June Patch Tuesday squares up with 49 patches

June’s Patch Tuesday set eases Windows admins gently into summer, as Microsoft on Tuesday released 49 patches touching 7 product families. Windows as usual takes the lion’s share of patches with 34. The rest relate to Azure, 365 Apps for Enterprise, Dynamics 365, Office, Visual Studio, and SharePoint.

At patch time, none of the issues addressed are known to be under exploit in the wild. That said, eleven vulnerabilities in Windows are by the company’s estimation more likely to be exploited in the next 30 days; one of those is the month’s sole critical-severity issue, which we’ll discuss at some length below. Six of this month’s issues are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, the release includes advisory information on seven patches related to the Edge browser, one related to GitHub, one fascinating item from MITRE that affects not just Windows but much of the internet, and two from Adobe. We don’t include advisories in the CVE counts and graphics below, but we provide information on all of them in an appendix at the end of the article, and we will dig into the MITRE advisory below. We are as usual including at the end of this post three other appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the numbers

• Total Microsoft CVEs: 49
• Total Edge / Chrome advisory issues covered in update: 7
• Total non-Edge Microsoft advisory issues covered in update: 2
• Total Adobe issues covered in update: 2
• Publicly disclosed: 0*
• Exploited: 0
• Severity
  • Critical: 1
  • Important: 48
• Impact:
  • Elevation of Privilege: 24
  • Remote Code Execution: 18
  • Denial of Service: 4
  • Information Disclosure: 3

* One advisory-only CVE is publicly disclosed; see below

Figure 1: Just four categories of vulnerability are represented in June’s Patch Tuesday batch

Products

• Windows: 34
• Azure: 5
• 365 Apps for Enterprise: 4 (including one shared with Office)
• Dynamics 365: 3
• Office: 3 (shared with 365 Apps for Enterprise)
• Visual Studio: 2
• SharePoint: 1

Figure 2: Windows accounts for two-thirds of June’s patches, as well as the sole Critical-level issue

Notable June updates

In addition to the issues discussed above, a few specific items merit attention.

CVE-2024-30080 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Microsoft has marked 11 CVEs this month as more likely to be exploited within 30 days of Patch Tuesday; this critical-severity RCE – the month’s only critical-class issue — should be considered top of the class. It affects both clients and servers that have enabled the Windows message-queuing service. With that switched on and listening (default port is 1801), an attacker could send a maliciously crafted MSMQ packet to the server and gain RCE. (Yes, Sophos has a detection for this; please see the table immediately below Figure 3.)

CVE-2023-50868 – MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU

This is an advisory-only CVE, issued by MITRE and of concern to the industry at large, not only Microsoft. It covers a publicly disclosed issue with DNSSEC and how it proves the non-existence of a specified zone. (Unfamiliar with the details of DNSSEC, or perplexed as to how an NSEC record can prove a negative? The DNS Institute has a delightfully readable story that explains it.) The bug in question is an important-severity denial-of-service issue; it’s not thought to be under exploit in the wild, but it’s DNS and therefore worth your time.

CVE-2024-37325 – Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability

There is only one vulnerability this month that Microsoft considers critical in severity (CVE-2024-30800, above), but for those who go by CVSS scores, this Azure EoP merits a look – but only if you’re running a version of Linux/Ubuntu Data Science Virtual Machines (DSVM) prior to 24.05.24. If that’s your situation, this 9.8 CVSS bug requires neither privileges nor user interaction; all the attacker need do is send a specially crafted request to the target machine to gain access to authorized users’ credentials. Affected users should read up on the details and get moving.

Figure 3: As we round the curve on calendar year 2024, Information Disclosure vulns pull slightly ahead of Security Feature Bypass issues, but RCE continues to lead the pack

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of June patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (24 CVEs)

Remote Code Execution (18 CVEs)

Denial of Service (4 CVEs)

Information Disclosure (3 CVEs)

Appendix B: Exploitability

This is a list of the June CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE. This month does not address any vulnerabilities already under exploit.

Appendix C: Products Affected

This is a list of June’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (34 CVEs)

Azure (5 CVEs)

365 Apps for Enterprise (4 CVEs)

Dynamics 365 (3 CVEs)

Office (3 CVE)

Visual Studio (2 CVE)

SharePoint (1 CVE)

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the June Microsoft release, sorted by product.

Relevant to Edge / Chromium (7 CVEs)

Relevant to GitHub (1 CVE)

Relevant to Visual Studio (non-Microsoft CVE issuer) (1 CVE)

Relevant to Adobe (non-Microsoft release) (2 CVEs)