Microsoft patches six serious security vulnerabilities that were being actively exploited

representational image of a cloud firewall
(Image credit: Pixabay)
Audio player loading…

The June edition of Microsoft (opens in new tab)’s Patch Tuesday includes fixes for around 50 vulnerabilities, including seven zero-days - six of which were being exploited in the wild.

“Two of these zero-days, which Kaspersky (opens in new tab) discovered, were used in conjunction with Google Chrome (opens in new tab) and were at the root of a chain of exploits in highly targeted attacks against multiple companies this past April," security vendor Qualys’ senior manager, vulnerability and threat research, Bharat Jogi told us.

The vulnerabilities ranged from remote code execution (RCE) bugs, denial-of-service issues, privilege escalation, and memory corruption issues.

In its analysis of the patches (opens in new tab), Qualys notes that a majority of the fixes address vulnerabilities in various Adobe products including Acrobat Reader (opens in new tab), Photoshop (opens in new tab), Creative Cloud (opens in new tab) Desktop Application, After Effects (opens in new tab), and more.

The patches also addressed the last of the four vulnerabilities (opens in new tab) that could’ve been exploited to execute malicious code in Microsoft Excel (opens in new tab) and Microsoft Office 365 (opens in new tab).

Measuring vulnerabilities

Some of the cybersecurity (opens in new tab) experts that TechRadar Pro spoke to pointed out that many of the vulnerabilities that were being exploited in the wild had a pretty low Common Vulnerability Scoring System (CVSS) score.

“Sure, there are CVEs listed with a score of 9.4 – but a CVE with a score of 5.2 that is being actively exploited must take center stage and be patched as a matter of priority above the rest,” said Immersive Labs’ Director of Cyber Threat Research, Kevin Breen.

Meanwhile, software vendor Ivanti’s Senior Director of Product Management, Chris Goettl, believes the fact that many of the exploited vulnerabilities have lower CVSS scores, can lead to some organizations simply gleaning over them. 

“This brings an important prioritization challenge to the forefront this month — severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases. Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware,” suggests Goettl.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.