Microsoft patches six serious security vulnerabilities that were being actively exploited
Many exploited vulnerabilities have a low CVSS score
The June edition of Microsoft’s Patch Tuesday includes fixes for around 50 vulnerabilities, including seven zero-days - six of which were being exploited in the wild.
“Two of these zero-days, which Kaspersky discovered, were used in conjunction with Google Chrome and were at the root of a chain of exploits in highly targeted attacks against multiple companies this past April,” security vendor Qualys’ senior manager, vulnerability and threat research, Bharat Jogi told us.
The vulnerabilities include remote code execution (RCE) bugs, denial-of-service issues, privilege escalation flaws, and memory corruption issues.
In its analysis of the patches, Qualys notes that a majority of the fixes address vulnerabilities in various Adobe products including Acrobat Reader, Photoshop, Creative Cloud Desktop Application, After Effects, and more.
The patches also addressed the last of the four vulnerabilities that could’ve been exploited to execute malicious code in Microsoft Excel and Microsoft Office 365.
Measuring vulnerabilities
Some of the cybersecurity experts that TechRadar Pro spoke to pointed out that many of the vulnerabilities that were being exploited in the wild had a pretty low Common Vulnerability Scoring System (CVSS) score.
“Sure, there are CVEs listed with a score of 9.4 – but a CVE with a score of 5.2 that is being actively exploited must take center stage and be patched as a matter of priority above the rest,” said Immersive Labs’ Director of Cyber Threat Research, Kevin Breen.
Meanwhile, software vendor Ivanti’s Senior Director of Product Management, Chris Goettl, believes that because many of the exploited vulnerabilities carry lower CVSS scores, some organizations may simply gloss over them.
“This brings an important prioritization challenge to the forefront this month — severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases. Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware,” suggests Goettl.
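The prioritization point both Breen and Goettl make can be shown in a few lines. The following is an added example, not code from the article or from any of the vendors quoted: it ranks a constructed set of vulnerabilities (placeholder identifiers, not real CVE numbers) first by a naive CVSS-only rule and then by a risk-based rule in which an “exploited in the wild” flag outranks the score, reproducing the 9.4-versus-exploited-5.2 contrast from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder identifier, not a real CVE number
    cvss: float       # CVSS base score as published by the vendor
    exploited: bool   # "exploited in the wild" flag from threat telemetry


def cvss_order(vulns):
    """Naive triage: highest CVSS score first, exploitation status ignored."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: -v.cvss)]


def risk_based_order(vulns):
    """Risk-based triage: every actively exploited item outranks every
    non-exploited one, however high its score; CVSS only orders items
    within each of the two groups."""
    return [v.vuln_id for v in
            sorted(vulns, key=lambda v: (not v.exploited, -v.cvss))]


def patch_tier(v):
    """Assign a patch window that puts exploitation ahead of raw score."""
    if v.exploited:
        return "patch now"
    if v.cvss >= 9.0:
        return "patch this cycle"
    return "schedule"


# Constructed sample mirroring the article's contrast between a 9.4 that is
# not exploited and a 5.2 that is. Identifiers are placeholders.
SAMPLE = [
    Vuln("VULN-A", 9.4, False),
    Vuln("VULN-B", 5.2, True),
    Vuln("VULN-C", 7.8, False),
    Vuln("VULN-D", 8.1, True),
]

if __name__ == "__main__":
    print("CVSS-only order: ", cvss_order(SAMPLE))
    print("Risk-based order:", risk_based_order(SAMPLE))
    for v in SAMPLE:
        status = "exploited" if v.exploited else "not exploited"
        print(f"{v.vuln_id} {v.cvss} ({status}) -> {patch_tier(v)}")
```

In the risk-based order the 5.2 lands ahead of the 9.4, which is exactly the reordering Breen argues for.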
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.