Yesterday, Microsoft released its June security update patching a total of 50 vulnerabilities. Among these, are a dozen critical RCE flaws that affect Windows, as well as its web browsers.
Despite the fact that the vulnerabilities patched this month have not been exploited for malicious purposes, one of them has been publicly disclosed before releasing the latest security patch.
The disclosed security flaw is a use-after-free issue letting hackers execute arbitrary code if they can convince the targeted user to open a malicious web page or file. The vulnerability was reported to Microsoft via Trend Micro’s Zero Day Initiative (ZDI), which revealed some details publicly after its 120-day deadline expired.
Among the critical flaws were CVE-2018-8225, which impacts the Windows DNS component DNSAPI.dll. Hackers can leverage this vulnerability to execute arbitrary code in the context of the Local System Account by using a malicious DNS server to send specially crafted DNS responses to the targeted system.
CVE-2018-8251 is another critical RCE flaw, which impacts the Windows Media Foundation component. According to Microsoft, hackers can exploit this vulnerability to take complete control of a system by making the targeted user open a malicious web page or file.
A security hole that affects the HTTP Protocol Stack (Http.sys) lets remote code execution by sending a specially crafted packet to the targeted server. Despite being considered as critical, Microsoft believes that the exploitation of the flaw is “less likely.”
The June security patch also resolves a privilege escalation vulnerability which affects the Cortana voice assistant. The flaw was disclosed earlier this year and has been classified as “important” because its exploitation requires physical or console access and the targeted system needs to have Cortana enabled.
In addition to its latest updates, Microsoft released some mitigations for Variant 4 of the Spectre/Meltdown vulnerabilities.