Microsoft has released patches to address 143 security flaws as part of its monthly updates, with two of these vulnerabilities currently being exploited in the wild.
Of the 143 flaws, five are rated Critical, 136 are Important, and four are Moderate in severity. These fixes come in addition to 33 vulnerabilities that have been resolved in the Chromium-based Edge browser over the past month.
The two actively exploited vulnerabilities are:
- CVE-2024-38080 (CVSS score: 7.8) – Windows Hyper-V Elevation of Privilege Vulnerability
- CVE-2024-38112 (CVSS score: 7.5) – Windows MSHTML Platform Spoofing Vulnerability
Regarding CVE-2024-38112, Microsoft explained, “Exploiting this vulnerability requires an attacker to perform additional actions to set up the target environment. An attacker would need to send a malicious file that the victim must execute.”
Check Point security researcher Haifei Li, who discovered and reported the flaw in May 2024, noted that threat actors are using specially crafted Windows Internet Shortcut files (.URL). Clicking these files redirects victims to a malicious URL via the retired Internet Explorer (IE) browser.
“An additional trick on IE is used to hide the malicious .HTA extension name,” Li explained. “By opening the URL with IE instead of the more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, even on modern Windows 10/11 systems.”
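Defenders can triage Internet Shortcut files at a mail gateway or on disk by reading the `URL=` entry and flagging targets that are not plain web links or that point at an .hta file. The Python below is an added example, not code from Microsoft or Check Point; the allowed-scheme policy, the finding labels, the sample hosts and the `example-handler` scheme are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for shortcuts from mail or downloads
FLAGGED_EXTENSIONS = (".hta",)       # the extension named in the article


def shortcut_target(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def triage(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    target = shortcut_target(text)
    if target is None:
        return ["no-url-entry"]
    parts = urlsplit(target)
    findings = []
    if parts.scheme not in ALLOWED_SCHEMES:
        findings.append(f"scheme:{parts.scheme or 'none'}")
    path = parts.path.lower()
    ext = next((e for e in FLAGGED_EXTENSIONS if path.endswith(e)), None)
    if ext:
        findings.append(f"extension:{ext}")
    return findings


# Constructed sample contents; hosts and the "example-handler" scheme are placeholders.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://intranet.example.test/wiki\r\n",
    "hta.url": "[InternetShortcut]\r\nURL=https://files.example.test/Report.HTA\r\nIconIndex=1\r\n",
    "handler.url": "[InternetShortcut]\r\nurl=example-handler:https://files.example.test/a.hta\r\n",
    "empty.url": "[InternetShortcut]\r\nIconIndex=1\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body) or "ok")
```

A non-empty result is a reason to quarantine the shortcut for review, not proof of exploitation.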
Satnam Narang, senior staff research engineer at Tenable, described CVE-2024-38080 as an elevation of privilege flaw in Windows Hyper-V. “A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial system compromise,” Narang said.
Though the specifics of exploiting CVE-2024-38080 are currently unknown, Narang noted it is the first of the 44 Hyper-V flaws to be exploited in the wild since 2022.
Two other vulnerabilities patched by Microsoft were publicly known at the time of the release. One is a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9), which could allow an adversary to view heap memory from a privileged process on Arm-based systems.
The second publicly disclosed vulnerability is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug affecting .NET and Visual Studio. “An attacker could exploit this by closing an HTTP/3 stream while the request body is processed, leading to a race condition,” Microsoft said in an advisory. “This could result in remote code execution.”
Additionally, the Patch Tuesday updates addressed 37 remote code execution flaws in the SQL Server Native Client OLE DB Provider, 20 Secure Boot security bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).
“[The SQL Server flaws] specifically affect the OLE DB Provider, so not only do SQL Server instances need updating, but client code running vulnerable versions of the connection driver will also need addressing,” said Rapid7’s Lead Product Manager Greg Wiseman.
“For example, an attacker could use social engineering tactics to trick an authenticated user into connecting to a malicious SQL Server database, allowing arbitrary code execution on the client.”
Rounding off the patch list is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office. If exploited, it could allow an attacker to gain high privileges, including read, write, and delete capabilities.
Morphisec, which reported the flaw to Microsoft in late April 2024, highlighted the zero-click nature of the vulnerability. “Attackers could exploit this to gain unauthorized access, execute arbitrary code, and cause substantial damage without user interaction,” Michael Gorelik said. “The lack of authentication requirements makes it particularly dangerous, opening the door to widespread exploitation.”
These updates follow Microsoft’s announcement last month that it will begin issuing CVE identifiers for cloud-related security vulnerabilities to improve transparency.