Microsoft releasing updates for 49 CVE-tagged security flaws in its products – including one bug deemed critical, a fairly terrifying one in wireless networking, and one listed as publicly disclosed.

The one that's listed as publicly known, and not yet publicly exploited, is CVE-2023-50868 in Windows Server as well as non-Microsoft software. It's a vulnerability in DNSSEC implementations that we've known about since February.

"CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users," Redmond declared on Tuesday.

Meanwhile, the one critical flaw announced – CVE-2024-30080 – is a remote code execution (RCE) issue in Microsoft Message Queuing (MSMQ) and is serious enough that it received a 9.8 out of 10 CVSS severity rating. Redmond describes this one as "exploitation more likely."

It could allow a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted malicious MSMQ packet to a vulnerable Windows system, such as a Windows Server box.

"That makes this wormable between those servers, but not to systems where MSMQ is disabled," according to Zero Day Initiative's Dustin Childs, who added "it's not clear how many affected systems are exposed to the internet. While it is likely a low number, now would be a good time to audit your networks to ensure TCP port 1801 is not reachable."

Indeed, Microsoft says: "You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine."

There's also the scary-looking CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 in severity. It's not publicly disclosed, not yet under attack, and exploitation is "less likely," according to Redmond.

"An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution," and thus remotely, silently, and wirelessly run malware or spyware on that nearby victim's computer, Microsoft admitted.

Childs said: "Considering it hits every supported version of Windows; it will likely draw a lot of attention from attackers and red teams alike." Patch as soon as you can: This flaw can be abused to run malicious software on and hijack a nearby Windows PC via their Wi-Fi with no authentication needed. Pretty bad.

On top of this, there are the usual load of elevation of privilege and other code execution holes in Microsoft's code to close with this month's patches.