Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited

Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild.

Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.

The two security shortcomings that have come under exploitation are below -

• CVE-2024-38080 (CVSS score: 7.8) - Windows Hyper-V Elevation of Privilege Vulnerability
• CVE-2024-38112 (CVSS score: 7.5) - Windows MSHTML Platform Spoofing Vulnerability

“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment,” Microsoft said of CVE-2024-38112. “An attacker would have to send the victim a malicious file that the victim would have to execute.”

Check Point security researcher Haifei Li, who has been credited with discovering and reporting the flaw in May 2024, said that threat actors are leveraging specially-crafted Windows Internet Shortcut files (.URL) that, upon clicking, redirect victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.

“An additional trick on IE is used to hide the malicious .HTA extension name,” Li explained. “By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”

Artifacts employing the attack technique have been uploaded to the VirusTotal malware scanning platform as early as January 2023, indicating that threat actors have been aware of the loophole for over 1.5 years.

Check Point told The Hacker News that it observed the .URL samples being used to deliver an information stealer named Atlantida, which was documented by Rapid7 earlier this year as malware that enables the theft of login credentials, cryptocurrency wallets data, information stored in web browsers, screen captures, and hardware data.

The stealer malware campaign, which primarily singled out users in Turkey and Vietnam in mid-May 2024, is said to have abused compromised WordPress sites to launch attacks through HTML Application (.HTA) and PowerShell files to deliver Atlántida onto victim hosts.

Preliminary findings from Check Point suggest that at least two likely disparate threat groups are exploiting CVE-2024-38112 in concurrent campaigns as part of what’s suspected to be a financially motivated operation.

“We saw a chipset manufacturer company and a company that develops products for a better develop design [being targeted],” the company said. “Both are hi-tech companies, which could suggest a supply chain attack or interest in the product.”

“CVE-2024-38080 is an elevation of privilege flaw in Windows Hyper-V,” Satnam Narang, senior staff research engineer at Tenable, said. “A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise of a targeted system.”

While the exact specifics surrounding the abuse of CVE-2024-38080 is currently unknown, Narang noted that this is the first of the 44 Hyper-V flaws to come under exploitation in the wild since 2022.

Two other security flaws patched by Microsoft have been listed as publicly known at the time of the release. This includes a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9) that could enable an adversary to view heap memory from a privileged process running on Arm-based systems.

The second publicly disclosed vulnerability in question is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug impacting .NET and Visual Studio.

“An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition,” Redmond said in an advisory. “This could result in remote code execution.”

Also resolved as part of Patch Tuesday updates are 37 remote code execution flaws affecting the SQL Server Native Client OLE DB Provider, 20 Secure Boot security feature bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).

“[The SQL Server flaws] specifically affect the OLE DB Provider, so not only do SQL Server instances need to be updated, but client code running vulnerable versions of the connection driver will also need to be addressed,” Rapid7’s Lead Product Manager Greg Wiseman said.

“For example, an attacker could use social engineering tactics to dupe an authenticated user into attempting to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client.”

Rounding off the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could permit an attacker to gain high privileges, including read, write, and delete functionality.

Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a severe risk due to its zero-click nature.

“Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction,” Michael Gorelik said. “The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”

The fixes come as Microsoft announced late last month that it will begin issuing CVE identifiers for cloud-related security vulnerabilities going forward in an attempt to improve transparency.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors in the past few weeks to rectify several vulnerabilities, including —

• Adobe
• Amazon Web Services
• AMD
• Apple
• Arm
• Broadcom (including VMware)
• Cisco
• Citrix
• CODESYS
• D-Link
• Dell
• Drupal
• Emerson
• F5
• Fortinet
• Fortra FileCatalyst Workflow
• GitLab
• Google Android
• Google Chrome
• Google Cloud
• Google Pixel
• Google Wear OS
• Hitachi Energy
• HP
• HP Enterprise
• IBM
• Ivanti
• Jenkins
• Juniper Networks
• Lenovo
• Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
• MediaTek
• Mitsubishi Electric
• MongoDB
• Mozilla Firefox and Firefox ESR
• NETGEAR
• NVIDIA
• OpenSSH
• Progress Software
• QNAP
• Qualcomm
• Rockwell Automation
• Samsung
• SAP
• Schneider Electric
• Siemens
• Splunk
• Spring Framework
• TP-Link
• Veritas
• WordPress, and
• Zoom

(The story was updated after publication to include additional comments from Check Point.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.