This June’s Patch Tuesday has been relatively calm for system administrators, with Microsoft releasing updates for only 51 vulnerabilities. Just one of these is rated “critical”. Here is a rundown of what stands out in Microsoft’s release.


Critical Vulnerability: CVE-2024-30080

The main highlight is a fix for a remote code execution (RCE) flaw in Microsoft Message Queuing (MSMQ), labelled as CVE-2024-30080. This bug has a high CVSS score of 9.8, and Microsoft has flagged it as “more likely” to be exploited.

Tyler Reguly, associate director of security R&D at Fortra, recommends caution. “Microsoft suggests disabling the service until you can install the update,” he said. Reguly pointed out the significant risk, noting that a quick Shodan search reveals over a million hosts with port 1801 open and more than 3,500 results for ‘msmq’. “Given this is a remote code execution flaw, I expect it will soon be included in exploit frameworks.”
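Before the update can be rolled out, it helps to know which hosts actually expose MSMQ. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the service is registered under the service name MSMQ and listens on TCP 1801, as the article states, and only stops and disables the service when run with -Disable.

```powershell
# Added example (not from the article). Assumes the Message Queuing service is
# registered as "MSMQ" and listens on TCP 1801 (the port the article mentions).
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # When set, stop the service and prevent it from starting again.
        [switch]$Disable
    )

    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartupType    = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        Port1801Listen = [bool]$listening
        ListenAddress  = ($listening | ForEach-Object { $_.LocalAddress }) -join ','
    }

    # Apply the interim mitigation only when explicitly requested.
    if ($Disable -and $svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name 'MSMQ' -Force
        Set-Service -Name 'MSMQ' -StartupType Disabled
        $result.ServiceStatus = (Get-Service -Name 'MSMQ').Status.ToString()
        $result.StartupType   = 'Disabled'
    }

    return $result
}

# Audit the local host; add -Disable to apply the mitigation.
Get-MsmqExposure | Format-List
```

To survey a fleet, run the function remotely, for example `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-MsmqExposure}`, and treat any host reporting Port1801Listen as true as exposed until the update is installed.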


DNSSEC Vulnerability Follow-Up: CVE-2023-50868

There’s also an update on an older issue. The zero-day vulnerability disclosed in February, CVE-2023-50868, is a protocol-level bug affecting DNSSEC validation.

This flaw lets an attacker abuse standard DNSSEC validation behaviour to exhaust a resolver’s resources, causing a denial of service for legitimate users. Diksha Ojha from Qualys explained that this vulnerability “exists in DNSSEC validation and could let an attacker use excessive resources on a resolver.”

This issue has already been fixed in various DNS implementations like BIND, PowerDNS, and Unbound. However, the timing of Microsoft’s patch has raised questions.

“The advisory today doesn’t explain why this vulnerability wasn’t patched sooner,” said Adam Barnett, lead software engineer at Rapid7. He speculated that Microsoft might have delayed the fix to avoid being the only major server OS vendor without a patch.


Notable Vulnerabilities: CVE-2024-30101 and CVE-2024-30104

Barnett also mentioned two other important vulnerabilities involving “RCE-via-malicious-file.”

– CVE-2024-30101: This flaw affects Outlook. Even though the Preview Pane can be a vector, users must perform specific actions to trigger the vulnerability, and the attacker needs to win a race condition.
– CVE-2024-30104: Unlike the previous one, this vulnerability doesn’t involve the Preview Pane. It simply relies on the user opening a malicious file, leading to a slightly higher CVSS base score of 7.8.


Conclusion

Even though June’s Patch Tuesday might seem less intense with fewer critical updates, addressing these vulnerabilities promptly is crucial. Administrators should prioritise the critical MSMQ RCE flaw and stay alert to the other noteworthy issues to maintain strong security. For more insights and updates on Patch Tuesday, follow the latest news and keep your systems patched.