June 11, 2024

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted Copilot+ PCs, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed Recall, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host Patrick Gray noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2024-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the Microsoft Message Queuing (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

Kevin Breen, senior director of threat research at Immersive Labs, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the Windows WiFi Driver, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its Office applications, including at least two remote-code execution flaws, said Adam Barnett, lead software engineer at Rapid7.

CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for Acrobat, ColdFusion, and Photoshop, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.


20 thoughts on “Patch Tuesday, June 2024 “Recall” Edition

  1. Zarn

    Whoa! Utterly Foolish Recall. I can parse text out of an image using my phone. Voila. The trail of tears.

    Reply
  2. Neverlightmyst

    How long before a uninstall useless spypilot? I do not just want to disable spypilot. I want to completely remove it. Like Madonna from Vegas because she keeps sleeping with the whole hotel staff.

    Reply
  3. Jane Doe

    >Only one of the patches released today — CVE-2004-30080 — earned Microsoft’s most urgent “critical”
    Surely you mean CVE-2024-30080 🙂

    Reply
  4. Billgates

    For those who complain but still use Microsoft winBlows why not use a Linux based OS?

    Reply
    1. Catwhisperer

      Because of business reasons only. Or because a given application is only available on Windows. I.e. Microsoft Office Suite. But every other machine, other than the business ones, are Linux, either Ubuntu or Kali. Even a Macbook and an iMac. Apple went the route Microsoft is going now, years ago.

      Reply
  5. IReadTheArticle

    Hey Krebs – Typo in P8. You state ‘CVE-2004-30080’ which should be CVE-2024-30080.

    Reply
  6. crd

    You misidentified CVE-2024-30080 as CVE-2004-30080 in the first reference to it.

    Reply
  7. Tink

    Aside from disabling that feature, are they also deleting any screenshots taken so far? How does the user delete those screenshots?

    How did they justify the use of storage space taking all those screenshots?

    Reply
    1. SeymourB

      My understanding is that the only systems capable of using recall out of the gate were some upcoming ARM-based Surface tablets which had a special AI coprocessor. Normal systems lacked the necessary power at AI operations.

      Though I must admit curiosity to know if the people who wasted $10,000+ on multi-GPU nvidia setups would have had enough AI power. They needed their own nuclear power plant to keep them working, but on paper at least they should have worked.

      Reply
  8. Chris from Earth

    Recall seems like a great way to train your AI replacement and keep an eye on the slaves to boot!

    Reply
  9. Nice IT Man

    Thanks for the article Brian! I think that I get more relivant news from you than all of my other news letters combined. To be fair to Microsoft, they are doing more than simply turning Recall off by default. They are also now requiring Windows Hello with “proof of presence” to decrypt data.

    It’s still a horrible idea, but I sadly don’t think most end users care as long as they have cutting edge toys to play with. On one hand it’s hard to blame Microsoft for reacting to the market, but the idea that this was going to be on by default is inexcusable. Glad they reversed that decision.

    Reply
  10. Nice IT Man

    Thanks for the article Brian! I think that I get more relivant news from you than all of my other news letters combined. To be fair to Microsoft, they are doing more than simply turning Recall off by default. They are also now requiring Windows Hello with “proof of presence” to decrypt data.

    It’s still a horrible idea, but I sadly don’t think most end users care about security or privacy as long as they have cutting edge toys to play with. On one hand it’s hard to blame Microsoft for reacting to the market, but the idea that this was going to be on by default is inexcusable. Glad they reversed that decision.

    Reply
  11. Catwhisperer

    Blissfully, while performing updates my Windows laptop reported that it was not compatible with Windows 11 and then the Microsoft update installer has the chutzpah to tell me to go purchase a new laptop before October 25, 2025. Or else… Do the brainiacs at Microsoft not realize that even a Macbook can install Kali Linux?

    Reply
    1. Fr00tL00ps

      Um, both Ventoy and Rufus will bypass triggers and allow you to freshly install (not the upgrade path) Win 11 on “unsupported devices” utilising your existing product key and have done so for over a year. And, if you enable VT-x and Hyper-V, you can install the Kali WSL package on a Windows machine and many other supported distributions for that matter. What is your point?

      Reply
  12. Ben

    They always start with it ON by default trial balloon to gather info. Later on the switches don’t turn anything off. People need to get off the windows.

    Reply
  13. Steve

    Say you leave Recall disabled. Can’t any hacker who gets into your PC just enable it? You wouldn’t know would you?

    Reply
  14. Kary

    While AI can do some amazing things, particularly in the medical field, the push into everyday life is going too far, IMHO. For example, when I do a Google search I want results posting to source material, material I can then judge for myself as to its accuracy and biases. I don’t want some AI generated answer where I have no idea if it’s based on some random posts off of Reddit.

    That said, I’m having a hard time seeing how Recall involves AI in any form. AI could use the information generated, like it could access and review a swap file, but it doesn’t seem to be AI itself.

    Reply
    1. Fr00tL00ps

      It is in Brian’s second paragraph; Recall is a feature embedded in Copilot+ PCs, an AI-enabled version of Windows.

      What I don’t see in all the commentary Microsofts decision has created, is apart from the obvious privacy concerns, where does Copilot perform its operations? Locally or in the cloud? I don’t imagine generative model functions would perform reasonably well on consumer grade laptops, they would have to be powered by Microsoft servers, therefore Copilot would require a permanent internet connection. I would be more concerned what telemetry data would be identified by Wireshark and the increased bandwidth associated with it.

      Reply
  15. Thomas

    I’m a brain dead self taught programmer. Even I know that an unprotected sqlite database is going to be easy cake for someone to steal. Microsoft thinks it can do anything it wants because they’re a monopoly. And frankly the stuff they pull is absurd

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *