The June edition of Microsoft’s Patch Tuesday includes fixes for around 50 vulnerabilities, including seven zero-days – six of which were being exploited in the wild.
“Two of these zero-days, which Kaspersky discovered, were used in conjunction with Google Chrome and were at the root of a chain of exploits in highly targeted attacks against multiple companies this past April,” security vendor Qualys’ senior manager, vulnerability and threat research, Bharat Jogi told us.
The vulnerabilities ranged from remote code execution (RCE) bugs, denial-of-service issues, privilege escalation, and memory corruption issues.
In its analysis of the patches, Qualys notes that a majority of the fixes address vulnerabilities in various Adobe products including Acrobat Reader, Photoshop, Creative Cloud Desktop Application, After Effects, and more.
The patches also addressed the last of the four vulnerabilities that could’ve been exploited to execute malicious code in Microsoft Excel and Microsoft Office 365.
Measuring vulnerabilities
Some of the cybersecurity experts that TechRadar Pro spoke to pointed out that many of the vulnerabilities that were being exploited in the wild had a pretty low Common Vulnerability Scoring System (CVSS) score.
“Sure, there are CVEs listed with a score of 9.4 – but a CVE with a score of 5.2 that is being actively exploited must take center stage and be patched as a matter of priority above the rest,” said Immersive Labs’ Director of Cyber Threat Research, Kevin Breen.
Meanwhile, software vendor Ivanti’s Senior Director of Product Management, Chris Goettl, believes the fact that many of the exploited vulnerabilities have lower CVSS scores, can lead to some organizations simply gleaning over them.
“This brings an important prioritization challenge to the forefront this month — severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases. Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware,” suggests Goettl.
