Patch Tuesday Comment: Tenable
Posted: Wednesday, Jun 12

Microsoft addressed 49 CVEs in its June 2024 Patch Tuesday release with one rated as critical and no zero-day or publicly disclosed vulnerabilities. Tenable’s counts omitted two CVEs that were not issued by Microsoft, which include CVE-2023-50868 (issued by MITRE) and CVE-2024-29187 (issued by GitHub).

Please find below commentary from Satnam Narang, sr. staff research engineer at Tenable and further analysis in this blog.

“Microsoft patched 49 CVEs in its June 2024 Patch Tuesday release, another sub-60 CVE release for the second month in a row. This month, Microsoft did not patch any zero-day vulnerabilities exploited in the wild. Typically, Microsoft Patch Tuesday releases skew towards being mostly remote code execution vulnerabilities.

“In 2023, remote code execution flaws accounted for over one-third (35.1%) of all CVEs patched. However, this Patch Tuesday release was dominated by elevation of privilege flaws, accounting for nearly half of the CVEs patched (49%) this month. Microsoft patched CVE-2024-30089, an elevation of privilege flaw in the Microsoft Streaming Service. Like many of the elevation of privilege flaws patched as part of Patch Tuesday, Microsoft labelled this one as “Exploitation More Likely.”

“These types of flaws are notoriously useful for cybercriminals seeking to elevate privileges on a compromised system. When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat actors or as part of targeted attacks. This vulnerability was disclosed to Microsoft by the same security researcher that disclosed CVE-2023-36802, another Microsoft Streaming Service elevation of privilege flaw, which was patched in the September 2023 Patch Tuesday. Curiously, that flaw was disclosed by the researcher, but it was Microsoft themselves that noted it as being exploited in the wild. Another Microsoft Streaming Service flaw was patched this month (CVE-2024-30090), but unlike CVE-2024-30089, this one is labeled as “Exploitation Less Likely”.” – Satnam Narang, sr. staff research engineer, Tenable.

 
