Sysadmins have a busy time ahead this month after Microsoft issued updates for over 140 CVEs, including four zero-day vulnerabilities.
The zero-days are as follows:
- CVE-2024-38080 is an elevation of privilege (EoP) vulnerability affecting Microsoft Hyper-V virtualization. It has been actively exploited in the wild to give attackers system-level privileges
- CVE-2024-38112 is a spoofing vulnerability affecting Microsoft’s MSHTML browser engine impacting all versions of Windows. User interaction is required for exploitation, which has been observed in the wild
- CVE-2024-35264 is a publicly disclosed remote code execution (RCE) vulnerability in .NET and Visual Studio. An attacker could exploit the bug by “closing an http/3 stream while the request body is being processed leading to a race condition” – leading to RCE, Microsoft explained
- CVE-2024-37985 is described as "Systematic Identification and Characterization of Proprietary Prefetchers." An attacker who successfully exploits the bug could view heap memory from a privileged process running on the server, although this requires “additional actions prior to exploitation to prepare the target environment"
RCE Vulnerabilities
Microsoft patched five critical RCE vulnerabilities in this July's Patch Tuesday.
First, a SharePoint vulnerability CVE-2024-38023 has been identified. "[It] could allow an authenticated attacker with site owner permissions or higher to upload a specially crafted file to a SharePoint Server, then craft malicious API requests to trigger deserialisation of the file's parameters, thus enabling them to achieve remote code execution in the context of the SharePoint server,” explained Rapid7 product manager, Greg Wiseman.
Next, CVE-2024-38060 is a bug in the Windows Imaging Component related to TIFF (Tagged Image File Format) image processing, which could enable execution of arbitrary code on a targeted system.
The final three RCE vulnerabilities – CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077 – relate to the Windows Remote Desktop Licensing Service, and have CVSS base score of 9.8.
“If you rely on the Remote Desktop licensing service, best get patching immediately,” urged Wiseman. “As a mitigation, consider disabling the service entirely until there is an opportunity to apply the update.”
Read more on Patch Tuesday: Microsoft Fixes Three Zero-Days in May Patch Tuesday.