Microsoft patches six serious security vulnerabilities that were being actively exploited
Many exploited vulnerabilities have a low CVSS score
The June edition of Microsoft’s Patch Tuesday includes fixes for around 50 vulnerabilities, including seven zero-days - six of which were being exploited in the wild.
“Two of these zero-days, which Kaspersky discovered, were used in conjunction with Google Chrome and were at the root of a chain of exploits in highly targeted attacks against multiple companies this past April,” security vendor Qualys’ senior manager, vulnerability and threat research, Bharat Jogi told us.
The vulnerabilities included remote code execution (RCE) bugs, denial-of-service issues, privilege escalation flaws, and memory corruption issues.
In its analysis of the patches, Qualys notes that a majority of the fixes address vulnerabilities in various Adobe products including Acrobat Reader, Photoshop, Creative Cloud Desktop Application, After Effects, and more.
The patches also addressed the last of the four vulnerabilities that could’ve been exploited to execute malicious code in Microsoft Excel and Microsoft Office 365.
Measuring vulnerabilities
Some of the cybersecurity experts that TechRadar Pro spoke to pointed out that many of the vulnerabilities that were being exploited in the wild had a pretty low Common Vulnerability Scoring System (CVSS) score.
“Sure, there are CVEs listed with a score of 9.4 – but a CVE with a score of 5.2 that is being actively exploited must take center stage and be patched as a matter of priority above the rest,” said Immersive Labs’ Director of Cyber Threat Research, Kevin Breen.
Meanwhile, software vendor Ivanti’s Senior Director of Product Management, Chris Goettl, believes the fact that many of the exploited vulnerabilities have lower CVSS scores can lead some organizations to simply gloss over them.
“This brings an important prioritization challenge to the forefront this month — severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases. Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware,” suggests Goettl.
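The prioritization problem Breen and Goettl describe can be made concrete with a small sorting rule. The following is an added illustration, not code from TechRadar, Qualys, Ivanti or Microsoft: it ranks findings by confirmed in-the-wild exploitation and a local exposure signal before falling back to the CVSS base score, so a 5.2 that is being exploited lands above an unexploited 9.4. The CVE identifiers, scores and flags in the sample data are constructed placeholders, and the "reachable" exposure field is an assumed telemetry input.

```python
"""Risk-based patch prioritization: exploited bugs outrank a high CVSS score.

Added example. All identifiers, scores and flags below are constructed
sample data, not the June Patch Tuesday advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str          # identifier (constructed placeholder in SAMPLE)
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploited: bool   # confirmed exploitation in the wild (vendor note, KEV-style list)
    reachable: bool = True  # assumed local telemetry: asset exposed to the attack path

    def __post_init__(self) -> None:
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS score out of range: {self.cvss}")


def risk_key(f: Finding) -> tuple:
    """Sort key: exploited first, then exposed assets, then CVSS descending.

    Booleans are negated because sorted() orders False before True.
    """
    return (not f.exploited, not f.reachable, -f.cvss)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Risk-based order: real-world exploitation dominates the base score."""
    return sorted(findings, key=risk_key)


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """Naive order used by teams that patch purely by severity rating."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample: the two numbers quoted in the article (9.4 unexploited,
# 5.2 actively exploited) plus two more rows to show the exposure tie-break.
SAMPLE = [
    Finding("CVE-0000-0001", 9.4, exploited=False),
    Finding("CVE-0000-0002", 5.2, exploited=True),
    Finding("CVE-0000-0003", 7.8, exploited=True),
    Finding("CVE-0000-0004", 8.8, exploited=False, reachable=False),
]


def patch_order(findings: list[Finding] = SAMPLE) -> list[str]:
    """CVE ids in the order a risk-based program would patch them."""
    return [f.cve for f in prioritize(findings)]


def severity_order(findings: list[Finding] = SAMPLE) -> list[str]:
    """CVE ids in pure CVSS order, for comparison."""
    return [f.cve for f in cvss_only(findings)]


if __name__ == "__main__":
    print("CVSS only :", severity_order())
    print("Risk-based:", patch_order())
```

Run stand-alone, the script prints the two orderings side by side; the risk-based list puts both exploited CVEs ahead of the 9.4, and pushes the unreachable 8.8 to the end. In practice the `exploited` flag would be populated from vendor advisories or a known-exploited list and `reachable` from asset inventory or EDR telemetry rather than hard-coded.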
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.