News
Microsoft Releases Light Security Update for June
June's monthly security update has arrived and it continues the recent trend of lighter-than-usual totals.
Microsoft's Patch Tuesday arrived with just 51 CVEs and only one bulletin rated "critical." This is the smallest patch total since January's 49-bulletin release.
This month's stand-out item is CVE-2023-50868, a zero-day security vulnerability in the standard DNSSEC protocol. While it does not directly affect a Microsoft product or service, its inclusion in the monthly release is due to the protocol's close relationship with Windows Server. Here's a breakdown of this publicly disclosed flaw.
NSEC3, an enhanced version of NSEC (Next Secure), provides authenticated denial of existence by proving that a record doesn't exist through evidence of the surrounding records. This mechanism helps prevent DNS cache poisoning against non-existent domains. While NSEC allowed for domain name enumeration, NSEC3 prevents this through the introduction of hashing. However, the hashing process at a large scale can be exploited, which could lead to a denial-of-service vulnerability.
While there have not been any attacks targeting this hole seen in the wild, it's only a matter of time, so make it the priority.
Next, IT should turn its attention to the only critical item of the month: CVE-2024-3008. This item addresses a remote code execution vulnerability in Microsoft Message Queuing (MSMQ), which "an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server" to exploit, according to Microsoft.
With Microsoft also recommending users disable MSMQ and designating it a Common Vulnerability Scoring System (CVSS) of 9.8, mass exploitation is very likely, according to Tyler Reguly, Associate Director, Security R&D at global cybersecurity software and services provider Fortra.
"A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3,500 results for 'msmq,'" commented Reguly. "Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future."
The full list of this month's bulletins can be found here.