Let's kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows
Patch Tuesday Microsoft kicked off our summer season with a relatively light June Patch Tuesday, releasing updates for 49 CVE-tagged security flaws in its products – including one bug deemed critical, a fairly terrifying one in wireless networking, and one listed as publicly disclosed.
The one that's listed as publicly known, and not yet publicly exploited, is CVE-2023-50868 in Windows Server as well as non-Microsoft software. It's a vulnerability in DNSSEC implementations that we've known about since February; El Reg readers may remember this bug, dubbed NSEC3-encloser, which can be exploited by a remote attacker to potentially exhaust CPU resources on a vulnerable system, causing it to stop working as intended.
"CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users," Redmond declared on Tuesday.
Meanwhile, the one critical flaw announced – CVE-2024-30080 – is a remote code execution (RCE) issue in Microsoft Message Queuing (MSMQ) and is serious enough that it received a 9.8 out of 10 CVSS severity rating. Redmond describes this one as "exploitation more likely."
/cdn.vox-cdn.com/uploads/chorus_asset/file/23951575/VRG_Illo_STK192_L_Normand_LinaKhan_Neutral.jpg)
