2024-06-13
Microsoft Patch Tuesday
On Tuesday, June 11, Microsoft released fixes for more than 50 security issues. One of the flaws, a low-complexity use-after-free vulnerability in Microsoft Message Queuing (MSMQ) (CVE-2024-30080), is rated critical; all the rest are rated important. Of those, one is a denial-of-service issue in DNSSEC implementations (CVE-2023-50868) that was reported in February. Another of the important issues is a zero-click vulnerability in Outlook that could be exploited to bypass Outlook registry block lists.
Editor's Note
Don't let the small number of vulnerabilities, and the fact that only one is labeled "critical", fool you. The MSMQ issue has a lot of potential. The "no click code execution" in Outlook will be discussed in depth at Defcon, and it is very much possible that an exploit will emerge around that time, if not earlier. The patch for the DNSSEC vulnerability, while only a DoS issue, was long overdue and the issue has been known since February.
Johannes Ullrich
CVE-2024-30080, MSMQ flaw, CVSS score 9.8, can be exploited remotely without any user interaction to execute arbitrary code, and is accessed over port 1801. Make sure that you're not exposing that port to the Internet. CVE-2024-50868, DNSSEC DOS/CPU exhaustion, CVSS score 7.5, aka KEYTRAP, warrants pushing the update to your servers as it impacts not just the Microsoft DNS server.
Lee Neely
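The commentary above advises confirming that MSMQ's TCP port 1801 is not exposed. The following PowerShell script is an added, defender-side host check and is not from the newsletter or from Microsoft: it reports whether the MSMQ service is installed, whether anything is listening on TCP 1801, and which enabled inbound firewall rules would allow that traffic. It assumes a Windows 10/11 or Windows Server host with the built-in NetTCPIP and NetSecurity modules and an elevated session; the variable names and output strings are the example's own.

```powershell
# Added example (not the newsletter's or Microsoft's code): host-side check for MSMQ exposure.
# Assumes built-in NetTCPIP / NetSecurity modules; run from an elevated PowerShell session.

$MsmqPort = 1801   # MSMQ TCP port named in the commentary above

# 1. Is the MSMQ service present, and is it running?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "MSMQ service is not installed on this host."
} else {
    Write-Host "MSMQ service status: $($svc.Status)"
}

# 2. Is any process listening on TCP 1801 right now?
$listeners = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Listening on {0}:{1} (PID {2}, {3})" -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Host "Nothing is listening on TCP $MsmqPort."
}

# 3. Which enabled inbound allow rules would admit TCP 1801 (explicitly, or via 'Any')?
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
        (($pf.LocalPort -contains "$MsmqPort") -or ($pf.LocalPort -contains 'Any'))
    }

if ($allowRules) {
    foreach ($r in $allowRules) {
        $pf = $r | Get-NetFirewallPortFilter
        Write-Host ("Inbound allow rule '{0}' profile={1} ports={2}" -f `
            $r.DisplayName, $r.Profile, ($pf.LocalPort -join ','))
    }
} else {
    Write-Host "No enabled inbound allow rule covers TCP $MsmqPort."
}

# 4. Summary: a listener plus an allow rule on the Public profile is the combination to review.
$publicExposure = $allowRules | Where-Object { "$($_.Profile)" -match 'Public|Any' }
if ($listeners -and $publicExposure) {
    Write-Host "REVIEW: MSMQ is listening and an inbound allow rule applies to the Public profile."
} elseif ($listeners) {
    Write-Host "MSMQ is listening, but no Public-profile allow rule was found; check perimeter filtering."
} else {
    Write-Host "No MSMQ listener found; no local exposure on TCP $MsmqPort."
}
```

This only answers whether the host itself would accept the connection; whether port 1801 is reachable from the Internet also depends on perimeter firewalls and NAT, so pair it with an external reachability check (for example, `Test-NetConnection -ComputerName <public-address> -Port 1801` run from outside the network) and apply the June update regardless.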
Read more in
ISC: Microsoft Patch Tuesday June 2024
Krebs on Security: Patch Tuesday, June 2024 Recall Edition
The Hacker News: Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
SC Magazine: Critical low complexity Windows bug patched; Part of June 2024 Patch Tuesday
Dark Reading: Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw
The Register: Let's kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows
Security Week: Microsoft Patches Zero-Click Outlook Vulnerability That Could Soon Be Exploited