Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have been actively exploited by cybercriminals.
All about the flaws fixed by Microsoft in the July patch
Five of the 143 flaws are classified as Critical, 136 are classified as Important and four are classified as Moderate in severity; the fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.
The two security vulnerabilities that have been exploited are as follows:
- CVE-2024-38080 (CVSS Score: 7.8) – Windows Hyper-V Elevation of Privilege Vulnerability
- CVE-2024-38112 (CVSS Score: 7.5) – Windows MSHTML Platform Spoofing Vulnerability
“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment,” Microsoft said regarding CVE-2024-38112. “An attacker would send the victim a malicious file that the victim would execute.”
Check Point security researcher Haifei Li, who is credited with discovering and reporting the flaw in May 2024, said that cybercriminals are using specially crafted Windows Internet shortcut files (.URL) that, when clicked, redirect victims to a malicious URL by invoking the deprecated Internet Explorer (IE) browser.
Updates aren’t everything: the user must also do his part according to Microsoft
“An additional trick on IE is used to hide the malicious .HTA extension,” Li explained. “By opening the URL with IE instead of the modern and much more secure Chrome/Edge browsers on Windows, the attacker gained significant advantages in exploiting the victim’s computer, even if the computer was running the modern Windows 10/11 operating system.”
“CVE-2024-38080 is an elevation of privilege vulnerability in Windows Hyper-V,” said Satnam Narang, senior research engineer at Tenable. “An authenticated local attacker could exploit this vulnerability to elevate privileges to the SYSTEM level after an initial compromise of the target system.”
While the exact details surrounding the abuse of CVE-2024-38080 are currently unknown, Narang noted that this is the first of 44 Hyper-V flaws to be exploited in the wild since 2022.
The risk of remote code execution through deception
Two other security flaws fixed by Microsoft were listed as publicly known at the time of release; these include a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9), which could allow an attacker to view heap memory from a privileged process running on Arm-based systems.
The second publicly disclosed vulnerability in question is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug affecting .NET and Visual Studio.
“An attacker could exploit this vulnerability by closing an http/3 stream while the request body is being processed, leading to a race condition,” Microsoft said in a notice. “This could result in [malicious] remote code execution.”
Even the servers weren’t safe
Also addressed as part of the Patch Tuesday updates are 37 remote code execution vulnerabilities affecting the SQL Server Native Client OLE DB provider, 20 Secure Boot security feature bypass vulnerabilities, three PowerShell privilege escalation bugs and a RADIUS protocol spoofing vulnerability (CVE-2024-3596, aka BlastRADIUS).
“[The SQL Server flaws] specifically affect the OLE DB provider, so not only the SQL Server instances need to be upgraded, but client code running vulnerable versions of the connection driver will also need to be addressed,” said Greg Wiseman, Lead Product Manager at Rapid7, who later remarked: “For example, an attacker could use social engineering tactics to trick an authenticated user into attempting to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client.”
Rounding out the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could allow an attacker to gain high administrator privileges, including read, write and erase functionality.
Was it possible to attack even without user interaction? According to Microsoft it seems so
Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a serious risk due to its zero-click nature.
“Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction,” said Michael Gorelik. “The lack of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”
The fixes come after Microsoft announced at the end of last month that it will begin releasing CVE identifiers for cloud-related security vulnerabilities moving forward in an effort to improve transparency.
Microsoft is not alone, other suppliers are chasing after it
In addition to Microsoft, security updates have also been released by other vendors in recent weeks to patch several vulnerabilities, including: