No Zero-Days but PGM Flaws Cause Patch Tuesday Concern

From infosecurity-magazine.com

System administrators breathed a sigh of relief yesterday after Microsoft issued a relatively light patch update round, with no zero-day vulnerabilities and only six critical CVEs on the list.

However, there was still some work to do. Among the 78 CVEs addressed was a critical SharePoint elevation of privilege bug (CVE-2023-29357), which Adam Barnett, lead software engineer at Rapid7, said organizations should prioritize.

“Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely,” he added.

“At time of writing, the FAQ provided with Microsoft’s advisory suggests that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, but neither the advisory nor the SharePoint 2016 Release history list any related patches for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency.”