Microsoft delivers 51 fixes for June Patch Tuesday
A critical remote-code execution flaw in Windows and a DoS vulnerability affecting DNS in Windows Server top the list of patching priorities for admins.
Microsoft resolved 51 vulnerabilities for a relatively low-key June Patch Tuesday without any zero-days for admins to fear.
There was just one critical bug and one publicly disclosed vulnerability -- both in the Windows operating system -- that should top the patching priority list for IT operations teams. Microsoft did not republish any older CVEs this month.
Microsoft corrects critical Windows remote-code execution vulnerability
The only critical CVE for June Patch Tuesday is a Microsoft Message Queuing (MSMQ) remote-code execution vulnerability (CVE-2024-30080). It has a CVSS rating of 9.8 -- the highest of all CVEs this month -- and an assessment of "Exploitation More Likely."
MSMQ is an asynchronous messaging feature in Windows used to deliver and read messages from queues. For organizations that cannot patch quickly, Microsoft suggests a mitigation that switches off listening on TCP port 1801 and disables the Message Queuing service.
"That would reduce the exposure to machines that don't even need message queuing. For machines that do, turning it off will probably break something, so admins need to test and roll it out as quickly as they can," said Chris Goettl, vice president of security product management at Ivanti.
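The following PowerShell is an added example, not from the article or from Microsoft: it audits a host for the exposure described above (Message Queuing service present, TCP 1801 listening) and, on request, applies the interim mitigation. Blocking the port with a Windows Firewall rule is this script's own way of "switching off listening"; the rule name is an assumption used only here.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated session.
# Hosts that rely on MSMQ will lose that functionality, so test before rolling out.

function Get-MsmqExposure {
    # MSMQ is an optional feature; no service means nothing to mitigate.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    # Is anything listening on the MSMQ TCP port right now?
    $listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    # Our own inbound block rule (display name is an assumption of this script).
    $rule = Get-NetFirewallRule -DisplayName 'Block MSMQ TCP 1801 (interim)' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MsmqInstalled  = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartupType    = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        Port1801Listen = [bool]$listen
        BlockRuleSet   = [bool]$rule
        # Exposed when the service exists, is listening or can start at boot,
        # and no block rule protects the port.
        Exposed        = [bool]$svc -and ([bool]$listen -or $svc.StartType -ne 'Disabled') -and -not $rule
    }
}

function Set-MsmqInterimMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-MsmqExposure
    if (-not $state.MsmqInstalled) { Write-Verbose 'MSMQ not installed; nothing to do.'; return $state }

    if ($PSCmdlet.ShouldProcess('MSMQ service', 'Stop and disable')) {
        Stop-Service -Name MSMQ -Force
        Set-Service  -Name MSMQ -StartupType Disabled
    }
    if (-not $state.BlockRuleSet -and $PSCmdlet.ShouldProcess('TCP 1801', 'Add inbound block rule')) {
        New-NetFirewallRule -DisplayName 'Block MSMQ TCP 1801 (interim)' -Direction Inbound `
            -Protocol TCP -LocalPort 1801 -Action Block -Profile Any | Out-Null
    }
    Get-MsmqExposure   # re-audit and return the post-change state
}

# Usage:
Get-MsmqExposure | Format-List
# Set-MsmqInterimMitigation -WhatIf    # preview the changes
# Set-MsmqInterimMitigation -Verbose   # apply them
```

Remove the block rule and re-enable the service once the June update is installed and verified; the audit function can be run fleet-wide with Invoke-Command to find the machines that still need it.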
Microsoft addresses flaw affecting DNS in Windows Server
Microsoft resolved CVE-2023-50868, a DoS vulnerability rated important for Windows Server. This bug was publicly disclosed and has a CVSS rating of 7.5.
The vulnerability lets attackers flood a DNS server with many requests to overwhelm the server's CPU and disrupt its DNS resolution process. If the DoS attack succeeds, then users will be unable to access websites and online services.
Mitre, a not-for-profit research and development firm, created the record for this vulnerability on Dec. 14, 2023, but publication did not occur until February 2024. Goettl said most vendors who sell network appliances, such as load balancers, and Linux, which runs on many of the world's web servers, corrected this vulnerability in their products in February and March. But it's unclear why it took longer for Microsoft to release a fix.
"This won't be used for ransomware, but it could still be painful for an organization to get hit by an attack like this," Goettl said.
Microsoft patches DHCP server DoS vulnerability
Microsoft corrected a Windows Dynamic Host Configuration Protocol Server DoS flaw (CVE-2024-30070) rated important with a CVSS score of 7.5. Microsoft reported the availability of proof-of-concept code that could be used to disrupt a server set up to automatically assign IP addresses to networked devices.
The server is only vulnerable if it is configured as a DHCP server with failover enabled.
"I would expect this affects a lot of enterprises because redundancy with network and internet connectivity are important," Goettl said.
Five Microsoft Office flaws fixed
Microsoft corrected vulnerabilities in five products related to Microsoft Office:
- Microsoft Office remote-code execution vulnerability (CVE-2024-30104), rated important, CVSS rating of 7.8.
- Microsoft Office remote-code execution vulnerability (CVE-2024-30101), rated important, CVSS rating of 7.5.
- Microsoft Office remote-code execution vulnerability (CVE-2024-30102), rated important, CVSS rating of 7.3.
- Microsoft Outlook remote-code execution vulnerability (CVE-2024-30103), rated important, CVSS rating of 8.8.
- Microsoft SharePoint Server remote-code execution vulnerability (CVE-2024-30100), rated important, CVSS rating of 7.8.
With the highest CVSS rating in the group, the Microsoft Outlook vulnerability could let an attacker bypass the user's blocked senders list and create malicious DLL files to damage an organization. Microsoft noted the Outlook preview pane is an attack vector, but the threat actor needs valid Exchange user credentials to exploit the vulnerability.
GitHub elevation-of-privilege CVE affects Visual Studio
Microsoft released updated builds of its Visual Studio product to correct an elevation-of-privilege flaw (CVE-2024-29187) that originated in the WiX Toolset software used by Visual Studio.
Visual Studio customers use the open-source WiX Toolset to build Windows installation packages, such as Microsoft Installer files.
"An authorized attacker must send the user a malicious file and convince the user to open it," Microsoft wrote.
After a successful exploit, the attacker could gain system privileges and full access to the device's operating system and its services.
Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.