Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited


The Hacker News

Endpoint Security / Vulnerability

Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild.

Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.

The two security shortcomings that have come under exploitation are listed below:

  • CVE-2024-38080 (CVSS score: 7.8) - Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2024-38112 (CVSS score: 7.5) - Windows MSHTML Platform Spoofing Vulnerability

“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment,” Microsoft said of CVE-2024-38112. “An attacker would have to send the victim a malicious file that the victim would have to execute.”

Check Point security researcher Haifei Li, who has been credited with discovering and reporting the flaw in May 2024, said that threat actors are leveraging specially crafted Windows Internet Shortcut files (.URL) that, when clicked, redirect victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.

“An additional trick on IE is used to hide the malicious .HTA extension name,” Li explained. “By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”
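For defenders triaging the Internet Shortcut files described above, the following is an added example (not code from the article, Check Point, or Microsoft) that parses .url files and flags any whose target is not a plain web link or ends in the .HTA extension the article mentions. The http/https allow-list, the function names, and the sample hosts and paths are assumptions made for illustration.

```python
import configparser
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: local policy, not from the article
FLAGGED_EXTENSIONS = (".hta",)        # the article names .HTA as the hidden payload type

def parse_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file, keys lower-cased."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str.lower
    parser.read_string(text.lstrip("\ufeff"))
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}

def triage_shortcut(text):
    """Return a list of findings (an empty list means nothing to review)."""
    try:
        fields = parse_shortcut(text)
    except configparser.Error:
        return ["unparseable shortcut file"]
    target = fields.get("url", "").strip()
    if not target:
        return ["no URL= entry in [InternetShortcut]"]
    try:
        parts = urlsplit(target)
    except ValueError:
        return ["URL= value is not a parseable URL"]
    findings = []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        findings.append(f"URL scheme {parts.scheme or '(none)'!r} is not http/https")
    if parts.path.lower().endswith(FLAGGED_EXTENSIONS):
        findings.append("URL target ends in a flagged extension")
    return findings

def scan_tree(root):
    """Map each .url file under root to its findings, skipping clean files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            text = path.read_bytes().decode("utf-8", errors="replace")
            findings = triage_shortcut(text)
            if findings:
                report[str(path)] = findings
    return report

# Constructed samples for illustration; hosts and paths are made up.
BENIGN = "[InternetShortcut]\nURL=https://example.com/docs/report.pdf\n"
SUSPECT = "[InternetShortcut]\nURL=file://fileserver.example/share/Books.hta\nIconIndex=1\n"
```

Running `scan_tree` over download and mail-attachment folders gives a short review list; files that fail to parse are reported rather than silently skipped.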

“CVE-2024-38080 is an elevation of privilege flaw in Windows Hyper-V,” Satnam Narang, senior staff research engineer at Tenable, said. “A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise of a targeted system.”

While the exact specifics surrounding the abuse of CVE-2024-38080 are currently unknown, Narang noted that this is the first of the 44 Hyper-V flaws to come under exploitation in the wild since 2022.

Two other security flaws patched by Microsoft have been listed as publicly known at the time of the release. This includes a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9) that could enable an adversary to view heap memory from a privileged process running on Arm-based systems.

The second publicly disclosed vulnerability in question is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug impacting .NET and Visual Studio.

“An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition,” Redmond said in an advisory. “This could result in remote code execution.”

Also resolved as part of Patch Tuesday updates are 37 remote code execution flaws affecting the SQL Server Native Client OLE DB Provider, 20 Secure Boot security feature bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).

"[The SQL Server flaws] specifically affect the OLE DB Provider, so not only do SQL Server instances need to be updated, but client code running vulnerable versions of the connection driver will also need to be addressed," Rapid7’s Lead Product Manager Greg Wiseman said.

“For example, an attacker could use social engineering tactics to dupe an authenticated user into attempting to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client.”

Rounding off the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could permit an attacker to gain high privileges, including read, write, and delete functionality.

Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a severe risk due to its zero-click nature.

“Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction,” Michael Gorelik said. “The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”

The fixes come as Microsoft announced late last month that it will begin issuing CVE identifiers for cloud-related security vulnerabilities going forward in an attempt to improve transparency.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors in the past few weeks to rectify several vulnerabilities, including:

  • Adobe
  • Amazon Web Services
  • AMD
  • Apple
  • Arm
  • Broadcom (including VMware)
  • Cisco
  • Citrix
  • CODESYS
  • D-Link
  • Dell
  • Drupal
  • Emerson
  • F5
  • Fortinet
  • Fortra FileCatalyst Workflow
  • GitLab
  • Google Android
  • Google Chrome
  • Google Cloud
  • Google Pixel
  • Google Wear OS
  • Hitachi Energy
  • HP
  • HP Enterprise
  • IBM
  • Ivanti
  • Jenkins
  • Juniper Networks
  • Lenovo
  • Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • MongoDB
  • Mozilla Firefox and Firefox ESR
  • NETGEAR
  • NVIDIA
  • OpenSSH
  • Progress Software
  • QNAP
  • Qualcomm
  • Rockwell Automation
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • Splunk
  • Spring Framework
  • TP-Link
  • Veritas
  • WordPress, and
  • Zoom
