Microsoft's June Patch Tuesday release tackles 49 bugs, one of which is a critical remote-code execution flaw impacting versions of nearly a dozen instances of Windows from Windows 11 to Windows Server 2008.
Tracked as CVE-2024-30080, the lone June critical flaw has a CVSS severity rating of 8.5 out of 10. According to Microsoft, the bug has a low complexity, can be abused remotely by an unauthenticated attacker and requires no user interaction to execute. The bug is is tied to a flaw in the Microsoft Message Queuing (MSMQ) component of Windows, and opens vulnerable systems up to remote malware installation.
Technical details of the flaw, classified as a use-after-free vulnerability, are not being released at this time and there are no reports of the bug being abused in the wild. A use-after-free bug exists when an adversary can abuse a system's unprotected dynamic memory during program operations.
Critical but "Limited" impact
Dustin Childs, security experts at Trend Micro's Zero Day Initiative, said the real-world risk of the flaw is limited as MSMQ is something that needs to be manually enabled and exposed to the open internet.
“This is similar to the ‘QueueJumper’ vulnerability from last year, but it’s not clear how many affected systems are exposed to the internet,” Childs said. “While it is likely a low number, now would be a good time to audit your networks to ensure TCP port 1801 is not reachable.”
In short, this is a serious security hole but it is likely your system is not vulnerable at the moment. This does not mean that you should put off updating, however.
Microsoft tackles dozens more bugs
Meanwhile, there are a number of less-than critical vulnerabilities patched by Microsoft that are serious enough to patch immediately, according to Childs.
Some of those vulnerabilities impact instances of Outlook (CVE-2024-30103) and Dynamics 365 (CVE-2024-35249) and allow for remote code execution. According to Microsoft's details of the bugs, multiple holes in the Windows Kernel permit elevation of privilege attacks where an installed program could be used to take control of a system at the ADMIN level.
Microsoft does not classify these issues as ‘critical’ vulnerabilities because the require user interaction in order for an exploit to take place. In practice, however, that interaction is rather trivial; often something as mundane as opening an email attachment or downloading what you think is a driver update.
In summary, users should update Windows ASAP and administrators should test and deploy updates as a priority. Not to be outdone by Microsoft, Adobe issued its own monthly patch update. The multimedia icon patched 163 different CVE-listed vulnerabilities, though 143 of those were due to a pack of cross-site-scripting vulnerabilities in Experience Manager. Users and admins should also update their Adobe software, though at a
Microsoft advises users to update Windows ASAP and urges administrators to test and deploy updates as a priority.
Adobe's June Patch Tuesday
Not to be outdone by Microsoft, Adobe issued its own monthly patch update. The multimedia icon patched 163 different CVE-listed vulnerabilities, though 143 of those were due to a pack of cross-site-scripting vulnerabilities in Experience Manager. Users and admins should also update their Adobe software, though at a slightly lower priority.
