Critical but "Limited" impact
Dustin Childs, security expert at Trend Micro’s Zero Day Initiative, emphasized that the real-world risk of the flaw is limited since MSMQ needs to be manually enabled and exposed to the open internet. “This is similar to the ‘QueueJumper’ vulnerability from last year, but it’s not clear how many affected systems are exposed to the internet,” Childs noted. “While it is likely a low number, now would be a good time to audit your networks to ensure TCP port 1801 is not reachable.”
In essence, while this is a serious security hole, it is unlikely that your system is currently vulnerable. However, this does not mean you should delay updating your systems.
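The audit Childs recommends can be scripted. The sketch below is an added example, not code from the article or from Microsoft: it checks, from whatever vantage point it is run on (ideally outside the perimeter), whether TCP port 1801 answers on hosts you administer. The inventory addresses are constructed placeholders, and the function names are assumptions of this example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

MSMQ_PORT = 1801  # TCP port named in the quote above


def check_port(host, port=MSMQ_PORT, timeout=2.0):
    """Classify one host: 'reachable', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # unresolvable name, no route to host, etc.
        return "error: " + exc.__class__.__name__


def audit(hosts, port=MSMQ_PORT, timeout=2.0, workers=16):
    """Check every host in the inventory concurrently; return {host: status}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = pool.map(lambda h: check_port(h, port, timeout), hosts)
        return dict(zip(hosts, statuses))


def exposed(results):
    """Hosts that completed a TCP handshake on the audited port."""
    return sorted(h for h, s in results.items() if s == "reachable")


if __name__ == "__main__":
    # Constructed placeholder inventory (documentation address range);
    # replace with the hosts you are responsible for.
    inventory = ["192.0.2.10", "192.0.2.11"]
    results = audit(inventory)
    for host, status in results.items():
        print(f"{host}:{MSMQ_PORT} {status}")
    if exposed(results):
        print("Review MSMQ and firewall rules on:", ", ".join(exposed(results)))
```

A "filtered" result from outside the perimeter only shows that a firewall is dropping the traffic; whether MSMQ is enabled on the host still has to be checked on the host itself.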
Microsoft tackles dozens more bugs
Meanwhile, Microsoft has patched a number of less-than-critical vulnerabilities that are still serious enough to warrant immediate attention. According to Childs, some of these vulnerabilities affect instances of Outlook (CVE-2024-30103) and Dynamics 365 (CVE-2024-35249), allowing for remote code execution. Microsoft's details reveal that multiple holes in the Windows Kernel permit elevation-of-privilege attacks, where an installed program could be used to take control of a system at the administrator level.
Microsoft does not classify these issues as ‘critical’ vulnerabilities because they require user interaction for an exploit to occur. In practice, however, that interaction is rather trivial: often something as mundane as opening an email attachment or downloading what appears to be a driver update.
In summary, users should update Windows as soon as possible, and administrators should prioritize testing and deploying these updates.
Adobe's June Patch Tuesday
Not to be outdone by Microsoft, Adobe issued its own monthly patch update. The multimedia giant patched 163 different CVE-listed vulnerabilities, though 143 of those were due to a pack of cross-site scripting vulnerabilities in Experience Manager. Users and admins should also update their Adobe software, albeit at a slightly lower priority.
With both Microsoft and Adobe addressing numerous software vulnerabilities this month, it serves as a timely reminder for businesses to stay vigilant and proactive in their cybersecurity efforts.