By Satnam Narang, Sr. Staff Research Engineer, Tenable
Microsoft addresses 138 CVEs in its July 2024 Patch Tuesday release, with five critical vulnerabilities and three zero-day vulnerabilities, two of which were exploited in the wild. Remote Code Execution (RCE) vulnerabilities accounted for 42.8% of the vulnerabilities patched this month, followed by Elevation of Privilege (EoP) and Security Feature Bypass vulnerabilities, each at 17.4%.
“CVE-2024-38080 is an elevation of privilege flaw in Windows Hyper-V. A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise of a targeted system. This flaw was exploited in the wild, though we don’t know specifics surrounding the in-the-wild exploitation. However, as with most elevation of privilege flaws, we know that vulnerabilities like these that show up in Patch Tuesday releases as zero-days are linked to some type of targeted attack typically conducted by an advanced persistent threat (APT) group. Since 2022, there have been 44 vulnerabilities in Windows Hyper-V, though this is the first one to have been exploited in the wild to our knowledge.
“CVE-2024-38112 is a spoofing vulnerability in the Windows MSHTML Platform that could be exploited by an unauthenticated, remote attacker if they convince a potential target to open a malicious file. However, Microsoft notes that the complexity for this vulnerability is high, which means that an attacker would need to take additional steps beforehand to create the ideal conditions for successful exploitation. Despite this requirement, this flaw has reportedly been exploited in the wild, though no details were available at the time of the Patch Tuesday release.
“Another flaw that stood out is a Microsoft Office remote code execution flaw (CVE-2024-38021). This vulnerability could be exploited by attackers to leak New Technology LAN Manager (NTLM) credentials. One of the more successful attack campaigns from 2023 used CVE-2023-23397, an elevation of privilege bug in Microsoft Outlook that could also leak NTLM hashes. However, CVE-2024-38021 is limited by the fact that the Preview Pane is not an attack vector, which means that exploitation would not occur simply by previewing the file, whereas this was the case with CVE-2023-23397.”