого выполнения кода в Microsoft Exchange Server. Не прошедший аутентификацию атакующий может задействовать баг для выполнения вредоносного кода в контексте аккаунта сервера.
Полный список июньских уязвимостей приводим ниже:
| Tag | CVE-идентификатор | CVE-наименование | Степень риска |
| .NET and Visual Studio | CVE-2023-24895 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Важная |
| .NET and Visual Studio | CVE-2023-33126 | .NET and Visual Studio Remote Code Execution Vulnerability | Важная |
| .NET and Visual Studio | CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | Средняя |
| .NET and Visual Studio | CVE-2023-33135 | .NET and Visual Studio Elevation of Privilege Vulnerability | Важная |
| .NET and Visual Studio | CVE-2023-32032 | .NET and Visual Studio Elevation of Privilege Vulnerability | Важная |
| .NET and Visual Studio | CVE-2023-32030 | .NET and Visual Studio Denial of Service Vulnerability | Важная |
| .NET and Visual Studio | CVE-2023-33128 | .NET and Visual Studio Remote Code Execution Vulnerability | Важная |
| .NET and Visual Studio | CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Критическая |
| .NET Core | CVE-2023-29331 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | Важная |
| .NET Framework | CVE-2023-29326 | .NET Framework Remote Code Execution Vulnerability | Важная |
| ASP .NET | CVE-2023-33141 | Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability | Важная |
| Azure DevOps | CVE-2023-21569 | Azure DevOps Server Spoofing Vulnerability | Важная |
| Azure DevOps | CVE-2023-21565 | Azure DevOps Server Spoofing Vulnerability | Важная |
| Microsoft Dynamics | CVE-2023-24896 | Dynamics 365 Finance Spoofing Vulnerability | Важная |
| Microsoft Edge (Chromium-based) | CVE-2023-2941 | Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-33145 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Важная |
| Microsoft Edge (Chromium-based) | CVE-2023-2937 | Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2936 | Chromium: CVE-2023-2936 Type Confusion in V8 | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2935 | Chromium: CVE-2023-2935 Type Confusion in V8 | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2940 | Chromium: CVE-2023-2940 Inappropriate implementation in Downloads | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2939 | Chromium: CVE-2023-2939 Insufficient data validation in Installer | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2938 | Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2931 | Chromium: CVE-2023-2931 Use after free in PDF | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2930 | Chromium: CVE-2023-2930 Use after free in Extensions | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2929 | Chromium: CVE-2023-2929 Out of bounds write in Swiftshader | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2934 | Chromium: CVE-2023-2934 Out of bounds memory access in Mojo | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2933 | Chromium: CVE-2023-2933 Use after free in PDF | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-2932 | Chromium: CVE-2023-2932 Use after free in PDF | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-3079 | Chromium: CVE-2023-3079 Type Confusion in V8 | Неизвестная |
| Microsoft Edge (Chromium-based) | CVE-2023-29345 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Низкая |
| Microsoft Edge (Chromium-based) | CVE-2023-33143 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Средняя |
| Microsoft Exchange Server | CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability | Важная |
| Microsoft Exchange Server | CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability | Важная |
| Microsoft Office | CVE-2023-33146 | Microsoft Office Remote Code Execution Vulnerability | Важная |
| Microsoft Office Excel | CVE-2023-33133 | Microsoft Excel Remote Code Execution Vulnerability | Важная |
| Microsoft Office Excel | CVE-2023-32029 | Microsoft Excel Remote Code Execution Vulnerability | Важная |
| Microsoft Office Excel | CVE-2023-33137 | Microsoft Excel Remote Code Execution Vulnerability | Важная |
| Microsoft Office OneNote | CVE-2023-33140 | Microsoft OneNote Spoofing Vulnerability | Важная |
| Microsoft Office Outlook | CVE-2023-33131 | Microsoft Outlook Remote Code Execution Vulnerability | Важная |
| Microsoft Office SharePoint | CVE-2023-33142 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Важная |
| Microsoft Office SharePoint | CVE-2023-33129 | Microsoft SharePoint Denial of Service Vulnerability | Важная |
| Microsoft Office SharePoint | CVE-2023-33130 | Microsoft SharePoint Server Spoofing Vulnerability | Важная |
| Microsoft Office SharePoint | CVE-2023-33132 | Microsoft SharePoint Server Spoofing Vulnerability | Важная |
| Microsoft Office SharePoint | CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Критическая |
| Microsoft Power Apps | CVE-2023-32024 | Microsoft Power Apps Spoofing Vulnerability | Важная |
| Microsoft Printer Drivers | CVE-2023-32017 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | Важная |
| Microsoft WDAC OLE DB provider for SQL | CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Важная |
| Microsoft Windows Codecs Library | CVE-2023-29370 | Windows Media Remote Code Execution Vulnerability | Важная |
| Microsoft Windows Codecs Library | CVE-2023-29365 | Windows Media Remote Code Execution Vulnerability | Важная |
| NuGet Client | CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability | Важная |
| Remote Desktop Client | CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability | Важная |
| Remote Desktop Client | CVE-2023-29352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Важная |
| Role: DNS Server | CVE-2023-32020 | Windows DNS Spoofing Vulnerability | Важная |
| SysInternals | CVE-2023-29353 | Sysinternals Process Monitor for Windows Denial of Service Vulnerability | Низкая |
| Visual Studio | CVE-2023-29007 | GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` | Важная |
| Visual Studio | CVE-2023-33139 | Visual Studio Information Disclosure Vulnerability | Важная |
| Visual Studio | CVE-2023-25652 | GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write | Важная |
| Visual Studio | CVE-2023-25815 | GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place | Важная |
| Visual Studio | CVE-2023-27911 | AutoDesk: CVE-2023-27911 Heap buffer overfНизкая vulnerability in Autodesk® FBX® SDK 2020 or prior | Важная |
| Visual Studio | CVE-2023-27910 | AutoDesk: CVE-2023-27910 stack buffer overfНизкая vulnerability in Autodesk® FBX® SDK 2020 or prior | Важная |
| Visual Studio | CVE-2023-29011 | GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing | Важная |
| Visual Studio | CVE-2023-29012 | GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists | Важная |
| Visual Studio | CVE-2023-27909 | AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior | Важная |
| Visual Studio Code | CVE-2023-33144 | Visual Studio Code Spoofing Vulnerability | Важная |
| Windows Authentication Methods | CVE-2023-29364 | Windows Authentication Elevation of Privilege Vulnerability | Важная |
| Windows Bus Filter Driver | CVE-2023-32010 | Windows Bus Filter Driver Elevation of Privilege Vulnerability | Важная |
| Windows Cloud Files Mini Filter Driver | CVE-2023-29361 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Важная |
| Windows Collaborative Translation Framework | CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | Важная |
| Windows Container Manager Service | CVE-2023-32012 | Windows Container Manager Service Elevation of Privilege Vulnerability | Важная |
| Windows CryptoAPI | CVE-2023-24937 | Windows CryptoAPI Denial of Service Vulnerability | Важная |
| Windows CryptoAPI | CVE-2023-24938 | Windows CryptoAPI Denial of Service Vulnerability | Важная |
| Windows DHCP Server | CVE-2023-29355 | DHCP Server Service Information Disclosure Vulnerability | Важная |
| Windows Filtering | CVE-2023-29368 | Windows Filtering Platform Elevation of Privilege Vulnerability | Важная |
| Windows GDI | CVE-2023-29358 | Windows GDI Elevation of Privilege Vulnerability | Важная |
| Windows Geolocation Service | CVE-2023-29366 | Windows Geolocation Service Remote Code Execution Vulnerability | Важная |
| Windows Group Policy | CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability | Важная |
| Windows Hello | CVE-2023-32018 | Windows Hello Remote Code Execution Vulnerability | Важная |
| Windows Hyper-V | CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability | Критическая |
| Windows Installer | CVE-2023-32016 | Windows Installer Information Disclosure Vulnerability | Важная |
| Windows iSCSI | CVE-2023-32011 | Windows iSCSI Discovery Service Denial of Service Vulnerability | Важная |
| Windows Kernel | CVE-2023-32019 | Windows Kernel Information Disclosure Vulnerability | Важная |
| Windows NTFS | CVE-2023-29346 | NTFS Elevation of Privilege Vulnerability | Важная |
| Windows ODBC Driver | CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Важная |
| Windows OLE | CVE-2023-29367 | iSCSI Target WMI Provider Remote Code Execution Vulnerability | Важная |
| Windows PGM | CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Критическая |
| Windows PGM | CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Критическая |
| Windows PGM | CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Критическая |
| Windows Remote Procedure Call Runtime | CVE-2023-29369 | Remote Procedure Call Runtime Denial of Service Vulnerability | Важная |
| Windows Resilient File System (ReFS) | CVE-2023-32008 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Важная |
| Windows Server Service | CVE-2023-32022 | Windows Server Service Security Feature Bypass Vulnerability | Важная |
| Windows SMB | CVE-2023-32021 | Windows SMB Witness Service Security Feature Bypass Vulnerability | Важная |
| Windows TPM Device Driver | CVE-2023-29360 | Windows TPM Device Driver Elevation of Privilege Vulnerability | Важная |
| Windows Win32K | CVE-2023-29371 | Windows GDI Elevation of Privilege Vulnerability | Важная |
| Windows Win32K | CVE-2023-29359 | GDI Elevation of Privilege Vulnerability | Важная |
