Microsoft's Patch Tuesday instalment for June 2024 includes patches for 51 vulnerabilities, a decrease from the 61 fixes seen in May. Only 1 of this month's fixes is rated critical, and only 1 addresses a publicly disclosed flaw.
The only critical vulnerability this month affects Microsoft Message Queuing (MSMQ), a messaging protocol that ensures reliable message delivery between applications, even when they are temporarily offline. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on the server. MSMQ is disabled by default and must be enabled for a system to be vulnerable.
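Because a system is only vulnerable when MSMQ is enabled, a quick host check helps decide which servers to patch first. The following PowerShell is an added example, not part of the original article or Microsoft's guidance; it assumes the Windows service name `MSMQ` and the default MSMQ listener port TCP 1801, and the function name `Test-MsmqExposure` is hypothetical.

```powershell
# Added example: report whether this host has MSMQ installed, running and listening.
# Assumptions: service name "MSMQ" and default listener port TCP 1801.
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # default MSMQ port (assumption, override if changed)
    )

    # The MSMQ service only exists when the Message Queuing feature is installed.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Look for any TCP listener on the MSMQ port, independent of service state.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen `
                   -ErrorAction SilentlyContinue)

    $running = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        MsmqInstalled = [bool]$svc
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartType     = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        PortListening = $listeners.Count -gt 0
        ListenAddress = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        # Flag the host when MSMQ is running or something is bound to the port.
        PatchFirst    = $running -or ($listeners.Count -gt 0)
    }
}

Test-MsmqExposure | Format-List
```

A host reporting `PatchFirst : True` has MSMQ enabled and should receive the June update ahead of systems where the feature is absent.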
This important denial of service vulnerability was the only publicly disclosed flaw this month. The vulnerability affects DNSSEC validation. An attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. An official fix is now available for this flaw and should be applied as soon as possible.
This important vulnerability in Windows Wi-Fi Driver could enable remote code execution if exploited correctly. An unauthenticated attacker could exploit this vulnerability by sending a malicious networking packet to an adjacent system that employs a Wi-Fi networking adapter. Successful exploitation requires the attacker to be within proximity of the target system to send and receive radio transmissions.
Another remote code execution vulnerability was patched this month, this time in Microsoft Office. Successful exploitation of this flaw requires a user to open a malicious email with an affected version of Microsoft Outlook and then perform specific actions to trigger the vulnerability. The attacker is also required to win a race condition to be successful, making attack complexity high for this flaw. Microsoft has also noted that the preview pane is an attack vector; however, additional user interaction is required. An official fix is available for this vulnerability and should be applied at the earliest opportunity.
For a full list of this month’s updates, please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Jun
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.