Microsoft’s July Update Fixes 143 Vulnerabilities, With Two Currently Being Actively Utilized
Microsoft has rolled out updates to fix a total of 143 security vulnerabilities in its latest round of monthly security patches; among these, two vulnerabilities are currently being exploited by threat actors.
Of the 143 vulnerabilities addressed, there are five Critical, 136 Important, and four Moderate severity flaws. Additionally, fixes have been applied to address 33 security vulnerabilities in the Chromium-based Edge browser over the last month.
The two vulnerabilities that are currently being exploited are as follows:
- CVE-2024-38080 (CVSS score: 7.8) – Vulnerability in Windows Hyper-V that allows elevation of privileges.
- CVE-2024-38112 (CVSS score: 7.5) – Vulnerability in Windows MSHTML platform that enables spoofing attacks.
“Exploiting CVE-2024-38112 necessitates attackers to first execute additional steps to prepare the target environment,” according to Microsoft’s statement on the issue. “To exploit this flaw, an attacker must deliver a malicious file to the victim, who then needs to execute it.”
According to Check Point security researcher Haifei Li, who discovered and reported the vulnerability in May 2024, threat actors are using specially crafted Windows Internet Shortcut files (.URL) that, upon clicking, redirect victims to a malicious URL via the retired Internet Explorer (IE) browser.
“On IE, an additional trick is utilized to conceal the harmful .HTA extension name,” Li elaborated. “By opening the URL in IE instead of the more secure Chrome/Edge browser on Windows, the attacker gains significant leverage in compromising the victim’s computer, despite running the modern Windows 10/11 operating system.”
“CVE-2024-38080 is a flaw allowing privilege escalation in Windows Hyper-V,” explained Satnam Narang, senior staff research engineer at Tenable. “An authenticated attacker at a local level could exploit this flaw to elevate privileges to SYSTEM level post an initial compromise of a targeted system.”
While the specifics of the exploitation of CVE-2024-38080 remain undisclosed, Narang highlighted that this is the first among the 44 Hyper-V vulnerabilities exploited in the wild since 2022.
Two other vulnerabilities addressed by Microsoft were already publicly known upon release. One of these is a side-channel attack dubbed FetchBench (CVE-2024-37985, CVSS score: 5.9) that could permit viewing heap memory from a privileged process operating on Arm-based systems.
The second disclosed vulnerability is CVE-2024-35264 (CVSS score: 8.1), a remote code execution vulnerability affecting .NET and Visual Studio.
“An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition,” Redmond explained in an advisory. “This could result in remote code execution.”
In addition to these, Patch Tuesday updates have addressed 37 remote code execution vulnerabilities in the SQL Server Native Client OLE DB Provider, 20 security feature bypass vulnerabilities in Secure Boot, three PowerShell privilege escalation flaws, and a RADIUS protocol spoofing vulnerability (CVE-2024-3596 or BlastRADIUS).
“The SQL Server vulnerabilities predominantly impact the OLE DB Provider, thus not only do SQL Server instances need updating, but client code running on versions of the connection driver susceptible to vulnerabilities also require attention,” noted Rapid7’s Lead Product Manager Greg Wiseman.
“For instance, an attacker could employ social engineering techniques to trick an authenticated user into trying to connect to a SQL Server database configured to return malicious data, thereby enabling arbitrary code execution on the client.”
Another vulnerability patched, CVE-2024-38021 (CVSS score: 8.8), is a remote code execution flaw in Microsoft Office that, if successfully exploited, could grant an attacker elevated privileges, including read, write, and delete access.
Morphisec, which discovered the vulnerability in late April 2024, highlighted that the flaw requires no authentication and poses a significant risk due to its zero-click nature.
“Attackers could leverage this flaw to gain unauthorized access, execute arbitrary code, and cause substantial harm without any user interaction,” stated Michael Gorelik emphasized. “The absence of authentication makes it particularly perilous, opening the door to widespread exploitation.”
These fixes arrive as Microsoft revealed towards the end of the previous month its plans to allocate CVE identifiers for cloud-related security vulnerabilities to enhance transparency.
Updates from Other Software Vendors
Several other vendors, besides Microsoft, have issued security updates in recent weeks to address multiple vulnerabilities, which include —
About Author
