Mammoth Microsoft Patch Tuesday fixes four zero-days, five critical bugs

142 holes plugged this month

Mammoth Microsoft Patch Tuesday fixes four zero-days, five critical bugs

Image:
Mammoth Microsoft Patch Tuesday fixes four zero-days, five critical bugs

After several relatively quiet months, Microsoft's July Patch Tuesday update contains fixes for a mammoth 142 flaws, including four zero-days, two of which have been actively exploited, and five vulnerabilities classified as "critical".

The four zero days

CVE-2024-38080 is an elevation of privilege (EoP) vulnerability affecting Microsoft's Hyper-V virtualisation functionality in Windows 11 and Windows Server, which is being actively exploited.

"For CVE-2024-38080 (CVSS severity score 7.8), a vulnerability in Windows Hyper-V, the impact is enormous since this vulnerability could grant attackers the highest level of system access that could enable the deployment of ransomware and other malicious attacks," said Saeed Abbasi, product manager, vulnerability research at Qualys Threat Research Unit (TRU).

"While Microsoft has not disclosed the extent of active exploitation, the nature of the vulnerability makes it a prime target for attackers. Due to its potential for deep system control, this vulnerability is poised for increased exploitation attempts. The combination of low complexity and no user interaction requirement means it is likely to be rapidly incorporated into exploit kits, leading to widespread exploitation."

Greg Wiseman, product manager at Rapid7, added: "Successful exploitation [of CVE-2024-38080] will give an attacker SYSTEM-level privileges. Only more recent editions of Windows are affected: Windows 11 since version 21H2, and Windows Server 2022 including Server Core."

Microsoft has also fixed a zero-day spoofing flaw in Windows MSHTML Platform (CVE-2024-38112, CVSS 7.5) that allows an attacker to send a malicious file to a user to be executed across the network. This flaw is being actively exploited.

"This vulnerability has been actively seen exploited in the wild, but details from Microsoft are scarce and it's only described as a 'spoofing' vulnerability, which requires social engineering in order to convince a user to execute a delivered file," said Rob Reeves, principal cyber security engineer at Immersive Labs.

Another important update is a fix for CVE-2024-35264 (CVSS 8.1), a publicly disclosed, zero-day remote code execution (RCE) vulnerability affecting Visual Studio 2022 and .Net 8.0. Exploitation of this flaw is described as 'difficult' as it requires race conditions.

The fourth zero-day, CVE-2024-37985 (CVSS 5.9), is a publicly disclosed vulnerability in Windows 11 on Arm-based systems.

"This could allow an attacker to view heap memory from a privileged process. The vulnerability has been publicly disclosed, but no code samples were made available as part of this disclosure," noted Chris Goettl, VP of security products at Ivanti.

Five critical bugs

The five vulnerabilities classified as "critical" (which almost always means they allow remote code execution) by Microsoft are as follows.

CVE-2024-38023 (CVSS 7.2) is a Sharepoint flaw. "An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialised API requests to trigger deserialisation of file's parameters," Microsoft's advisory says. "This would enable the attacker to perform remote code execution in the context of the SharePoint Server."

CVE-2024-38060 (CVSS 8.8) affects Windows Imaging Component RCE. "This is a flaw in the Windows Imaging Component related to TIFF (Tagged Image File Format) image processing that could allow an attacker to execute arbitrary code on a system," said Wiseman. "The example scenario Microsoft provides is simply of an authenticated attacker uploading a specially crafted TIFF image to a server in order to exploit this."

CVE-2024-38076 (CVSS 9.8) is described as Windows Remote Desktop Licensing Service RCE. Microsoft has provided a mitigation for this flaw, and "strongly" advises admins to install the updates "as soon as possible, even if you plan to leave Remote Desktop Licensing Service disabled."

The two remaining critical bugs also occur in Windows Remote Desktop Licensing Service and are related to CVE-2024-38076, with the same mitigation and recommended action from Microsoft. They are CVE-2024-38074 (CVSS 9.8) and CVE-2024-38074 (CVSS 9.8).

Other fixes

Other notable patches in this month's update include 39 CVEs in Microsoft SQL Server, none of which are critical. No exploits or disclosures have been reported.

There are also patches for third-party software including Adobe, Cisco NX-OS, Citrix Windows Virtual Delivery Agent and Workspace, GhostScript, Fortinet FortiOS, VMware Cloud Director, Firefox, and the OpenSSH "Regression" RCE bug.