Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.
Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.
None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.
This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.
It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).
“NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,” Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. “By proving that a document would not exist (with proof of the bordering documents), you can help to prevent against DNS Cache poisoning against non-existent domains.”
“Since this is a protocol-level vulnerability, products other than Microsoft are affected, with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.”
The most severe of the flaws fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,” Microsoft said. “This could result in remote code execution on the server side.”
Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and several privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others.
Cybersecurity firm Morphisec, which discovered CVE-2024-30103, said the flaw could be used to trigger code execution without requiring users to click or interact with the email content.
“This lack of required user interaction, combined with the simple nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access,” security researcher Michael Gorelik said.
“Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including:
- Adobe
- Amazon Web Services
- AMD
- Apple visionOS
- Arm
- ASUS
- Atlassian
- AutomationDirect
- Bosch
- Broadcom (including VMware)
- Cisco
- Citrix
- Cox
- D-Link
- Dell
- Drupal
- F5
- Fortinet
- Fortra Tripwire Enterprise
- GitLab
- Google Android
- Google Chrome
- Google Cloud
- Google Wear OS
- Hitachi Energy
- HP
- HP Enterprise
- HP Enterprise Aruba Networks
- IBM
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Mozilla Firefox and Firefox ESR
- NETGEAR
- NVIDIA
- PHP
- Progress Software
- QNAP
- Qualcomm
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- Sophos
- Synology
- TP-Link
- Trend Micro
- Veeam
- Veritas
- Zoho ManageEngine ServiceDesk Plus
- Zoom, and
- Zyxel
Some parts of this article are sourced from:
thehackernews.com