Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have been exploited in the wild.
Five of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.
Below are the two security flaws that have been exploited –
- CVE-2024-38080 (CVSS Score: 7.8) – Windows Hyper-V Elevation of Privilege Vulnerability
- CVE-2024-38112 (CVSS Score: 7.5) – Windows MSHTML Platform Spoofing Vulnerability
“Successful exploitation of this vulnerability requires an attacker to perform additional steps before exploitation to prepare the target environment,” Microsoft said of CVE-2024-38112. “The attacker had to send the victim a malicious file that the victim would have to execute.”
Check Point security researcher Haifei Li, who is credited with discovering and reporting the flaw in May 2024, said threat actors are using specially crafted Windows Internet Shortcut (.URL) files that, when clicked, redirect victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.
“An additional trick in IE is used to hide the malicious name of the .HTA extension,” Li explained. “By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained a significant advantage in exploiting the victim’s computer, even though the computer is running a modern Windows 10/11 operating system.”
“CVE-2024-38080 is an elevation of privilege vulnerability in Windows Hyper-V,” said Satnam Narang, senior research engineer at Tenable. “An authenticated local attacker could use this vulnerability to elevate privileges to the SYSTEM level after an initial compromise of the target system.”
While the exact details of how CVE-2024-38080 is being exploited are currently unknown, Narang noted that it is the first of 44 Hyper-V flaws to be exploited in the wild since 2022.
Two other security flaws fixed by Microsoft were listed as publicly known at the time of release. These include a side-channel attack called FetchBench (CVE-2024-37985, CVSS Score: 5.9), which could allow an adversary to view heap memory from a privileged process running on Arm-based systems.
The second publicly disclosed vulnerability is CVE-2024-35264 (CVSS Score: 8.1), a remote code execution bug affecting .NET and Visual Studio.
“An attacker could take advantage of this by shutting down the http/3 stream while processing the request body, leading to a race condition,” Redmond said in the advisory. “This can lead to remote code execution.”
Patch Tuesday also fixes 37 remote code execution vulnerabilities affecting the SQL Server Native Client OLE DB Provider, 20 Secure Boot bypass vulnerabilities, three PowerShell privilege escalation bugs, and a RADIUS protocol spoofing vulnerability (CVE-2024-3596 aka BlastRADIUS).
“(The SQL Server vulnerabilities) particularly affect the OLE DB provider, so not only will SQL Server instances need to be updated, but client code that runs vulnerable versions of the connection driver will also need to be addressed,” said Rapid7 Lead Product Manager Greg Wiseman.
“For example, an attacker could use social engineering tactics to force an authenticated user to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client.”
Rounding off the long list of patches is CVE-2024-38021 (CVSS Score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could allow an attacker to gain elevated privileges, including read, write, and delete functions.
Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a serious risk due to its zero-click nature.
“Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause significant damage without user interaction,” Michael Gorelick said. “The lack of authentication requirements makes this particularly dangerous because it opens the door to widespread exploitation.”
The patches arrive as Microsoft announced late last month that it will begin issuing CVE IDs for cloud-related security vulnerabilities in an effort to improve transparency.
Third-party software patches
Apart from Microsoft, other vendors have also released security updates over the past few weeks to fix several vulnerabilities, including –