Patches Released by Microsoft for 51 Issues, Featuring Critical MSMQ Vulnerability

June 12, 2024NewsroomPatch Tuesday / Vulnerability

Microsoft has rolled out security updates to fix 51 vulnerabilities in its June 2024 Patch Tuesday updates.

Of these 51 flaws, one is rated Critical and 50 are rated Important. These updates follow the resolution of 17 vulnerabilities in the Chromium-based Edge browser in the previous month.

None of the security flaws have been reported as actively exploited, although one of them was publicly known prior to the release.

One of the highlighted issues is a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service flaw in the DNSSEC validation process that can cause CPU exhaustion on a DNSSEC-validating resolver.

This particular vulnerability, along with KeyTrap (CVE-2023-50387, CVSS score: 7.5), was initially reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February.

“NSEC3 is an enhanced iteration of NSEC (Next Secure), offering authenticated denial of existence,” shared Tyler Reguly, associate director of Security R&D at Fortra in a statement. “By demonstrating the absence of a record (with proof of surrounding records), it aids in guarding against DNS Cache poisoning for non-existent domains.”

“Given that this vulnerability operates at the protocol level, it affects not only Microsoft products but also impacts other renowned DNS servers such as bind, powerdns, dnsmasq, and others, which have also released updates to address this issue,” he added.

The most critical flaw addressed in this month’s update is a severe remote code execution (RCE) vulnerability in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).

According to Microsoft, “Exploiting this vulnerability necessitates sending a specifically crafted malicious MSMQ packet to an MSMQ server, leading to potential remote code execution on the server.”

Microsoft has also fixed several other RCE vulnerabilities impacting Microsoft Outlook (CVE-2024-30103) and the Windows Wi-Fi Driver (CVE-2024-30078), as well as multiple privilege escalation flaws in the Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.

Cybersecurity company Morphisec, which discovered CVE-2024-30103, warned that the flaw could be used to trigger code execution without the need for user interaction with email content.

“Due to the lack of user interaction required and the simplicity of the exploit, there is an increased chance of threat actors leveraging this vulnerability for initial access,” security researcher Michael Gorelik said.

“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”

Software Updates by Different Providers

Aside from Microsoft, other vendors have also released security updates in the past few weeks to fix multiple vulnerabilities, including —
