Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint
A relatively quiet month
In Microsoft’s June 2024 Patch Tuesday, the software giant has released fixes for more than 50 security vulnerabilities in Microsoft Windows, Microsoft 365, Visual Studio, Edge, SharePoint and Outlook.
The updates in this relatively quiet month include fixes for 18 remote code execution (RCE) flaws, one of which, a bug in Microsoft Message Queuing (MSMQ), is rated as "critical", since an attacker or malware could exploit the vulnerability remotely to take control of a user's system without any interaction from the user.
Tracked as CVE-2024-30080 (CVSS severity score 9.8 out of 10), the MSMQ flaw could allow attackers to execute code on Windows devices. Kev Breen, senior director of threat research at Immersive Labs, said that while MSMQ (a protocol that allows Windows servers to communicate reliably across different networks) is not switched on by default in Windows, there are still a significant number of potentially vulnerable devices that could be exploited.
"A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSMQ servers that could be vulnerable to zero-day attacks if not patched quickly," Breen said.
Diksha Ojha, technical content developer at Qualys, said that to exploit this vulnerability, an attacker could send a malicious MSMQ packet to an MSMQ server.
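Because MSMQ is off by default but exposed on a surprising number of hosts, the first defensive step is an inventory of where it is installed, running and reachable. The script below is an added example, not code from the article or from any of the vendors quoted; it assumes the service is registered under the name "MSMQ" and listens on its standard TCP port 1801, and it should be run in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the article): inventory MSMQ exposure on a Windows host
# ahead of, or after, applying the June 2024 update for CVE-2024-30080.
# Assumptions: the MSMQ service is named "MSMQ" and listens on TCP 1801 (its standard port).

function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    $svc       = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $installed = $null -ne $svc
    $running   = $installed -and ($svc.Status -eq 'Running')

    # Listening sockets on the MSMQ port; 0.0.0.0 / :: means bound on every interface
    $listeners = @()
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    }
    $boundAll = @($listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })

    # Enabled inbound firewall rules that allow traffic to TCP 1801
    $fwRules = @()
    if (Get-Command Get-NetFirewallPortFilter -ErrorAction SilentlyContinue) {
        $fwRules = @(Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -eq '1801' } |
            Get-NetFirewallRule -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MsmqInstalled       = $installed
        MsmqRunning         = $running
        ListeningOn1801     = $listeners.Count -gt 0
        BoundAllInterfaces  = $boundAll.Count -gt 0
        InboundAllowRules   = @($fwRules | Select-Object -ExpandProperty DisplayName)
        # Exposed: service up, bound on all interfaces, and a firewall rule lets traffic in
        Exposed             = $running -and ($boundAll.Count -gt 0) -and ($fwRules.Count -gt 0)
    }
}

Get-MsmqExposure | Format-List
```

Hosts reporting Exposed = True belong at the top of the patch queue; where MSMQ is not actually needed, removing the feature or restricting the inbound rule closes the exposure independently of the update.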
Microsoft patched one zero-day bug (MITRE CVE-2023-50868) this month that had been disclosed previously. According to Ojha: "The vulnerability exists in DNSSEC validation that may allow an attacker to exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users."
Seven patches for Windows Kernel privilege elevation flaws were also included in this month's updates, and Microsoft also fixed a number of serious security issues with Office applications, including Outlook RCEs that can be exploited from the preview pane.
Adam Barnett, lead software engineer at Rapid7, said: "CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition. CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless has a slightly higher CVSS base score of 7.8, as exploitation relies solely on the user opening a malicious file."
This month also brings a patch for SharePoint RCE CVE-2024-30100. The advisory provides scant detail on its nature or mode of exploitation. Also receiving minimalistic coverage is a privilege escalation vulnerability in Cloud Files Mini Filter Driver CVE-2024-30085, which Breen said should be "high on the list for patching."
In terms of priorities, the Windows OS update is the most urgent, said Chris Goettl, VP of security products at Ivanti. "Between the Critical CVE (CVE-2024-30080) and the publicly disclosed CVE (CVE-2023-50868), the most significant risks can be resolved with the OS update."
In addition to the security updates, Microsoft also released non-security updates for Windows 11 and Windows 10. Seven Microsoft Edge flaws were patched on 3rd June.