Cyber Defense Advisors

Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.

Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.

None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.

This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.

It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).

“NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. “By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.”

“Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.”

The most severe of the flaws fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).

“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,” Microsoft said. “This could result in remote code execution on the server side.”

Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and numerous privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.

Cybersecurity firm Morphisec, which discovered CVE-2024-30103, said the flaw could be used to trigger code execution without requiring users to click or interact with the email content.

“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” security researcher Michael Gorelik said.

“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —

Adobe
Amazon Web Services
AMD
Apple visionOS
Arm
ASUS
Atlassian
AutomationDirect
Bosch
Broadcom (including VMware)
Cisco
Citrix
Cox
D-Link
Dell
Drupal
F5
Fortinet
Fortra Tripwire Enterprise
GitLab
Google Android
Google Chrome
Google Cloud
Google Wear OS
Hitachi Energy
HP
HP Enterprise
HP Enterprise Aruba Networks
IBM
Ivanti
Jenkins
Juniper Networks
Lenovo
Linux distributions Debian, Oracle Linux, Red Hat,
SUSE, and Ubuntu
MediaTek
Mitsubishi Electric
Mozilla Firefox and Firefox ESR
NETGEAR
NVIDIA
PHP
Progress Software
QNAP
Qualcomm
Samsung
SAP
Schneider Electric
Siemens
SolarWinds
Sophos
Synology
TP-Link
Trend Micro
Veeam
Veritas
Zoho ManageEngine ServiceDesk Plus
Zoom, and
Zyxel

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.