Clear your Microsoft system administrator’s diary: The bundle of fixes in Redmond’s July Patch Tuesday is a doozy, with at least two bugs under active exploitation.
Tuesday’s software updates address more than 130 Microsoft CVEs.
Active Exploits in the Wild
The first of two vulnerabilities for sure under active exploit – CVE-2024-38080 – is a Windows Hyper-V elevation of privilege flaw with a 7.8-out-of-10 CVSS rating, which Microsoft deemed “important.”
We don’t know how widespread exploitation is of this one, though Microsoft does note “an attacker who successfully exploited this vulnerability could gain system privileges.” Plus, as Zero Day Initiative’s Dustin Childs pointed out, this exploit would prove quite useful for ransomware. If you’re running Hyper-V, test and deploy this update.
The second bug listed as having been found and exploited by miscreants before Redmond pushed a patch is a Windows MSHTML platform spoofing vulnerability tracked as CVE-2024-38112. MSHTML (aka Trident) is Microsoft’s proprietary browser engine for Internet Explorer, and this one received a 7.5 CVSS severity score.
It does require user interaction to exploit. As Redmond explained: “An attacker would have to send the victim a malicious file that the victim would have to execute.” Haifei Li with Check Point Research discovered and reported the flaw to Microsoft.
The outcome of its exploitation is vague, though it appears it causes something like information or resources to be exposed to the wrong person. Given the prevalence of successful social engineering attacks of late – and the fact that Microsoft has already detected exploitation of this CVE – we’ve seen time and again that getting users to click malicious links is pretty darn easy. Thus, patch this before your next bad click triggers CVE-2024-38112.
Publicly Disclosed but Not Exploited
The first of two CVE bugs listed as publicly disclosed but not publicly exploited is CVE-2024-35264 – a remote code execution vulnerability in .NET and Visual Studio. To exploit this one, an attacker would need to induce a race condition to allow inappropriate data access. But they could use it to achieve remote code execution (RCE).
According to Redmond: “An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition.” Microsoft’s own Radek Zikmund found this flaw.
The second known but not exploited bug – CVE-2024-37985 – affects Arm-based Redmond operating systems and it garnered a 5.9 CVSS rating. It’s a side-channel attack from 2023 dubbed FetchBench that can be abused to leak secret information.
Five Critical Microsoft CVEs
Of the remaining Microsoft CVEs, five are critical severity and three of those – CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077 – are 9.8-rated RCE bugs in Windows Remote Desktop Licensing Service. Redmond described all three as “exploitation less likely.”
Zero Day Initiative’s Childs’s advice regarding CVE-2024-38077 is that “exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server.”
He recommended making sure these servers aren’t accessible over the internet. “If a bunch of these servers are internet-connected, I would expect exploitation soon,” Childs warned. “Now is also a good time to audit your servers to ensure they aren’t running any unnecessary services.”
The other two critical Microsoft bugs include CVE-2024-38060 – an 8.8-rated RCE in Windows Imaging Component that could be exploited by any authenticated user uploading a malicious TIFF file to a server.
Also of note is CVE-2024-38023 – a 7.2-rated flaw in Microsoft SharePoint Server that can also lead to RCE.
