Critical Windows Licensing Bugs – Plus Two Others Attacked – Top Patch Tuesday

Patch Tuesday: Clear your Microsoft sysadmin log. Redmond’s July Patch Tuesday pack is terrible, with at least two bugs under active exploitation.

Tuesday’s software updates target more than 130 Microsoft CVEs.

The first of the two vulnerabilities with an active exploit — CVE-2024-38080 — is a Windows Hyper-V elevation of privilege flaw with a CVSS rating of 7.8 out of 10, which Microsoft deemed “critical.”

We don’t know how widespread exploitation of this vulnerability is, although Microsoft notes that “a hacker who successfully exploited this vulnerability could gain system privileges.” Also, as Dustin Childs of the Zero Day Initiative pointed out, this exploit will prove to be quite useful for ransomware. If you are using Hyper-V, test and deploy this update.

The second bug reported to have been discovered and exploited by criminals before Redmond released a patch is a Windows MSHTML Platform spoofing vulnerability tracked as CVE-2024-38112, which received a 7.5 CVSS severity score. MSHTML (aka Trident) is Microsoft’s proprietary browser engine for Internet Explorer.

Exploitation requires user interaction. As Redmond explained, “An attacker would have to send the victim a malicious file that the victim would have to execute.” Haifei Li of Check Point Research discovered and reported the flaw.

The impact of exploitation is unclear, although it appears to expose information or resources to the wrong party. Given the prevalence of successful social engineering attacks recently, and the fact that Microsoft has already discovered an exploit for this CVE, bear in mind what we’ve seen time and time again: getting users to click on malicious links is pretty darn easy. So fix this before your next bad click triggers CVE-2024-38112.

The first of two CVEs listed as publicly disclosed but not publicly exploited is CVE-2024-35264 – Remote Code Execution Vulnerability in .NET and Visual Studio. To exploit this, an attacker would need to induce a race condition to allow inappropriate data access. But they could use it to achieve remote code execution (RCE).

According to Redmond, “An attacker could exploit this by closing an http/3 stream while the request body is being processed, leading to a race condition.” Microsoft’s own Radek Zikmund discovered this flaw.

The second known but unexploited bug – CVE-2024-37985 – affects Redmond’s Arm-based operating systems and received a 5.9 CVSS score. This is a side-channel attack from 2023 called FetchBench that can be abused to leak sensitive information.

Five critical Microsoft CVEs

Of the remaining Microsoft CVEs, five are of critical severity, and three of them (CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077) are 9.8-rated RCE bugs in the Windows Remote Desktop Licensing Service. Redmond rated all three as “exploitation less likely.”

Regarding CVE-2024-38077, Childs of the Zero Day Initiative said that “exploiting this should be easy, as any unauthorized user can execute their code simply by sending a malicious message to an affected server.”

He recommended making sure these servers are not accessible over the Internet. “If several of these servers are connected to the Internet, I would expect an exploit soon,” Childs warned. “Now is also a good time to check your servers to make sure they aren’t running unnecessary services.”

Microsoft’s other two critical bugs include CVE-2024-38060, an RCE rated 8.8 in the Windows Imaging Component that can be exploited by any authenticated user uploading a malicious TIFF file to a server.

Also of note is CVE-2024-38023, a 7.2 flaw in Microsoft SharePoint Server that can also lead to RCE. “An authenticated attacker with site owner permissions could use the vulnerability to inject arbitrary code and execute that code in the context of SharePoint Server,” Redmond explained.

Adobe brightens

Adobe’s monthly patch dump covers just three products and seven CVEs—none of which appear to have been discovered and exploited by criminals.

That’s the good news. The bad news is that six of the seven are critical bugs that can lead to arbitrary code execution.

Today’s updates address one critical vulnerability – CVE-2024-34123 – in Adobe Premiere Pro, and four other critical vulnerabilities – CVE-2024-20781, CVE-2024-20782, CVE-2024-20783, CVE-2024-20785 – in InDesign. The patches for Adobe Bridge fix two vulnerabilities, one of which (CVE-2024-34139) is rated critical, while the other (CVE-2024-34140) is rated important because it could allow a memory leak.

SAP Security Notes

SAP has released 18 new and updated fixes, two of which are high priority fixes.

Security Note #3483344 is the most critical of the bunch. This is a missing permission check vulnerability in SAP Product Design Cost Estimating (PDCE) that earned a 7.7 CVSS score.

“A remotely activated function module in SAP PDCE allows a remote attacker to read shared data from tables and thus exposes system confidentiality to a high risk,” warned Thomas Fritsch, SAP security researcher at Onapsis Research Labs. “The patch disables the vulnerable function module.”

Fortinet fixes flaws

Fortinet fixed a cross-site scripting vulnerability tracked as CVE-2024-26006 in FortiOS and the web SSL VPN user interface of FortiProxy. This “may allow a remote, unauthorized attacker to perform a Cross-Site Scripting attack by socially engineering the target user to tag a malicious samba server, then opens the tag,” the vendor warned.

The infosec vendor also fixed CVE-2024-26015 in the IP address validation feature of FortiOS and FortiProxy. This is a bug that can be abused by an unauthorized attacker to bypass the IP block list via specially crafted requests.

Citrix is joining the party

Citrix addresses CVE-2024-6151 and CVE-2024-6286, both 8.5-rated privilege escalation vulnerabilities in the Windows Virtual Delivery Agent and the Citrix Workspace app, that could allow a low-privileged user to gain system privileges.

Citrix Workspace app is a client for virtual desktops and apps and is deployed on many not-so-strictly managed endpoints, making this a bug that deserves your attention.

And… Android

Ending the patch party in July, Google released fixes for 27 CVEs in Android. The worst of the bunch is CVE-2024-31320, a critical security vulnerability in the Framework component that could lead to local privilege escalation without requiring additional privileges to execute.