Microsoft Patches One Critical and One Zero-Day Vulnerability

System administrators have had a relatively quiet June Patch Tuesday after Microsoft revealed updates for just 51 vulnerabilities, only one of which was rated “critical.”

That bug (CVE-2024-30080) is a remote code execution (RCE) flaw in Microsoft Message Queuing (MSMQ) and has been assigned a CVSS score of 9.8, with exploitation rated as “more likely” by Microsoft.

“Microsoft has recommended disabling the service until a time at which you can install the update,” said Fortra associate director of security R&D, Tyler Reguly.

“A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for ‘msmq.’ Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future.”

Read more on Patch Tuesday: Microsoft Fixes Three Zero-Days in May Patch Tuesday

The zero-day vulnerability, which was made public in February, is a protocol-level bug impacting DNSSEC validation.

“The vulnerability exists in DNSSEC validation that may allow an attacker to exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users,” explained Qualys technical content developer Diksha Ojha.

It has already been patched in various DNS implementations including BIND, PowerDNS and Unbound.

“The CVE-2023-50868 advisory published today does not provide further insight as to why this vulnerability wasn’t patched sooner,” said Rapid7 lead software engineer, Adam Barnett.

“It’s possible that Microsoft does not wish to be the only major server OS vendor without a patch.”

Barnett also pointed to two “RCE-via-malicious-file” vulnerabilities which are worthy of note.

“CVE-2024-30101 is a vulnerability in Outlook. Although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” he explained.

“On the other hand, CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button