Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.
Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.
None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.
This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.
It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).
“NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. “By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.”
“Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.”
The most severe of the flaws fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,” Microsoft said. “This could result in remote code execution on the server side.”
Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and numerous privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.
Cybersecurity firm Morphisec, which discovered CVE-2024-30103, said the flaw could be used to trigger code execution without requiring users to click or interact with the email content.
“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” security researcher Michael Gorelik said.
“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —