June Patch Tuesday

Hosted by Chris Goettl and Todd Schell
Patch Tuesday Webinar
Wednesday, June 12, 2024

Copyright © 2024 Ivanti. All rights reserved. 2
Agenda
§ June 2024 Patch Tuesday Overview
§ In the News
§ Bulletins and Releases
§ Between Patch Tuesdays
§ Q & A

Microsoft is taking it easy on us this month. There are
51 CVEs resolved in the June Patch Tuesday update.
We have new releases of Chrome, Edge and Firefox
this Patch Tuesday so update all browsers. While
Adobe did update 167 CVEs across 10 products, they
were all listed as Priority 3 and Adobe Reader was not
in the lineup. Priorities this month are going to be the
browsers and the Windows OS.
For more details check out this month's Patch Tuesday
blog.
June Patch Tuesday 2024

In the News

In the News
§ Windows 11 24H2 is in early preview
§ https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-
preview-channel/
§ They must have had a major problem because they pulled the preview
§ Recall - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
§ Windows 10 21H2 Education and Enterprise editions reached end-of-life this Patch Tuesday
§ https://learn.microsoft.com/en-us/lifecycle/announcements/windows-10-21h2-end-of-updates-
enterprise-education
§ NVIDIA and Arm Urge Customers to Patch Bugs
§ Researchers at the University of Illinois have developed AI Agents that can Autonomously Hack Websites
and Find Zero-Day Vulnerabilities
§ TikTok confirms CNN, other high-profile accounts hijacked via zero-day vulnerability

§ CVE-2023-50868 NSEC3 Closest Encloser Proof can Exhaust CPU
§ CVSS 3.1 Scores: 7.5 / 6.5
§ Severity: Important
§ Impact: Denial of Service
§ Affected Systems: Server 2012/2012 R2, Server 2016, Server 2019, and Server 2022
§ Per Mitre – The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276
guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-
1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The
RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.
Publicly Disclosed Vulnerability

CVE-2024-32002
§ CVSS 3: 9.0
§ Flaw in specific git (a revision control system)
versions allows a maliciously configured repository
to trigger code execution during a clone operation.
§ Repositories w/ submodules can be crafted to
exploit a bug in Git whereby it can be fooled into
writing files not into the submodule's worktree but
into a `.git/` directory.
§ A user cloning the code from such a repository
would trigger a hook without any ability to inspect
the code that would execute.
Mitigation
To avoid the problem: disable symlink support for git
with "git config --global core.symlinks false" but
doing so may affect normal git operations.
Updating past affected versions is recommended.
Also, never clone untrusted repositories.
New and Notable Linux Vulnerabilities: 1
Highlighted by TuxCare

CVE-2024-0646
§ CVSS 3: 7.8
§ It was discovered that the TLS subsystem
(Transport Layer Security) in the Linux kernel did
not properly handle spliced messages.
§ This can lead to an out-of-bounds write
vulnerability. A local attacker could use this to
cause a denial of service (system crash) or
possibly execute arbitrary code.
Background
First published in 1999, TLS is a widely adopted
security protocol designed to facilitate privacy and
data security for communications over the Internet.
A primary use case of TLS is encrypting the
communication between web applications and
servers, such as web browsers loading a website.
Mitigation
Updating the kernel is highly recommended.

CVE-2024-1086
§ CVSS 3: 7.8
§ Flaw in Netfilter subsystem of the Linux kernel
that enables local privilege escalation. Can lead
to a double-free vulnerability in the code,
triggering a user-controlled crash.
§ Double free is a memory management flaw that
occurs when a program releases the same
memory block twice using the free() or delete
function.
Impact
Affects Kernel versions 3.15 to 6.8-rc1, and distros
like RHEL, Debian, Ubuntu, and derivatives.
Mitigation
Upgrade your Linux kernel as soon as possible.
We covered this flaw in April, but it’s freshly
significant again because it has been added to
CISA’s known exploited vulnerabilities (malicious
actors are looking for it in your systems).

Microsoft Patch Tuesday Updates of Interest
Azure and Development Tool Updates
§ Azure Data Science Virtual Machines for Linux
§ Azure File Sync v16, v17, and v18
§ Azure Identity Libraries (for .NET, C++, Go, Java, Javascript, Python)
§ Azure Storage Movement Client Library for .NET
§ Azure Monitor Agent
§ Microsoft Authentication Library (MSAL) (for .NET, Java, Node.js, Python)
§ Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
§ Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
§ Microsoft Visual Studio 2022 17.4 – 17.10

Windows 10
and 11 Lifecycle
Awareness
Windows 10 Enterprise and Education
Version Release Date End of Support Date
22H2 10/18/2022 10/14/2025
21H2 11/16/2021 6/11/2024
Windows 10 Home and Pro
22H2 10/18/2022 10/14/2025
Windows 11 Home and Pro
23H2 10/31/2023 11/11/2025
22H2 9/20/2022 10/8/2024
Windows 11 Enterprise and Education
23H2 10/31/2023 11/10/2026
22H2 9/20/2022 10/14/2025
21H2 10/4/2021 10/8/2024
Source: Microsoft
https://docs.microsoft.com/en-us/lifecycle/faq/windows

Server Long-term Servicing Channel Support
Server LTSC Support
Version Editions Release Date Mainstream Support Ends Extended Support Ends
Windows Server 2022 Datacenter and Standard 08/18/2021 10/13/2026 10/14/2031
Windows Server 2019
(Version 1809)
Datacenter, Essentials, and Standard 11/13/2018 01/09/2024 01/09/2029
Windows Server 2016
(Version 1607)
Datacenter, Essentials, and Standard 10/15/2016 01/11/2022 01/11/2027
https://learn.microsoft.com/en-us/windows-server/get-started/windows-server-release-info
§ Focused on server long-term stability
§ Major version releases every 2-3 years
§ 5 years mainstream and 5 years extended support
§ Server core or server with desktop experience available
Source: Microsoft

Patch Content Announcements
Announcements Posted on Community Forum Pages
§ https://forums.ivanti.com/s/group/CollaborationGroup/00Ba0000009oKICEA2
§ Subscribe to receive email for the desired product(s)
Content Info: Endpoint Security
Content Info: Endpoint Manager
Content Info: macOS Updates
Content Info: Linux Updates
Content Info: Patch for Configuration Manager
Content Info: ISEC and Neurons Patch
Content Info: Neurons Patch for InTune

Bulletins and Releases

Copyright © 2024 Ivanti. All rights reserved.
CHROME-240611: Security Update for Chrome Desktop
§ Maximum Severity: Critical
§ Affected Products: Google Chrome
§ Description: The Stable channel has been updated to Chrome 126.0.6478.54 (Linux)
126.0.6478.56/57 (Windows, Mac) which contains 21 security fixes and improvements The
Extended Stable channel has been updated to Chrome 126.0.6478.56/57 (Windows, Mac) . This
update addresses 18 reported vulnerabilities; 9 are rated High.
§ Impact: Remote Code Execution, Security Feature Bypass, Information Disclosure
§ Fixes 18 Vulnerabilities: See https://chromereleases.googleblog.com/2024/06/stable-channel-
update-for-desktop.html for more details.
§ Restart Required: Requires application restart
1

MFSA-2024-25: Security Update Firefox 127
§ Affected Products: Security Update Firefox
§ Description: This update from Mozilla addresses security vulnerabilities in the Firefox browser on
multiple platforms. Fixes 15 vulnerabilities; 4 are rated High.
§ Impact: Remote Code Execution, Denial of Service, Spoofing, Elevation of Privilege, Information
Disclosure
§ Fixes 15 Vulnerabilities: See the Mozilla Security Advisory https://www.mozilla.org/en-
US/security/advisories/mfsa2024-25/ for complete details.
§ Known Issues: None
1

MFSA-2024-26: Security Update Firefox ESR 115.12
§ Affected Products: Security Update Firefox ESR
§ Description: This update from Mozilla addresses security vulnerabilities in the Firefox ESR
browser on multiple platforms. Fixes 8 vulnerabilities; 3 are rated High.
§ Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, Information
Disclosure
§ Fixes 8 Vulnerabilities: See the Mozilla Security Advisory https://www.mozilla.org/en-
US/security/advisories/mfsa2024-26/ for complete details.
§ Known Issues: None
1

MS24-06-W11: Windows 11 Update
§ Affected Products: Microsoft Windows 11 Version 21H2, 22H2, 23H2 and Edge Chromium
§ Description: This bulletin references KB 5039213 (21H2) and KB 5039212 (22H2/23H2). See
KBs for complete details but note that the version of curl.exe that is in Windows is now 8.7.1
§ Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and Information
Disclosure
§ Fixes 28 Vulnerabilities: No CVEs are reported publicly disclosed or known exploited. See the
Security Update Guide for the complete list of CVEs.
§ Restart Required: Requires restart
§ Known Issues: See next slide
1

June Known Issues for Windows 11
§ KB 5039213 – Windows 11 version 21H2, all editions
§ [Prof_Pic] After installing this update, you might be unable to change your user account
profile picture. When attempting to change a profile picture by selecting the button Start>
Settings> Accounts > Your info, and then selecting Choose a file, you might receive an error
message with error code 0x80070520. Workaround: Microsoft is working on a resolution.

MS24-06-W10: Windows 10 Update
§ Affected Products: Microsoft Windows 10 Versions 1607, 1809, 21H2, 22H2, Server 2016,
Server 2019, Server 2022, Server 2022 Datacenter: Azure Edition and Edge Chromium
§ Description: This bulletin references 7 KB articles. See KBs for the list of changes but note that
the version of curl.exe that is in Windows is now 8.7.1.
§ Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and Information
Disclosure
§ Fixes 33 Vulnerabilities: CVE-2023-50868 is reported publicly disclosed. See the Security
Update Guide for the complete list of CVEs.
§ Restart Required: Requires restart
§ Known Issues: See next slide
1

June Known Issues for Windows 10
§ KB 5039211 – Windows 10 Enterprise and Education, version 21H2 Windows 10 IoT Enterprise,
version 21H2 Windows 10 Enterprise Multi-Session, version 21H2 Windows 10, version 22H2,
all editions
§ [Copilot Not Supported] Copilot in Windows (in preview) is not currently supported when
your taskbar is located vertically on the right or left of your screen. Workaround: To
access Copilot in Windows, make sure your taskbar is positioned horizontally on the top or
bottom of your screen.
§ [Icon Display] Windows devices using more than one (1) monitor might experience issues
with desktop icons moving unexpectedly between monitors or other icon alignment issues
when attempting to use Copilot in Windows (in preview).
§ [Cache] After you install KB5034203 (dated 01/23/2024) or later updates, some Windows
devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC)
nodes in their network might be unable to use those nodes. Instead, these Windows
devices will download updates and apps from the public internet. Workaround: See KB for
configuration options.
§ [Prof_Pic]
§ Microsoft is working on a resolution for all issues.

June Known Issues for Windows 10 (cont)
§ KB 5039227 – Windows Server 2022
§ [Prof_Pic]

§ Maximum Severity: Important
§ Affected Products: Microsoft SharePoint Server Subscription Edition, SharePoint Enterprise
Server 2016, and SharePoint Server 2019
§ Description: This security update resolves a Microsoft SharePoint Server remote code execution
vulnerability. This bulletin is based on KB 5002602 (2019), KB 5002603 (sub), and KB 5003604
(2016) articles.
§ Impact: Remote Code Execution
§ Fixes 1 Vulnerability: CVE-2024-30100 is not known to be exploited or publicly disclosed.
§ Known Issues: None reported
MS24-06-SPT: Security Updates for Sharepoint Server
1
2

§ Affected Products: Office Professional Plus 2016, Office Professional 2016, Office Standard
2016, Office Home and Business 2016, and Office Home and Student 2016
§ Description: This security update resolves several Microsoft Outlook remote code execution
vulnerabilities which can be exploited via the Preview Pane. This bulletin references KBs
5002575, 5002591, and 5002600.
§ Fixes 3 Vulnerabilities: CVE-2024-300101, CVE-2024-300103, and CVE-2024-300104 are not
known to be exploited or publicly disclosed.
MS24-06-OFF: Security Updates for Microsoft Office
1
2

§ Affected Products: Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Office LTSC for Mac
2021
§ Description: This month’s update resolves a vulnerability which could allow a remote user to
perform code execution. Information on the security updates is available at
https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates. This
security update resolves several Microsoft Outlook remote code execution vulnerabilities which
can be exploited via the Preview Pane.
§ Fixes 4 Vulnerabilities: CVE-2024-300101, CVE-2024-300102, CVE-2024-300103, and CVE-
2024-300104 are not known to be exploited or publicly disclosed.
MS24-06-O365: Security Updates for Microsoft 365 Apps
1
2

Between
Patch Tuesdays

Windows Release Summary
§ Security Updates (with CVEs): Google Chrome (3), Docker For Windows (1), Foxit PDF Editor (1),
Foxit PDF Editor (Subscription) (1), Foxit PDF Reader Enterprise (1), Opera (1), Python (1), VMware
Workstation Player (1)
§ Security Updates (w/o CVEs): 7-Zip (1), CCleaner (1), ClickShare App Machine-Wide Installer (1),
Cisco Webex Meetings Desktop App (1), Citrix Workspace App (1), Dropbox (1), Evernote (4), Falcon
Sensor for Windows (1), Firefox (1), Foxit PDF Editor (1), Foxit PDF Editor (Subscription) (1), Foxit
PDF Reader Consumer (1), Foxit PDF Reader Enterprise (1), GoodSync (3), Git for Windows (1),
Grammarly for Windows (3), Cisco Jabber (1), LibreOffice (1), Malwarebytes (1), Nitro Pro (1), Nitro
Pro Enterprise (1), Node.JS (LTS Lower) (1), Node.JS (LTS Upper) (1), Notepad++ (1), Opera (3),
PDF24 Creator (1), Screenpresso (1), Skype (1), Slack Machine-Wide Installer (1), Snagit (2), Tableau
Desktop (7), Tableau Prep Builder (1), Tableau Reader (1), Thunderbird (1), TeamViewer (2), Zoom
Client (2), Zoom Rooms Client (2)
§ Non-Security Updates: Bandicut (1), Bitwarden (1), Camtasia (1), Google Drive File Stream (1),
GoodSync (1), GeoGebra Classic (1), Citrix HDX RealTime Media Engine (1), KeePass Pro (1),
Password Safe (2), RingCentral App (Machine-Wide Installer) (2), Rocket.Chat Desktop Client (2),
TightVNC (1), WeCom (2), WinZip (1)

Windows Third Party CVE Information
§ Google Chrome 125.0.6422.77
§ CHROME-240522, QGC1250642277
§ Fixes 4 Vulnerabilities: CVE-2024-5157, CVE-2024-5158, CVE-2024-5159, CVE-2024-5160
§ CHROME-240523, QGC12506422113
§ Fixes 1 Vulnerability: CVE-2024-5274
§ CHROME-240530, QGC12506422142
§ Fixes 7 Vulnerabilities: CVE-2024-5493, CVE-2024-5494, CVE-2024-5495, CVE-2024-5496, CVE-
2024-5497, CVE-2024-5498, CVE-2024-5499

Windows Third Party CVE Information (cont)
§ Docker For Windows 4.31.0
§ DOCKER-240606, QDOCKER43100
§ Foxit PDF Editor 13.1.2.22442
§ FPDFE-240529, QFPDFE131222442
§ Foxit PDF Editor (Subscription) 2024.2.2.25170
§ FPDFES-240527, QFPDFE202422
§ Foxit PDF Reader Enterprise 2024.2.2.25170
§ FPDFRE-240527, QFPDFRES202422

Windows Third Party CVE Information (cont)
§ Opera 110.0.5130.39
§ OPERA-240524, QOP1100513039
§ Python 3.12.4
§ PYTHN312-240606, QPYTH31241500
§ VMware Workstation Player 17.5.2
§ VMWP17-240521, QVMWP1752

Apple Release Summary
§ Security Updates (with CVEs): Google Chrome (3), Microsoft Edge (3)
§ Security Updates (w/o CVEs): Firefox (1), Microsoft Edge (1), Parallels Desktop (1),
Thunderbird (1), Zoom Client (1)
§ Non-Security Updates: AutoCAD (1), Brave (2), draw.io (3), Dropbox (1), Evernote (4), Figma
(1), Grammarly (7), HandBrake (1), LibreOffice (1), Microsoft Edge (2), OneDrive for Mac (1),
Microsoft Office 2019 Outlook (2), PyCharm Professional (1), Spotify (2), Microsoft Teams (2),
Visual Studio Code (1), Microsoft Office 2019 Word (1)

Apple Third Party CVE Information
§ CHROMEMAC-240521
§ CHROMEMAC-240524
§ CHROMEMAC-240530
§ Fixes 7 Vulnerabilities: CVE-2024-5493, CVE-2024-5494, CVE-2024-5495, CVE-2024-5496, CVE-
2024-5497, CVE-2024-5498, CVE-2024-5499

Apple Third Party CVE Information (cont)
§ Microsoft Edge 124.0.2478.109
§ MEDGEMAC-240517
§ Fixes 5 Vulnerabilities: CVE-2024-30056, CVE-2024-4947, CVE-2024-4948, CVE-2024-4949,
CVE-2024-4950
§ MEDGEMAC-240527
CVE-2024-5274
§ MEDGEMAC-240603
CVE-2024-5497, CVE-2024-5498, CVE-2024-5499

Q & A

Thank You!

June Patch Tuesday

Related slideshows

More Related Content

June Patch Tuesday