Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs (2024)

Today is Microsoft's June 2024 Patch Tuesday, which includes security updates for 51 flaws, eighteen remote code execution flaws,and one publicly disclosed zero-day vulnerability.

This Patch Tuesday fixed 18 RCE flaws but only one critical vulnerability, a remote code execution vulnerability in Microsoft Message Queuing (MSMQ).

The number of bugs in each vulnerability category is listed below:

• 25 Elevation of Privilege Vulnerabilities
• 18 Remote Code Execution Vulnerabilities
• 3 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities

The total count of 51 flaws does not include 7Microsoft Edge flaws fixed on June3rd.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5039212 update and the Windows 10 KB5039211 update.

One publicly disclosed zero-day

This month's Patch Tuesday fixes one publicly disclosed zero-day, with no actively exploited flaw fixed today.

Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official fixavailable.

The publicly disclosed zero-day vulnerability is thepreviously disclosed 'Keytrap' attack in the DNS protocolthat Microsoft has now fixed as part of today's updates.

CVE-2023-50868 - MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU

"CVE-2023-50868is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf," reads the Microsoft advisory.

This flaw was previously disclosed in February and patched in numerous DNS implementations, including BIND, PowerDNS, Unbound, Knot Resolver, and Dnsmasq.

Other interesting vulnerabilities fixed this month include multiple Microsoft Office remote code execution flaws, including Microsoft Outlook RCEs that can be exploited from the preview pane.

Microsoft also fixed seven Windows Kernel privilege elevationflaws that could allow a local attacker to gain SYSTEM privileges.

Recent updates from other companies

Other vendors who released updates or advisories in June 2024 include:

• Apple fixed 21 security flaws in thevisionOS 1.2release.
• ARM fixes an actively exploited bug inMali GPU kernel drivers.
• Ciscoreleased security updatesfor its Cisco Finesse and Webex.
• Cox fixed an API auth bypass bugthat impacted million of modems.
• F5releasessecurity updatesfor two high-severityBIG-IP Next Central Manager API flaws.
• PHPfixed a critical RCE flaw that is now actively exploited in ransomware attacks.
• TikTok fixes an exploitedzero-day, zero-click flaw in their direct messages feature.
• VMwarefixes three zero-day bugsexploited at Pwn2Own 2024.
• Zyxel releases an emergency RCE patch for end-of-life NAS devices

Unfortunately, we will no longer be linking to SAP's Patch Tuesday security updates as they have placed them behind a customer login.

The June 2024Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the June 2024 Patch Tuesday updates.

Toaccess the full description of each vulnerability and the systemsit affects, you can view thefull report here.