Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.
Of the 51 vulnerabilities, one is rated Important and 50 are rated Vital. That is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.
None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.
This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.
It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).
“NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. “By proving that a record does not exist (with proof of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.”
“Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.”
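The validation cost behind this class of issue comes from the NSEC3 hash itself. The following is an added example, not code from the article or from any vendor: it computes the RFC 5155 NSEC3 hash and checks a zone's NSEC3PARAM values against a local policy. The function names and the `MAX_ITERATIONS` limit are assumptions; the sample parameters are those of the RFC 5155 Appendix A example zone.

```python
"""NSEC3 owner-name hashing (RFC 5155) and an iteration-count policy check."""
import base64
import hashlib

# Map the RFC 4648 base32 alphabet onto base32hex, which NSEC3 owner names use.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)
MAX_ITERATIONS = 0                 # assumed local limit; RFC 9276 recommends 0
SAMPLE_PARAM = "1 0 12 aabbccdd"   # NSEC3PARAM of the RFC 5155 Appendix A zone


def to_wire(name: str) -> bytes:
    """Encode a domain name in lowercase DNS wire format."""
    name = name.rstrip(".").lower()
    if not name:                   # the root name is a single zero octet
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Return the base32hex NSEC3 hash of a name (hash algorithm 1, SHA-1)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):    # every extra iteration is one more SHA-1 call
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def sha1_calls(names_to_hash: int, iterations: int) -> int:
    """SHA-1 invocations a validator spends hashing the given number of names."""
    return names_to_hash * (iterations + 1)


def check_nsec3param(rdata: str) -> list[str]:
    """Flag NSEC3PARAM rdata ('alg flags iterations salt') that breaks policy."""
    alg, _flags, iterations, salt = rdata.split()
    findings = []
    if alg != "1":
        findings.append(f"unknown hash algorithm {alg}")
    if int(iterations) > MAX_ITERATIONS:
        findings.append(f"iterations {iterations} exceeds limit {MAX_ITERATIONS}")
    if salt != "-":
        findings.append("salt in use (RFC 9276 recommends none)")
    return findings
```

Running `check_nsec3param` over the NSEC3PARAM record of each zone you operate shows which ones still carry extra iterations or a salt.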
The most severe of the flaws fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,” Microsoft said. “This could result in remote code execution on the server side.”
Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and numerous privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.
Cybersecurity firm Morphisec, which discovered CVE-2024-30103, said the flaw could be used to trigger code execution without requiring users to click or interact with the email content.
“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” security researcher Michael Gorelik said.
“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —