Microsoft Rectifies 51 Security Flaws Including a Critical MSMQ Vulnerability

June 12, 2024

Microsoft has released security patches for 51 vulnerabilities as part of its June 2024 Patch Tuesday updates. One of them is rated critical and the rest are rated important. The release follows the resolution of 17 vulnerabilities in the Chromium-based Edge browser over the previous month. No active exploitation of these flaws has been reported, but one of them was publicly known at the time of release: CVE-2023-50868, a third-party advisory for a denial-of-service issue in the DNSSEC validation process that could lead to CPU exhaustion on a DNSSEC-validating resolver. It was flagged by the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt in February, along with KeyTrap (CVE-2023-50387).

Tyler Reguly, associate director of Security R&D at Fortra, explained, 'NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence. By proving that a record doesn't exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.' He further noted that products other than Microsoft's are affected by this protocol-level vulnerability, with well-known DNS servers such as BIND, PowerDNS, dnsmasq, and others also releasing updates to address the issue.
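The "evidence of the surrounding records" idea can be shown with the RFC 5155 hashing and covering check sketched below; this is an added example, not code from the article or from any vendor, and it covers only the hash-range test, not signature verification or the closest-encloser and wildcard steps of a full proof. The zone names are constructed, and the salt and iteration count are the sample values from RFC 5155 Appendix A.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex ("extended hex"), lowercase as used in NSEC3 owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

# Constructed sample zone; salt and iteration count are the RFC 5155 Appendix A values.
ZONE_NAMES = ["example", "ns1.example", "www.example", "mail.example"]
SALT_HEX, ITERATIONS = "aabbccdd", 12

def wire_name(name):
    """Canonical DNS wire format: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1 over name||salt, then re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # every extra iteration is validator CPU per lookup
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def build_chain(names):
    """Sort the hashed owner names and link each to the next (last wraps to first)."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covers(owner_hash, next_hash, name_hash):
    """True if name_hash falls strictly inside the gap owner_hash..next_hash."""
    if owner_hash < next_hash:
        return owner_hash < name_hash < next_hash
    return name_hash > owner_hash or name_hash < next_hash  # wrap-around record

def denied_by(chain, name):
    """Return the NSEC3 pair proving `name` has no hashed owner, or None if it exists."""
    h = nsec3_hash(name)
    return next((pair for pair in chain if covers(*pair, h)), None)

if __name__ == "__main__":
    chain = build_chain(ZONE_NAMES)
    for qname in ("ns1.example", "nope.example"):
        print(qname, nsec3_hash(qname), denied_by(chain, qname))
```

Because each lookup costs one SHA-1 call plus one per iteration, the iteration count a zone advertises directly sets the work a validating resolver must do for every candidate name.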

The most critical of the flaws fixed in this update is a remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080). To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server, potentially resulting in remote code execution on the server side, according to Microsoft.

Also addressed were several other RCE bugs, affecting Microsoft Outlook (CVE-2024-30103) and the Windows Wi-Fi Driver (CVE-2024-30078), and multiple privilege escalation flaws in the Windows Win32 Kernel Subsystem (CVE-2024-30086), the Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082). Morphisec, the cybersecurity firm that discovered CVE-2024-30103, noted that the flaw could trigger code execution without requiring users to interact with the email content. 'This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,' said security researcher Michael Gorelik. 'Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.'

In addition to Microsoft, other vendors have also issued security updates in recent weeks to fix several vulnerabilities.
