Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.
Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.
None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.
This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.
It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).
“NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. “By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.”
“Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.”
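As an added illustration (not part of the original article or any vendor's code), the Python sketch below implements the NSEC3 owner-name hash from RFC 5155 to show where the validator's CPU time goes, and audits an NSEC3PARAM record against the RFC 9276 guidance. The function names are hypothetical, and the sample zone parameters are the constructed example values from RFC 5155 Appendix A.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648); map it from the standard alphabet.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    """Canonical (lowercase) DNS wire format of a domain name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: one SHA-1 pass plus `iterations` more, salt appended each time."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def ancestor_hash_cost(qname, zone, iterations):
    """SHA-1 calls to hash qname and every ancestor up to the zone apex."""
    candidates = len(_labels(qname)) - len(_labels(zone)) + 1
    return candidates * (iterations + 1)

def audit_nsec3param(rdata):
    """Check NSEC3PARAM rdata ('alg flags iterations salt') against RFC 9276."""
    _alg, _flags, iterations, salt = rdata.split()
    findings = []
    if int(iterations) > 0:
        findings.append(f"iterations={iterations}, RFC 9276 requires 0")
    if salt != "-":
        findings.append("salt present, RFC 9276 recommends none")
    return findings

if __name__ == "__main__":
    # Constructed inputs: the RFC 5155 Appendix A example zone parameters.
    print(nsec3_hash("example", "aabbccdd", 12))
    print(ancestor_hash_cost("a.b.c.example", "example", 12))
    print(audit_nsec3param("1 0 12 aabbccdd"))
```

Each hashed name costs iterations + 1 SHA-1 calls, so the work a validating resolver does per denial-of-existence answer grows with both the iteration count chosen by the zone and the number of ancestor names it has to hash.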
The most severe of the flaws fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,” Microsoft said. “This could result in remote code execution on the server side.”
Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and numerous privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.
Cybersecurity firm Morphisec, which discovered CVE-2024-30103, said the flaw could be used to trigger code execution without requiring users to click or interact with the email content.
“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” security researcher Michael Gorelik said.
“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —