Today marks Microsoft’s June 2024 Patch Tuesday, featuring security updates that address 51 vulnerabilities, including 18 remote code execution (RCE) flaws and one publicly disclosed zero-day vulnerability.
This Patch Tuesday resolves 18 RCE flaws, with the sole critical vulnerability being a remote code execution issue in Microsoft Message Queuing (MSMQ).
Here's the breakdown of vulnerabilities by category:
25 Elevation of Privilege Vulnerabilities
18 Remote Code Execution Vulnerabilities
3 Information Disclosure Vulnerabilities
5 Denial of Service Vulnerabilities
The total of 51 flaws does not account for 7 Microsoft Edge vulnerabilities that were fixed on June 3rd.
For more details on the non-security updates released today, check out our dedicated articles on the new Windows 11 KB5039212 update and the Windows 10 KB5039211 update.
One Publicly Disclosed Zero-Day
This month's updates address one publicly disclosed zero-day vulnerability, with no actively exploited flaws fixed today. Microsoft defines a zero-day as a flaw that has been publicly disclosed or actively exploited without an official fix.
The disclosed zero-day is related to the previously revealed 'Keytrap' attack in the DNS protocol, now fixed as part of today’s updates.
CVE-2023-50868 - MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU
"CVE-2023-50868 involves a vulnerability in DNSSEC validation, where an attacker can exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf," according to the Microsoft advisory.
This flaw was initially disclosed in February and has since been patched in various DNS implementations, including BIND, PowerDNS, Unbound, Knot Resolver, and Dnsmasq.
Other notable vulnerabilities fixed this month include several Microsoft Office remote code execution flaws, including ones in Microsoft Outlook that can be exploited from the preview pane. Additionally, seven Windows Kernel privilege elevation vulnerabilities have been patched, which could allow a local attacker to gain SYSTEM privileges.
Updates from Other Companies
Several other vendors released updates or advisories in June 2024, including:
Apple: Fixed 21 security flaws in the visionOS 1.2 release.
ARM: Addressed an actively exploited bug in Mali GPU kernel drivers.
Cisco: Released security updates for Cisco Finesse and Webex.
Cox: Fixed an API authentication bypass bug affecting millions of modems.
F5: Released updates for two high-severity BIG-IP Next Central Manager API flaws.
PHP: Fixed a critical RCE flaw currently exploited in ransomware attacks.
TikTok: Addressed an exploited zero-day, zero-click flaw in their direct messages feature.
VMware: Fixed three zero-day bugs exploited at Pwn2Own 2024.
Zyxel: Released an emergency RCE patch for end-of-life NAS devices.
Please note that SAP's Patch Tuesday security updates will no longer be linked as they are now behind a customer login.
June 2024 Patch Tuesday Security Updates
Below is the comprehensive list of resolved vulnerabilities in the June 2024 Patch Tuesday updates. For detailed descriptions of each vulnerability and the affected systems, you can view the full report here.
