June Patch Tuesday: Microsoft’s June Patchload Features Fixes for 51 Bugs, Including a Zero-Day One
On Tuesday this week, Microsoft addressed and released fixes for 51 vulnerabilities, including the critical remote code execution flaw in Microsoft Message Queuing (MSMQ). The good news is that just one of the patches released is for a publicly known zero-day exploit. Spiceworks News & Insights lists the three most important vulnerabilities to patch this week.
- This week, Microsoft rolled out fixes for 51 vulnerabilities, excluding the seven it fixed earlier this month, for the June 2024 Patch Tuesday.
- Here’s how you can prioritize applying patches.
The number of vulnerabilities patched on June 2024 Patch Tuesday aligns with expectations for the month. Microsoft’s previous June Patch Tuesdays included fixes for 70 vulnerabilities in 2023, 55 bugs in 2022, and 51 security flaws in 2021.
The June patchload is lighter relative to July, as the latter is the last one before one of the most anticipated cybersecurity conferences of the year, Black Hat, takes place.
“Microsoft decided to be kind this Patch Tuesday, releasing 49 Microsoft assigned CVEs and 9 CVEs from other CNAs, for a total of 58 CVEs. Since seven of those CVEs are Chrome CVEs that were published on June 3rd, we’re looking at 51 new CVEs today,” Tyler Reguly, associate director of Security R&D at Fortra, told Spiceworks News & Insights over email.
“A relatively small number that includes most of the regulars – Office, SharePoint, Windows Kernel, and Dynamics – and includes a few unusual faces – Azure Science Virtual Machines (DSVMs) and the Microsoft Authentication Library and Azure Identity Library for several programming languages.”
Here’s a breakdown of the vulnerabilities fixed this Patch Tuesday:
[Chart: Vulnerability Types Fixed on June Patch Tuesday. Data sourced from Microsoft.]
“While most of these items patched are not seeing exploits in the wild, it is important for system administrators and security personnel to make a judicious effort to patch systems as soon as possible after this release,” Tom Marsland, VP of Technology, Cloud Range, and board chairman of VetSec, told Spiceworks News & Insights.
“This patch Tuesday fixed quite a few remote code execution vulnerabilities, however, the vulnerabilities do require local access to the vulnerabilities in question. These attacks could’ve taken the form of tricking users into opening malicious documents, or other forms of social engineering to exploit these systems and applications, which includes SharePoint, Visual Studio, Microsoft Office, and Microsoft Outlook.”
How to Prioritize Vulnerability Patching
Severity-wise, there are two critical-rated security bugs. However, experts suggest organizations need to prioritize patching the following vulnerabilities:
CVE-2024-30080
CVE-2024-30080 is a 9.8-rated vulnerability residing in MSMQ, Microsoft’s communication protocol for Windows computers on different networks. Exploiting this bug, which has a low attack complexity and requires no privileges or user interaction, can enable the attacker to execute arbitrary code remotely when MSMQ is enabled.
So, the prudent thing to do is to prioritize patching, but if admins are unable to do that, disable the service until the patch can be applied. “A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for ‘msmq.’ Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future,” Reguly added.
Mike Walters, president and co-founder of Action1, on CVE-2024-30080: “An attacker could exploit this vulnerability by sending a specially crafted malicious MSMQ packet to a server, potentially resulting in remote code execution on that server. While no exploit code or proof of concept (PoC) for this vulnerability has been verified, the likelihood of exploitation is considered high.”
CVE-2023-50868
CVE-2023-50868 is a 7.5-rated denial-of-service flaw in Domain Name System Security Extensions (DNSSEC). It has low attack complexity and requires no user interaction or privileges to be exploited. More importantly, this vulnerability is a zero-day, and its proof of concept is publicly available.
“One of the vulnerabilities that we should expect everyone to be looking at and talking about is CVE-2023-50868, a DNSSEC protocol-level denial-of-service. Specifically, a CPU Exhaustion related to the Closest Encloser Proof in NSEC3. NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Reguly continued.
“By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains. NSEC would allow for domain name enumeration, which is prevented in NSEC3. This is prevented by introducing hashing and this hashing, which can be caused at a large scale by this vulnerability, is what leads to the denial-of-service vulnerability.”
Non-Microsoft software affected by CVE-2023-50868 includes bind, powerdns, dnsmasq, and others.
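To make the hashing cost Reguly describes concrete, the following added example (not from the article, Microsoft, or any resolver project) computes an NSEC3 hash as defined in RFC 5155 and counts the SHA-1 calls a validator makes if it hashes every ancestor of a query name. The zone, salt and iteration count 12 follow the RFC 5155 Appendix A sample zone; the query name and the other iteration counts are constructed, and the call count is a simplified model rather than any specific resolver's behaviour.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet used for NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format: length-prefixed labels + root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155: SHA-1 over name||salt, then `iterations` additional rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def encloser_candidates(qname: str, zone: str) -> list:
    """Every ancestor of qname from qname itself down to the zone apex."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if q[-len(z):] != z:
        raise ValueError("qname is not inside zone")
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]

def validator_sha1_calls(qname: str, zone: str, iterations: int) -> int:
    """SHA-1 invocations if every closest-encloser candidate is hashed
    (simplified model: one full iterated hash per candidate name)."""
    return len(encloser_candidates(qname, zone)) * (iterations + 1)

if __name__ == "__main__":
    # Apex hash of the RFC 5155 Appendix A sample zone.
    print(nsec3_hash("example", "aabbccdd", 12))
    # Constructed query name: work grows with label depth and iteration count.
    for iters in (0, 12, 150):
        calls = validator_sha1_calls("a.b.c.d.host.example", "example", iters)
        print(f"iterations={iters:<4} sha1_calls={calls}")
```

The per-response work is the product of label depth and iteration count, which is why capping accepted NSEC3 iterations on validating resolvers bounds the CPU cost.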
CVE-2024-30078
CVE-2024-30078 is a high-rated remote code execution vulnerability in the Windows Wi-Fi driver. It is exploited by sending a malicious networking packet to the target system using a Wi-Fi adapter.
Exploiting CVE-2024-30078 requires the target to be within the attacker’s Wi-Fi range and use a Wi-Fi adapter. “Given its nature, this vulnerability poses a significant risk in endpoint-dense environments, including hotels, trade shows, or anywhere else numerous devices connect to WiFi networks. Attackers can easily target unsuspecting users in these environments, making it critical to understand and mitigate this threat,” Jason Kikta, CISO / SVP of Product at Automox, noted.
“Further, this represents a close access vector that potentially bypasses network-based detections and mitigations. It circumvents most threat modeling, so this is an immediate-patch priority for me. This will generate a high level of interest and I’d expect exploitation tools to be publicly available within days to weeks.”
If patching isn’t immediately possible, Kikta recommends temporarily implementing firewalls and intrusion detection systems.