Microsoft has rolled out its latest set of monthly security updates, addressing a total of 143 vulnerabilities. Among these, two have already been exploited in the wild, underscoring the urgency for users to apply these patches.
Critical and Important Fixes
Of the 143 vulnerabilities patched, five are classified as Critical, 136 as Important, and four as Moderate in severity. Additionally, Microsoft resolved 33 vulnerabilities in its Chromium-based Edge browser over the past month.
Actively Exploited Vulnerabilities
The two flaws currently being exploited are:
- CVE-2024-38080 (CVSS score: 7.8): A Windows Hyper-V Elevation of Privilege Vulnerability.
- CVE-2024-38112 (CVSS score: 7.5): A Windows MSHTML Platform Spoofing Vulnerability.
CVE-2024-38112: MSHTML Platform Spoofing
According to Microsoft, exploiting CVE-2024-38112 requires an attacker to take specific preparatory actions, such as sending the victim a malicious file to execute. Check Point security researcher Haifei Li, who discovered and reported the flaw in May 2024, explained that attackers use specially-crafted Windows Internet Shortcut files (.URL). These files, when clicked, redirect victims to a malicious URL via the now-retired Internet Explorer (IE) browser.
“An additional trick on IE is used to hide the malicious .HTA extension name,” Li noted. “By opening the URL with IE instead of the more secure Chrome/Edge browser, attackers gain significant advantages in exploiting the victim’s computer, even on modern Windows 10/11 systems.”
Evidence of this attack technique dates back to January 2023, with samples uploaded to the VirusTotal malware scanning platform, indicating that threat actors have been aware of this loophole for over a year and a half.
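A defender-side triage check for the .URL technique described above, written as an added example for this article (it is not Check Point's code or any tool from the original report). It assumes the IE-forcing "mhtml:" prefix and "!x-usc:" redirector from the published analysis, and a double extension padded with invisible characters to hide ".hta"; the shortcut contents below are constructed.

```python
import configparser
import re
from urllib.parse import unquote

# Constructed Windows Internet Shortcut (.URL) file for the demo; not a real sample.
# The "mhtml:" prefix and "!x-usc:" redirector are assumed from Check Point's analysis.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/a.html!x-usc:http://example.invalid/Report.pdf%E2%80%8B%E2%80%8B.hta
ShowCommand=7
IconIndex=13
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://learn.microsoft.com/
"""

# Whitespace and zero-width code points that render as nothing in a file name.
INVISIBLE = re.compile(r"[\u200b-\u200f\u2060\ufeff\s]+")

def final_target(url: str) -> str:
    """Return the URL IE would actually fetch after the !x-usc: redirector."""
    return url.split("!x-usc:", 1)[1] if "!x-usc:" in url else url

def suspicious_reasons(url_file_text: str) -> list[str]:
    """Parse a .URL file and list the reasons it looks like the IE-forcing lure."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %xx escapes literal
    cp.read_string(url_file_text)
    url = cp.get("InternetShortcut", "URL", fallback="")
    reasons = []
    if url.lower().startswith("mhtml:"):
        reasons.append("mhtml: prefix forces the link to open in Internet Explorer")
    if "!x-usc:" in url.lower():
        reasons.append("!x-usc: redirector hides the real destination")
    name = unquote(final_target(url)).rsplit("/", 1)[-1]
    visible = INVISIBLE.sub("", name)  # what the file name really ends with
    if visible.lower().endswith(".hta"):
        stem = visible[:-4]
        if "." in stem:
            fake = stem.rsplit(".", 1)[1]
            reasons.append(f"double extension disguises an HTA file as {fake!r}")
        else:
            reasons.append("link delivers an HTA application")
    return reasons
```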
CVE-2024-38080: Windows Hyper-V Elevation of Privilege
Tenable’s senior staff research engineer, Satnam Narang, highlighted the severity of CVE-2024-38080, an elevation of privilege flaw in Windows Hyper-V. “A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise,” Narang explained. This is the first Hyper-V flaw to be exploited in the wild since 2022.
Publicly Known Vulnerabilities
Two other vulnerabilities patched by Microsoft were publicly known at the time of release:
- CVE-2024-37985 (CVSS score: 5.9): A side-channel attack called FetchBench that could enable an adversary to view heap memory from a privileged process on Arm-based systems.
- CVE-2024-35264 (CVSS score: 8.1): A remote code execution bug affecting .NET and Visual Studio. This flaw could be exploited by closing an HTTP/3 stream while the request body is being processed, leading to a race condition and potential remote code execution.
Additional Security Updates
The Patch Tuesday updates also include fixes for a variety of vulnerabilities:
- 37 remote code execution flaws in the SQL Server Native Client OLE DB Provider.
- 20 Secure Boot security feature bypass vulnerabilities.
- Three PowerShell privilege escalation bugs.
- A spoofing vulnerability in the RADIUS protocol, CVE-2024-3596, also known as BlastRADIUS.
Greg Wiseman, Rapid7’s Lead Product Manager, emphasized the importance of updating not only SQL Server instances but also client code running vulnerable versions of the OLE DB Provider. “An attacker could use social engineering to trick an authenticated user into connecting to a malicious SQL Server database, allowing arbitrary code execution on the client,” Wiseman warned.
Zero-Click Vulnerability in Microsoft Office
Rounding out the list of significant patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office. This vulnerability, reported by Morphisec in April 2024, does not require any authentication and poses a severe risk due to its zero-click nature.
Michael Gorelik of Morphisec highlighted the danger of this flaw: “Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction. The absence of authentication requirements makes it particularly dangerous.”
Cloud-Related Security Vulnerabilities
In a bid to improve transparency, Microsoft announced late last month that it would begin issuing CVE identifiers for cloud-related security vulnerabilities. This move aims to provide better visibility into the security landscape of Microsoft’s cloud services.
Patches from Other Vendors
Alongside Microsoft’s updates, several other vendors have released security patches, addressing numerous vulnerabilities. These vendors include Adobe, Amazon Web Services, AMD, Apple, Arm, Broadcom (including VMware), Cisco, Citrix, CODESYS, D-Link, Dell, Drupal, Emerson, F5, Fortinet, Fortra FileCatalyst Workflow, GitLab, Google (Android, Chrome, Cloud, Pixel, Wear OS), Hitachi Energy, HP, HP Enterprise, IBM, Ivanti, Jenkins, Juniper Networks, Lenovo, Linux distributions (Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, Ubuntu), MediaTek, Mitsubishi Electric, MongoDB, Mozilla (Firefox, Firefox ESR), NETGEAR, NVIDIA, OpenSSH, Progress Software, QNAP, Qualcomm, Rockwell Automation, Samsung, SAP, Schneider Electric, Siemens, Splunk, Spring Framework, TP-Link, Veritas, WordPress, and Zoom.
With such a wide array of patches and updates, users and administrators are urged to apply these fixes promptly to mitigate potential security risks and protect their systems from exploitation.