tomshardware[.]com/software/windows/windows-security-hole-allows-attackers-to-install-malware-via-wi-fi-new-patch-plugs-gaping-vulnerability
bleepingcomputer[.]com/news/microsoft/microsoft-june-2024-patch-tuesday-fixes-51-flaws-18-rces/
bleepingcomputer[.]com/news/microsoft/windows-10-kb5039211-update-released-with-new-feature-12-fixes/
bleepingcomputer[.]com/news/microsoft/windows-11-kb5039212-update-released-with-37-changes-fixes/
It's too soon for problems to gain enough attention that sites write about them, and I've not made it through updating all of our devices either, so problems there could surface, but I wanted to post about this included fix -- Microsoft doesn't rate it critical, but now that details have been published, it's a Very safe bet that it's being used in exploits as I type this.
An attacker need only be within Wi-Fi range of the computer to send a specially crafted network packet to the target PC and exploit the vulnerability.The Wi-Fi attack bypasses all authentication protocols, does not require prior access rights, and requires no user interaction at all. Because of this, in theory, an attacker could slip malware to Windows users logging into public Wi-Fi networks completely undetected. Such hotspots are common at hotels, airports, and in cafes.
Microsoft considers exploitation of the vulnerability “less likely,” but these announcements often bring bad actors out of the woodwork. The ease with which someone could take advantage of the exploit is also troublesome. The weakness, categorized as an Improper Input Validation security vulnerability, exists on all common versions of Windows.
--------
Today is Microsoft's June 2024 Patch Tuesday, which includes security updates for 51 flaws, eighteen remote code execution flaws, and one publicly disclosed zero-day vulnerability.This Patch Tuesday fixed 18 RCE flaws but only one critical vulnerability, a remote code execution vulnerability in Microsoft Message Queuing (MSMQ).
The number of bugs in each vulnerability category is listed below:
25 Elevation of Privilege Vulnerabilities
18 Remote Code Execution Vulnerabilities
3 Information Disclosure Vulnerabilities
5 Denial of Service VulnerabilitiesThe total count of 51 flaws does not include 7 Microsoft Edge flaws fixed on June 3rd...
This month's Patch Tuesday fixes one publicly disclosed zero-day, with no actively exploited flaw fixed today.
Microsoft classifies a zero-day as a flaw publicly disclosed or actively exploited with no official fix available.
The publicly disclosed zero-day vulnerability is the previously disclosed 'Keytrap' attack in the DNS protocol that Microsoft has now fixed as part of today's updates.
"CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf," reads the Microsoft advisory.
This flaw was previously disclosed in February and patched in numerous DNS implementations, including BIND, PowerDNS, Unbound, Knot Resolver, and Dnsmasq.
Other interesting vulnerabilities fixed this month include multiple Microsoft Office remote code execution flaws, including Microsoft Outlook RCEs that can be exploited from the preview pane.
Microsoft also fixed seven Windows Kernel privilege elevation flaws that could allow a local attacker to gain SYSTEM privileges.