Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.
June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”
Top of the list on that front is CVE-2023-29357, which is a “critical” bug in Microsoft SharePoint Server that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).
“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”
There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the Windows Pragmatic General Multicast (PGM), which is used for delivering multicast data — such as video streaming or online gaming.
Security firm Action1 says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.
It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using Microsoft Exchange for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.
Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.
“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Scary to think that it could be so easy for attackers to get into theses systems and obtain so much crucial information. Thank you for keeping us up to date with these patches and making us aware!
Microsoft left me behind with my perfect 8.1 pro and all of the costs I incurred with two consecutive very dangerous updates and blithely entered the future with 10 and 11 both of
which have been victim of countless attacks and updates. No apologies EVER – no compensation
EVER and is using every Windows owner as a guinea pig for the future. Why not hold back and try to achieve perfection? This hold on us is grossly unfair.
Have just posted a comment – where is it please?
Apology tendered for the above Brian
Grrr! This latest Windows 10 Update just crashed my Inspiron laptop! It will not boot anymore!
Every month, dozens more security vulnerabilities patched.
So I wonder does this mean there are thousands of vulnerabilities yet to be patched in the months to come? At 70 vulnerabilities in a month … so over the next 10 months, means another 700 vulnerabilities…. or 4,200 vulnerabilities over the next 5 years. Just sitting in windows, waiting to be used, and maybe patched.
I wonder are these vulnerabilities just sitting there waiting to be used by bad actors or are they new vulnerabilities created by constant substandard Windows updates.
Either way it’s just not good.
Kb5012170 it’s back, now with the name of kb5027408. Microsoft need your money
I have my Windows 10 22H2 desktop’s ethernet connection set as a metered connection. Today, when I turned on the monitor it was waiting to restart after downloading and installing an update. Upon checking, there were actually two updates. One was the usual monthly update (KB5027215) and the other was the .NET framework update (KB5027538).
I thought having my network connection set as metered would prevent this. Why didn’t it? I might also add that for the past week or so, it has been automatically downloading and installing the updates for Microsoft Defender Antivirus. I used to go in every day or so and do that manually.
I’m a retired UNIX/Linux sysadmin. I don’t like these things happening out of my control. I like to make sure the updates aren’t causing issues for others first. I tried other ways to prevent this (registry hacks) but only setting the metered connection has ever worked. Now it apparently no longer does.
Thanks for any pointers, and sorry if this is not appropriate here.
Under Windows Update > Advanced Options > Pause Updates, you can pause updates from being installed for up to 35 days. I don’t know if that settings applies to Defender Updates, but those are updated 4-5 times daily I think, so that might be more manual intervention than you’d want to deal with, but you do you!
If you have Windows Pro then do the following in the registry to stop automatic updates. MS AV will still update.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
“NoAutoUpdate”=dword:00000001
I do not have the “AU” location. What do I do?
If you don’t have the “AU” key you can manually add it by right clicking on “WindowsUpdate” and adding “New” and then “Key”. Name the new key “AU”. Right click on “AU” and add “New” and then “DWORD (32-bit) Value. Name the new DWORD to “NoAutoUpdate” and then double click it and change the value to “1” and hit “OK”.
If you have Win10 Pro Version then you can just change it in “gpedit.msc”. Type “gpedit.msc” in a cmd window. Go to “Computer Configuration” then “Administrative Templates” then “Windows Components” then “Windows Update”. In the right hand window find “Configure Automatic Updates” and double-click it and disable it in the window that opens and hit “OK”.
Whenever you want to protect against auto update …. you run “winupdate.diagcab” first. Select “Hide Update” and then check mark the updates you want to hide from Windows. Hit next and close. Run it again and select “HIdden Updates” and you will see the ones you checked there. Then you can run normal Windows Update manually and it will only update what you haven’t hidden from Windows such as the normal Security updates and so on. Good Luck.
If you don’t have the “AU” key under “WindowsUpdate” then you can add it manually. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Right click on “WindowsUpdate” and select “New” and then “Key”. Rename the new key to “AU”. Right click on the new key “AU” and select “New” and then “DWORD (32-bit) value. In the right hand pane rename the new DWORD to “NoAutoUpdate”. Double click the “NoAutoUpdate” and change the value to “1” and then hit “OK”.
If you have WIN 10 PRO you can do the same thing by opening a cmd window and typing “gpedit.msc” and hit return. In the window that opens select “Computer Configuration”, “Administrative Templates”, “Windows Components”, “Windows Update”. In the right hand pane find “Configure Automatic Updates” and double click that and in the window that opens select “Disabled” and then hit “OK”.
Once you have the automatic update disabled then double click the windows update troubleshooter “winupdate.diagcab” icon on your desktop or wherever you saved it and when the window opens hit next. It will tell you that it is detecting problems. Select “Hide updates” and then it will either tell you there are no updates available to hide or it will list the updates it found and you can select them to hide. Any updates you hide will show up under “Hidden updates” the next time you run the utility. Then you can run normal Windows Update and it will only install what you have not hidden from Windows. You can always go back and un-hide the updates and then run normal Windows Update to install them. Good Luck.
Turn off AutoUpdate in the Win 10 Registry as stated above and then download and use “winupdate.diagcab” to hide updates the same way you were able to with Win 7. Works great …. restores update control to the administrator.
Sir_Timbit- you want the av definition updates as fast as you can. These will not cause an issue, it’s not an application change. Malware creators modify their malware constantly with the goal being undetected within the time frame between these definition updates. Malware gets updates then AV detects this and pushes out updates. Ransomware crews try to do this in than the 4hr update window to beat AV detections and stay ahead.
I’ve been using Mac as my main home computer for years, but I also have an old Win 7 laptop, (disconnected to the internet) to use for an older music editing program. I’ve also used mainly Windows at my work. Just a general question – Why, after all these years, does Windows OS Still have so many problems, needing patches? Why are they still so seemingly more vulnerable than Mac? Shouldn’t they have figured this stuff out by now?
I’d say there are two reasons for this. First, Windows has gotten so complex over the years that no single person at MS knows exactly how everything works. It’s very hard for one developer to make a change in part of the code and know precisely that it won’t affect other areas of code.
Second, they keep introducing new “features” for better or worse. Newer code has been tested less and therefore is more likely to have security bugs introduced. As those problems eventually get fixed, MS moves on to adding some other “feature” and the cycle continues.
@Bruce
From: ‘https://www.openrefactory.com/intelligent-code-repair-icr/
Coralogix[2] the data logging analytics company, has studied the issue of developer productivity and makes the following claims:
…
On average, a developer creates 70 bugs per 1000 lines of code (!)
15 bugs per 1,000 lines of code find their way to the customers
Fixing a bug takes 30 times longer than writing a line of code
75% of a developer’s time is spent on debugging (1500 hours a year!)
In the US alone, $113B is spent annually on identifying & fixing product defects
And from: ‘https://www.androidphonesoft.com/blog/how-many-lines-of-code-is-windows-10/
…a recent estimate put the total number of lines of code in Windows 10 at around 50 million
By those numbers, 750,000 bugs are inflicted on the customers with Windows 10.
(I don’t run Windows unless I absolutely have to.)
(I don’t run Windows unless I absolutely have to.)
According to the CLOC (count lines of code) by Al Danial available on GitHub
Windows 10– 80 million lines of code
Ubuntu– 50 million lines of code
MacOS X– 84 million lines of code
Android– 12 million lines of code
iOS– 12 million lines of code
So you shouldn’t use any system as those bugs are “inflicted on the customers”
I would cite sources but you can just Google it. If the millions of line of code don’t glitch out on you, you can find it.
@John Tillotson
Wow that is scary. Thanks for posting
Am I the only one, or does it bother others that almost everyone uses acronyms and just assumes that the entire English speaking population of the Earth knows what every one of them means?
Why do seemingly well educated people use acronyms without telling their audience what they mean?
Which acronym(s) are confusing?
The only one I see you’ve not disambiguated is CVSS.
Of course simply googling it instantly gives the answer,
but that’s much less fun than “educated” complaining.
I had an AMD EPYC 7282 on a Supermicro H11SSL-i not waking up after june’s Server 2019 updates. IPMI shows none of the CPU sensors info. Kept the 1 TB nvme boot drive untouched. So does anyone know someone at AMD that could do a postmortem on that CPU to figure WTF M$ is up to? I paid good money last summer for a pair of 7282 and never had any AMD Opteron or Epyc get bricked by monthly updates.
Assuming you reported the issue to AMD already before posting…
It’s always been and is always going to be this way. You got stung.
Are all mb/etc firmware/chipset drivers all the way current already?
Virtu layer or bare metal? Try wipe UEFI back to factory spec first?
Clone boot drive to another stick, get to work on a rollback/reinstall.
Keep monthly-cloned boot drive on shelf to alternate with as spare.
(But you know all this, just like you know AMD isn’t going to track this
issue down for you any faster than some random M$dc forum does.)
I tried an Asrock rack EpycD8 mobo and still got no cpu sensor info in the ipmi. replaced the 7282 cpu and was able to restore a backup to a 256GB nvme and booted normally. So it’s definitely the cpu that got bricked. This was a vanilla server 2019 install with a soft raid5 array of 6×18 TB for storing movies and series. Also 4 nvidia RTX A4000 graphics cards for AI experiments with video files. I keep all drivers, firmware and windows up to date. Now feel torn about the windows updates… F*-K M$.
Corrections: looking in eventvwr i found it was after doing may 2023 win server 2019 updates the epyc cpu died.
Also the raid5 array holds 3.7 million ebooks from libgen.rs for AI experiments, not videos.
I have a desktop partitioned between Windows 10 and Ubuntu 20.04 LTS. I keep Windows around for printing and scanning…and just in case Ubuntu goes south. No important files are stored in Windows. I routinely delay Windows updates for several days, to allow Msoft to iron out any wrinkles. This month KB 5027215 kept downloading and then failing to install. I attempted several online-recommended fixes, and none of the succeeded. I was ready to take drastic measures, but then all records of unsuccessful installations disappeared, and Windows stopped trying to install the update. I have a new, ironclad rules for Windows updates: each month create a new restore point. If something goes wrong, it’s possible to revert, and find out if a new attempted install can succeed.