[German]On June 11, 2024, Microsoft released security updates for Windows clients and servers, Office and other products. The security updates fix 51 vulnerabilities (CVEs), including one critical vulnerability. Below is a compact overview of these updates that were released on Patchday.
Notes on the updates
A list of the updates can be found on this Microsoft site. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to the patchday. In addition to the security patches for the vulnerabilities, the updates also contain fixes to fix bugs or new features.
Microsoft Windows 10 21H2 has now reached the End Of Life.
Windows Server 2012 R2
Windows Server 2012 /R2 will receive regular security updates until October 2023. After this date, an ESU license will be required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution vulnerability, CVEv3 Score 9.8, critical; An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted packet to a vulnerable target. Microsoft classifies this vulnerability as "Exploitation More Likely". To make a system vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service called "Message Queueing" is executed on TCP port 1801.
- CVE-2024-30082, CVE-2024-30087, CVE-2024-30091: Win32k Elevation of Privilege vulnerability, CVEv3 Score 7.8, important; It is a vulnerability in Microsoft's Win32k, a core kernel-side driver used in Windows, that allows privilege elevation.
- CVE-2024-30064, CVE-2024-30068, CVE-2024-30088, CVE-2024-30099: EoP vulnerabilities, that affect the Windows kernel. These vulnerabilities are all rated as important. Two of the four vulnerabilities were given a CVSSv3 score of 7.0, while CVE-2024-30064 and CVE-2024-30068 were given a CVSSv3 score of 8.8. Despite the higher CVSS scores, CVE-2024-30064 and CVE-2024-30068 were both rated as "less likely to be exploitable", while the other two vulnerabilities were rated as "more likely to be exploitable". Successful exploitation of these vulnerabilities could lead to an attacker gaining elevated privileges. Microsoft's advisories for CVE-2024-30068, CVE-2024-30088 and CVE-2024-30099 mention that an attacker could gain SYSTEM privileges.
- CVE-2024-30085: A EoP vulnerability in Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It was given a CVSSv3 score of 7.8 and classified as important. In addition, Microsoft classifies this vulnerability as "exploit likely". An attacker could exploit this vulnerability as part of post-compromise activities to elevate privileges on SYSTEM.
- CVE-2024-30089: Microsoft Streaming Service Elevation of Privilege vulnerability, CVEv3 Score 7.8, important; This is a vulnerability in the Microsoft Streaming Service. An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges on SYSTEM.
A list of all covered CVEs can be found on this Microsoft page, excerpts are available at Tenable. Below is the list of patched products:
- Azure Data Science Virtual Machines
- Azure File Sync
- Azure Monitor
- Azure SDK
- Azure Storage Library
- Dynamics Business Central
- Microsoft Dynamics
- Microsoft Office
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Streaming Service
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Speech
- Visual Studio
- Windows Cloud Files Mini Filter Driver
- Windows Container Manager Service
- Windows Cryptographic Services
- Windows DHCP Server
- Windows Distributed File System (DFS)
- Windows Event Logging Service
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows Link Layer Topology Discovery Protocol
- Windows NT OS Kernel
- Windows Perception Service
- Windows Remote Access Connection Manager
- Windows Routing and Remote Access Service (RRAS)
- Windows Server Service
- Windows Standards-Based Storage Management Service
- Windows Storage
- Windows Themes
- Windows Wi-Fi Driver
- Windows Win32 Kernel Subsystem
- Windows Win32K GRFX
- Winlogon
Problem with Microsoft OLE DB Driver for SQL Server 19.2.0.0
German blog reader Christoph W. has contacted me via email and reported that on one of his Windows Server 2019 (German) installation of the following update:
- Security update for Microsoft OLE DB Driver 19 for SQL Server (KB5037573)
has failed – it has only been tested on this server so far. The update installation ends with the error code 0x80070643. The following driver was previously installed on the machine:
- Microsoft OLE DB Driver for SQL Server 19.2.0.0
The manual installation of version 19.3.3.0 via this link helped. The x64 version is available here – thanks to Christoph for the hint.
Similar articles:
Office Updates (June 4, 2024)
Microsoft Security Update Summary (June 11, 2024)
Patchday: Windows 10/Server-Updates (June 11, 2024)
Patchday: Windows 11/Server 2022-Updates (June 11, 2024)
Windows Server 2012 / R2 und Windows 7 (June 11, 2024)
Microsoft Office Updates (June 11, 2024)
On a Windows 11 23H2 Build 22631.3737, the installation (KB5037573) also fails with the error message Installation failure – 0x80070643.
The manual installation also helped.
Can confirm. Just happened here on a Win10 22H2 VM.
Manual installation was successful.