Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

Jun 12, 2024 | Newsroom | Patch Tuesday / Vulnerability

Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.

Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.

None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.

This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.

It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).

“NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. “By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.”

“Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.”

The most severe of the issues fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).

“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,” Microsoft stated. “This could result in remote code execution on the server side.”

Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and numerous privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.

Cybersecurity firm Morphisec, which discovered CVE-2024-30103, said the flaw could be used to trigger code execution without requiring users to click or interact with the email content.

“This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” security researcher Michael Gorelik said.

“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
