Microsoft fixes two zero-days exploited by attackers (CVE-2024-38080, CVE-2024-38112)
For July 2024 Patch Tuesday, Microsoft has released security updates and patches that fix 142 CVEs, including two exploited zero-days (CVE-2024-38080, CVE-2024-38112) in Windows Hyper-V and Windows MSHTML Platform (respectively).
Zero-days exploited in the wild (CVE-2024-38080, CVE-2024-38112)
CVE-2024-38080 is a integer overflow or wraparound bug affecting Hyper-V, Windows’ native hypervisor for creating virtual machines on systems running Windows and Windows Server. Successful exploitation may allow attackers to gain SYSTEM privileges on the host machine, but initial local access is required to exploit the flaw, according to Microsoft.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, advises testing and deploying this update quickly on systems running Hyper-V. “While not specifically stated by Microsoft, let’s assume the worst-case scenario and say that an authorized user could be on a guest OS. Microsoft also does not state how widespread the exploitation is, but this exploit would prove quite useful for ransomware.”
CVE-2024-38112 is a spoofing vulnerability in Windows MSHTML Platform that can be triggered with a specially crafted HTML file.
“This vulnerability resides in the MSHTML (Trident) rendering engine, which is pivotal for rendering web content in Internet Explorer and other applications via embedded web browser controls,” Mike Walters, VP of Vulnerability and Threat Research at Action1, explained.
“The primary flaw stems from inadequate handling and exposure of resources, which could deceive users into believing that malicious content originates from a trusted source. This is due to insufficient validation and enforcement of resource access restrictions, leading to unauthorized exposure within the MSHTML library. Attackers could employ phishing tactics, sending emails with malicious attachments or links leading to spoofed websites. Upon interaction, malicious content could be rendered in a trusted context, misleading users to divulge sensitive information like login credentials or to install malware.”
Other vulnerabilities of note
Two CVEs fixed this month have been publicly disclosed prior to the release of the patches: CVE-2024-35264, a remote code execution flaw in .NET and Visual Studio, and CVE-2024-37985, an information disclosure flaw affecting Windows 11 on ARM64-based systems.
Among the critical vulnerabilities fixed are three (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077) affecting the Windows Remote Desktop Licensing Service. “An attacker could send a specially crafted packet to a server set up as a Remote Desktop Licensing server, which will cause remote code execution,” Microsoft says.
Patches are available, but risk of exploitation can also be temporarily lowered by disabling the service if is not required.
“Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Childs noted.
“If a bunch of these servers are Internet-connected, I would expect exploitation soon. Now is also a good time to audit your servers to ensure they aren’t running any unnecessary services.”
Tom Bowyer, Director IT Security at Automox says that school districts, government infrastructure, and SLED-type Windows environments are particularly vulnerable due to their widespread use of Remote Desktop services. “Ensuring these systems are patched promptly will help protect against potential attacks that could disrupt critical operations.”
Microsoft has also patched many vulnerabilities that could be used for lateral movement (once initial access is secured):
- 38 CVEs in SQL Server Native Client OLE DB allowing RCE if an authenticated user is tricked into connecting to a malicious SQL server database via a connection driver
- CVE-2024-38060, a bug in the Microsoft Windows Codecs Library which may allow an authenticated attacker to achieve RCE by upload a specially crafted TIFF image to an affected system.