Why it matters: Compared to the monster update in April, this latest Patch Tuesday release is relatively small, but it contains a critical flaw that Microsoft users need to patch immediately: vulnerable products are open to remote attack by anyone sharing the same public Wi-Fi network. Microsoft has also added a new Explorer feature to its latest beta, making it easier to move files around.
Microsoft's latest Patch Tuesday included updates for 49 CVE-tagged security flaws in its products, including one deemed critical. Microsoft gave it a 9.8 out of 10 CVSS severity rating, and it falls into the category of "exploitation most likely."
The bug is a remote code execution (RCE) issue in Microsoft Message Queuing that could allow a remote attacker to execute arbitrary code by sending a specially crafted malicious MSMQ packet to a vulnerable Windows system, such as a Windows Server box.
It impacts a wide range of systems including Windows 11 and Windows 10, as well as Windows Server 2008 and newer versions.
Like all RCE vulnerabilities, this flaw is dangerous because it allows hackers to compromise susceptible systems without physical access. In this case, attackers need to be connected to the same Wi-Fi network.
The attackers don't need authentication to access settings or files on a vulnerable device, and it can be exploited through low-complexity attacks – namely, all the hackers have to do is send a custom-tailored network packet to a vulnerable device in the Wi-Fi range. As you can imagine, this makes it particularly dangerous for people who like to work from public spaces such as libraries, coffee shops or airports.
Redmond said there's no evidence of the bug being exploited in the wild, a contrast to the two zero-day vulnerabilities (CVE-2024-30040 and CVE-2024-30051) that were patched in May 2024 and were actively exploited. However, malicious actors tend to rush once a vulnerability is published.
Altogether, this was a relatively small patch for Microsoft – according to Zero Day Initiative's Dustin Childs, who notes that the CVE count actually comes to 58 if you include the third-party CVEs also being documented this month.
Microsoft has also launched a Windows 11 Build 26241 beta, which includes a new feature in Explorer that makes it easier to move files around. It allows users to drag-and-drop files between breadcrumbs through the File Explorer Address Bar.
File Explorer has also been updated so it's a little easier to see when you have files or folders selected by adding a thin border to the selected area. The beta also fixed an underlying issue causing File Explorer to crash when going to Home.