Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs

Today is Microsoft's June 2024 Patch Tuesday, which includes security updates for 51 flaws, eighteen remote code execution flaws, and one publicly disclosed zero-day vulnerability.

This Patch Tuesday fixed 18 RCE flaws but only one critical vulnerability, a remote code execution vulnerability in Microsoft Message Queuing (MSMQ).

The number of bugs in each vulnerability category is listed below:

• 25 Elevation of Privilege Vulnerabilities
• 18 Remote Code Execution Vulnerabilities
• 3 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities

The total count of 51 flaws does not include 7 Microsoft Edge flaws fixed on June 3rd.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5039212 update and the Windows 10 KB5039211 update.

One publicly disclosed zero-day

This month's Patch Tuesday fixes one publicly disclosed zero-day, with no actively exploited flaw fixed today.

Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official fix available.

The publicly disclosed zero-day vulnerability is the previously disclosed 'Keytrap' attack in the DNS protocol that Microsoft has now fixed as part of today's updates.

CVE-2023-50868 - MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU

"CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf," reads the Microsoft advisory.

This flaw was previously disclosed in February and patched in numerous DNS implementations, including BIND, PowerDNS, Unbound, Knot Resolver, and Dnsmasq.

Other interesting vulnerabilities fixed this month include multiple Microsoft Office remote code execution flaws, including Microsoft Outlook RCEs that can be exploited from the preview pane.

Microsoft also fixed seven Windows Kernel privilege elevation flaws that could allow a local attacker to gain SYSTEM privileges.

Recent updates from other companies

Other vendors who released updates or advisories in June 2024 include:

• Apple fixed 21 security flaws in the visionOS 1.2 release.
• ARM fixes an actively exploited bug in Mali GPU kernel drivers.
• Cisco released security updates for its Cisco Finesse and Webex.
• Cox fixed an API auth bypass bug that impacted million of modems.
• F5 releases security updates for two high-severity BIG-IP Next Central Manager API flaws.
• PHP fixed a critical RCE flaw that is now actively exploited in ransomware attacks.
• TikTok fixes an exploited zero-day, zero-click flaw in their direct messages feature.
• VMware fixes three zero-day bugs exploited at Pwn2Own 2024.
• Zyxel releases an emergency RCE patch for end-of-life NAS devices

Unfortunately, we will no longer be linking to SAP's Patch Tuesday security updates as they have placed them behind a customer login.

The June 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the June 2024 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.