Microsoft has patched two zero-day bugs under active exploitation and a further three that were publicly disclosed in this month’s Patch Tuesday update round.
CVE-2024-43572 is a remote code execution (RCE) vulnerability in the Microsoft Management Console with a CVSS score of 7.8.
It’s unclear how it has been exploited in the wild, but threat actors could pair it with phishing, privilege escalation or network propagation attacks to achieve data exfiltration, lateral movement, system compromise and deployment of backdoors, according to Action1 president, Mike Walters.
“Given the widespread use of Windows-based systems in corporate and government settings, CVE-2024-43572 poses a considerable risk,” he warned.
“It’s estimated that millions of endpoints, particularly those in organizations using MMC for administrative tasks and policy enforcement, are vulnerable – especially those that have not installed the necessary security update to block execution from untrusted MSC files. This threat is especially acute in environments with less technically aware end-users or extensive digital footprints.”
Read more on Patch Tuesday: Microsoft Fixes Four Zero-Days in July Patch Tuesday
A second exploited zero-day, CVE-2024-43573, is a Windows MSHTML platform spoofing vulnerability, which enables threat actors to trick users into believing they are visiting a legitimate site in order to harvest information or inject malicious payloads.
Although it only has a CVSS score of 6.5, it could lead to a “significant” risk of phishing or data compromise, according to Walters.
“Given the extensive use of MSHTML within Windows environments and its integration into various web-centric applications, a significant number of enterprises, especially those in sectors like finance and e-commerce that rely heavily on web interactions, are potentially at risk,” he added.
“Organizations with less robust perimeter defenses are particularly vulnerable to these threats.”
Three More Zero-Days Not Yet Exploited
The publicly disclosed zero-days patched yesterday which have yet to be exploited are:
- CVE-2024-6197: An open source Curl RCE vulnerability, which has a CVSS score of 8.8 and could enable man-in-the-middle attacks
- CVE-2024-43583: A Winlogon elevation-of-privilege bug, which could grant a threat actor admin rights to access a target network
- CVE-2024-20659: A Windows Hyper-V security feature bypass vulnerability, which could allow attackers to compromise the hypervisor and kernel, although they’d need physical access to a device and to reboot it
In total, Microsoft addressed 118 CVEs yesterday, the third-highest number in the past year.
Image credit: CHERRY.JUICE / Shutterstock.com