Microsoft has launched patches to handle a complete of 143 security flaws as a part of its month-to-month security updates, two of which have come below energetic exploitation within the wild.
5 out of the 143 flaws are rated Important, 136 are rated Essential, and 4 are rated Reasonable in severity. The fixes are along with 33 vulnerabilities which have been addressed within the Chromium-based Edge browser over the previous month.
The 2 security shortcomings which have come below exploitation are under –
- CVE-2024-38080 (CVSS rating: 7.8) – Home windows Hyper-V Elevation of Privilege Vulnerability
- CVE-2024-38112 (CVSS rating: 7.5) – Home windows MSHTML Platform Spoofing Vulnerability
“Profitable exploitation of this vulnerability requires an attacker to take extra actions previous to exploitation to organize the goal atmosphere,” Microsoft stated of CVE-2024-38112. “An attacker must ship the sufferer a malicious file that the sufferer must execute.”
Test Level security researcher Haifei Li, who has been credited with discovering and reporting the flaw in Could 2024, stated that menace actors are leveraging specially-crafted Home windows Web Shortcut recordsdata (.URL) that, upon clicking, redirects victims to a malicious URL by invoking the retired Web Explorer (IE) browser.
“An extra trick on IE is used to cover the malicious .HTA extension identify,” Li defined. “By opening the URL with IE as an alternative of the fashionable and way more safe Chrome/Edge browser on Home windows, the attacker gained important benefits in exploiting the sufferer’s pc, though the pc is working the fashionable Home windows 10/11 working system.”
“CVE-2024-38080 is an elevation of privilege flaw in Home windows Hyper-V,” Satnam Narang, senior workers analysis engineer at Tenable, stated. “A neighborhood, authenticated attacker may exploit this vulnerability to raise privileges to SYSTEM stage following an preliminary compromise of a focused system.”
Whereas the precise specifics surrounding the abuse of CVE-2024-38080 is at the moment unknown, Narang famous that that is the primary of the 44 Hyper-V flaws to return below exploitation within the wild since 2022.
Two different security flaws patched by Microsoft have been listed as publicly identified on the time of the discharge. This features a side-channel assault referred to as FetchBench (CVE-2024-37985, CVSS rating: 5.9) that would allow an adversary to view heap reminiscence from a privileged course of working on Arm-based methods.
The second publicly disclosed vulnerability in query is CVE-2024-35264 (CVSS rating: 8.1), a distant code execution bug impacting .NET and Visible Studio.
“An attacker may exploit this by closing an http/3 stream whereas the request physique is being processed resulting in a race situation,” Redmond stated in an advisory. “This might end in distant code execution.”
Additionally resolved as a part of Patch Tuesday updates are 37 distant code execution flaws affecting the SQL Server Native Shopper OLE DB Supplier, 20 Safe Boot security characteristic bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability within the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).
“[The SQL Server flaws] particularly have an effect on the OLE DB Supplier, so not solely do SQL Server situations must be up to date, however shopper code working weak variations of the connection driver may even must be addressed,” Rapid7’s Lead Product Supervisor Greg Wiseman stated.
“For instance, an attacker may use social engineering techniques to dupe an authenticated person into making an attempt to hook up with a SQL Server database configured to return malicious knowledge, permitting arbitrary code execution on the shopper.”
Rounding off the lengthy checklist of patches is CVE-2024-38021 (CVSS rating: 8.8), a distant code execution flaw in Microsoft Workplace that, if efficiently exploited, may allow an attacker to realize excessive privileges, together with learn, write, and delete performance.
Morphisec, which reported the flaw to Microsoft in late April 2024, stated the vulnerability doesn’t require any authentication and poses a extreme danger as a result of its zero-click nature.
“Attackers may exploit this vulnerability to realize unauthorized entry, execute arbitrary code, and trigger substantial injury with none person interplay,” Michael Gorelik stated. “The absence of authentication necessities makes it notably harmful, because it opens the door to widespread exploitation.”
The fixes come as Microsoft introduced late final month that it’ll start issuing CVE identifiers for cloud-related security vulnerabilities going ahead in an try to enhance transparency.
Software program Patches from Different Distributors
Along with Microsoft, security updates have additionally been launched by different distributors prior to now few weeks to rectify a number of vulnerabilities, together with —
