Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024.
Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month.
None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release.
This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver.
It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap (CVE-2023-50387, CVSS score: 7.5).
„NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence,“ Tyler Reguly, associate director of Security R&D at Fortra, said in a statement. „By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains.“
„Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.“
The most severe of the flaws fixed in this month’s update is a critical remote code execution (RCE) flaw in the Microsoft Message Queuing (MSMQ) service (CVE-2024-30080, CVSS score: 9.8).
„To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server,“ Microsoft said. „This could result in remote code execution on the server side.“
Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center
Link: https://thehackernews.com/2024/06/microsoft-issues-patches-for-51-flaws.html
Link: https://krebsonsecurity.com/2024/06/patch-tuesday-june-2024-recall-edition/
Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-late-dangerous-dnssec-zero-day-flaw
Link: https://www.securityweek.com/patch-tuesday-remote-code-execution-flaw-in-microsoft-message-queuing/
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202024/31000
Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day
Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day.
The high-severity vulnerability, tagged as CVE-2024-32896, has been described as an elevation of privilege issue in Pixel Firmware.
The company did not share any additional details related to the nature of attacks exploiting it, but noted „there are indications that CVE-2024-32896 may be under limited, targeted exploitation.“
The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets.
Source: The hacker news / Bleeping computer / Securityweek / Android Source
Link: https://thehackernews.com/2024/06/google-warns-of-pixel-firmware-security.html
Link: https://source.android.com/docs/security/bulletin/pixel/2024-06-01
Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers
Arm is warning of a security vulnerability impacting Mali GPU Kernel Driver that it said has been actively exploited in the wild.
Tracked as CVE-2024-4610, the use-after-free issue impacts the following products –
- Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0)
- Valhall GPU Kernel Driver (all versions from r34p0 to r40p0)
„A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,“ the company said in an advisory last week.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2024/06/arm-warns-of-actively-exploited-zero.html
Link: https://www.securityweek.com/arm-warns-of-exploited-kernel-driver-vulnerability/
Adobe Ships Hefty Batch of Security Patches
Software maker Adobe on Tuesday rolled out patches to fix at least 166 vulnerabilities in a wide range of products and issued warnings about the risk of code execution attacks on Windows and macOS platforms.
As part of its scheduled Patch Tuesday updates, the company documented serious security problems in enterprise-facing products, including a hefty patch dump that fixes 144 distinct issues in the Adobe Experience Manager.
“Successful exploitation of these vulnerabilities could result in arbitrary code execution, arbitrary file system read and security feature bypass,” Adobe warned, noting that they affect all platforms.
The company also flagged a major Adobe Commerce, Magento Open Source and Adobe Commerce Webhooks Plugin update that fixes at least 10 critical and important vulnerabilities. “Successful exploitation could lead to arbitrary code execution, security feature bypass and privilege escalation,” Adobe said.
Source: Securityweek / Adobe security bulletin
Link: https://www.securityweek.com/adobe-plugs-code-execution-holes-in-after-effects-illustrator/
Link: https://helpx.adobe.com/security/products/magento/apsb24-40.html
SAP Patches High-Severity Vulnerabilities in Financial Consolidation, NetWeaver
Enterprise software maker SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2024 Security Patch Day.
SAP’s new set of patches includes two high-priority security notes, the most severe of which addresses a cross-site scripting (XSS) bug in Financial Consolidation.
According to application security firm Onapsis, the security note addresses two XSS flaws in SAP’s product, collectively tracked as CVE-2024-37177 (CVSS score of 8.1).
“The more critical one allows data to enter a web application through an untrusted source and manipulating web site content. This causes a high impact on the confidentiality and integrity of the application,” Onapsis explains.
The second high-priority note resolves a denial-of-service (DoS) vulnerability in SAP NetWeaver AS Java, tracked as CVE-2024-34688 (CVSS score of 7.5).
Impacting the NetWeaver AS Java’s Meta Model Repository services, the issue exists because access to these services was not restricted, allowing attackers to cause DoS conditions on the application and prevent legitimate users from using it, Onapsis says.
Source: Securityweek