Yesterday marked Microsoft June 2024 Patch Tuesday, which introduces security updates for 51 flaws, including eighteen remote code execution (RCE) flaws and one publicly disclosed zero-day vulnerability.
Key Fixes in This Update
- Critical Vulnerability: This Patch Tuesday addressed 18 RCE flaws but only one critical vulnerability—a remote code execution vulnerability in Microsoft Message Queuing (MSMQ).
Breakdown of Vulnerabilities
- 25 Elevation of Privilege Vulnerabilities
- 18 Remote Code Execution Vulnerabilities
- 3 Information Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
(Note: The total count of 51 flaws does not include the 7 Microsoft Edge flaws fixed on June 3rd.)
Publicly Disclosed Zero-Day
This month’s Patch Tuesday addresses one publicly disclosed zero-day vulnerability. Notably, no actively exploited flaw was fixed today. Microsoft classifies a zero-day as a flaw that is publicly disclosed or actively exploited without an official fix available.
The publicly disclosed zero-day vulnerability is the previously disclosed ‘Keytrap’ attack in the DNS protocol, which Microsoft has now fixed as part of today’s updates.
- CVE-2023-50868:
- Description: NSEC3, the closest encloser proof, can exhaust CPU.
- Impact: This vulnerability in DNSSEC validation could be exploited by attackers to use excessive resources on a resolver, causing a denial of service for legitimate users.
- History: This flaw was previously disclosed in February and patched in numerous DNS implementations, including BIND, PowerDNS, Unbound, Knot Resolver, and Dnsmasq.
Other Notable Fixes
- Microsoft Office: Multiple remote code execution flaws, including those in Microsoft Outlook, that can be exploited from the preview pane.
- Windows Kernel: Seven privilege elevation flaws that could allow a local attacker to gain SYSTEM privileges.
To access the full description of each vulnerability and the systems it affects, you can view the full report here
Recent Updates from Other Companies
Several other vendors also released updates or advisories in June 2024:
- Apple: Fixed 21 security flaws in the visionOS 1.2 release.
- ARM: Fixed an actively exploited bug in Mali GPU kernel drivers.
- Cisco: Released security updates for Cisco Finesse and Webex.
- Cox: Fixed an API authentication bypass bug affecting millions of modems.
- F5: Released security updates for two high-severity BIG-IP Next Central Manager API flaws.
- PHP: Fixed a critical RCE flaw actively exploited in ransomware attacks.
- TikTok: Fixed an exploited zero-day, zero-click flaw in their direct messages feature.
- VMware: Fixed three zero-day bugs exploited at Pwn2Own 2024.
- Zyxel: Released an emergency RCE patch for end-of-life NAS devices.