June 2024 Patch Tuesday forecast: Multiple announcements from Microsoft
June 2024 Patch Tuesday is now live:
Microsoft fixes RCE vulnerabilities in MSMQ, Outlook (CVE-2024-30080, CVE-2024-30103)
May 2024 Patch Tuesday was unusual because we had security updates from Adobe, Apple, Google, Mozilla, and Microsoft on the same day.
Individually, the updates from each vendor weren’t that large, but managing them together was more challenging. On the Microsoft front, the only Critical update was for SharePoint Server, but there were important updates for Windows 11 with 41 CVEs addressed and Windows 10 with 47 CVEs addressed.
Microsoft has been busy this month, providing announcements on both products and technology that are reaching end of support and those that are in early preview.
Windows 10
Windows 10 was in the news this month, and Microsoft made some new announcements. First, Windows 10 21H2 Education and Enterprise editions will reach end-of-life with their final update next week. With no additional security updates, all users are encouraged to update to the latest version of Windows 10 or Windows 11 if their system requirements support it. Windows 11 requires newer security hardware, and many users can’t upgrade. It’s estimated that roughly 50 percent of all Windows users are still running Windows 10.
Second, Microsoft announced they are re-opening the Insiders beta channel after three years for users “to try out new features for Windows 10, version 22H2,” before it is released to all Windows 10 users. But don’t get too excited; the runway is getting short with Windows 10 22H2, the last version, reaching end of support next year on October 14, 2025. After that release, you must subscribe to their ESU program for additional security updates.
NTLM
Microsoft also updated their deprecation information on NTLM, VBScript, Cortana, and WordPad. New Technology LAN Manager (NTLM) is an authentication protocol that was introduced in Windows 3.1 and is still used today.
Microsoft has been phasing out NTLM support and introducing Kerberos as a replacement, and announced that no further development on NTLM will be performed. Likewise, they announced that Visual Basic Scripting Language (VBScript), which has been around almost as long as NTLM, will be phased out in three steps over the next several years. Both NTLM and VBScript are being replaced by more powerful and, more importantly, more secure options – NTLM with Kerberos, and VBScript with PowerShell or JavaScript.
WordPad, also a Windows staple and from the same era as NTLM, has been deprecated from Windows 11, 24H2. Cortana has been replaced by the AI-powered Copilot as the help utility of choice. So, there you have the names and acronyms you may not hear much about anymore as they are slowly phased out.
Windows 11 24H2
The preview for Windows 11 24H2 hit the Release Preview Channel in late May. Unlike the 23H2 release last year, 24H2 is expected to have some major updates including the controversial, AI-powered Recall feature. This feature, as the name suggests, captures and stores information throughout the normal use of your computer, which you can then query to ‘recall’ an important piece of information you can’t remember. For example, where was that crazy cat picture with the fishing hat?! As you can imagine, there are all kinds of privacy and security concerns regarding the information it collects and stores. Microsoft has provided the basic information on managing Recall, but this will continue to be a hot topic on all the forums.
June 2024 Patch Tuesday forecast
- Microsoft has been active with many announcements this month, so expect the same on the patch release cadence. The normal operating system and application updates will be provided including ESUs, and we may see a .NET Framework security release as well.
- Adobe released security updates for most of their major products last Patch Tuesday including Acrobat and Reader. Don’t expect another update this month.
- Apple released security updates for all their operating systems as well as their Safari browser last month on Patch Tuesday. Will they continue the trend and move to a Patch Tuesday release schedule? I don’t think so, but we may see a minor set of OS updates later this month.
- Google released an Early Stable Update for Desktop this week to a limited audience, so anticipate the main release coming out Monday or Patch Tuesday.
- Mozilla released their last major security updates for Firefox and Thunderbird last month, so expect another round on Patch Tuesday.
Use Microsoft’s announcements to plan your software deployment strategy, considering both products reaching end of support and those newly introduced. Pay close attention to the Microsoft vulnerabilities addressed this month and see if the Pwn2Own discoveries are credited.