Security operations · 2 MIN READ · MATT JASTRAM · JUN 12, 2024 · TAGS: MDR / vulnerability prioritization
This Patch Tuesday includes 53 published CVEs from Microsoft.
The June 2024 edition of Patch Tuesday is live, and our team reviewed the released patches (so you don’t have to). Here are our top takeaways.
First, it’s essential to point out that since starting this blog series in March, actual ‘in the wild’ exploits are only 5% of the released CVEs. This helps illustrate that while a lot of vulnerabilities are assigned CVEs, not all vulnerabilities are interesting and abused by attackers. The following table tracks the number of vulnerabilities identified by month, how many have since been observed exploited, and Microsoft’s analysis of how many of the vulnerabilities were more, or less, likely to be exploited.
| Month | CVEs | % In the wild exploit evidence | % Exploit more likely | % Exploit less likely |
| March | 60 | 8% | 12% | 88% |
| April | 149 | 2% | 10% | 90% |
| May | 67 | 6% | 20% | 80% |
| June | 53 | 0% | 22% | 78% |
| Total | 329 | 5% | 15% | 85% |
Microsoft
Microsoft’s June patch release was a 21% reduction in CVEs from the previous month, continuing the downward trend since April’s massive number (149). Perhaps it was due to the Microsoft Windows AI Recall chatter, which is now ‘off by default.’ (I’d trust, but definitely verify!)
Regarding exploit risk, there is very limited evidence threat actors have exploited these vulnerabilities in the wild, so here’s a breakdown by attack type:
- Remote Code Execution (RCE): Although there were only 18 CVEs with this threat type, RCEs resulted in 373 patches across 75 product releases. Server versions require the most patches at 196, including: Windows 2008 with 96 (ironically EOL) , 2012 (26), 2016 (17), 2019 (17), and 2022 (40). Due to their functionality, servers are often externally facing which introduces risk when they are not patched. We regularly see MDR customers with external-facing assets excessively scanned and prodded to gather intel on weaknesses, and some exploitation attempts!
- Elevation-of-Privilege (EoP): This threat type accounted for 25 CVEs, resulting in 603 patches across Microsoft’s products. Attackers are constantly exploring ways to gain and elevate their access once in a network. Patching these vulnerabilities is still important even though Microsoft only gives them a rating of “important”.
- Denial-of-Service (DoS): Microsoft identified five CVEs in this category, which resulted in 64 patches across 31 of its products. Forty-four of these included Microsoft Server versions from 2012-2022. If your business is concerned about this attack type, we recommend rolling out remediation in your next patching cycle.
- Information Disclosure: This category included three CVEs, which were remediated with 51 patches across 27 products. The title “information disclosure” is deceptively simple, but this class of vulnerability can be used to expose arbitrary data, such as passwords.
That’s it for this month. If you have any questions about these specific vulnerabilities (and others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—feel free to get in touch.
