Getty Images
Microsoft fixes 2 zero-days in massive July Patch Tuesday
Microsoft disclosed and patched a whopping 142 vulnerabilities in a busy Patch Tuesday that included two zero-day flaws under active exploitation in the wild.
Microsoft addressed 142 flaws in a busy July Patch Tuesday, including two zero-day vulnerabilities that are under active exploitation.
The zero-day vulnerabilities include CVE-2024-38080, a privilege escalation flaw in Microsoft's Hyper-V virtualization software that affects Windows 11 and Windows Server 2022. The vulnerability received a 7.8 CVSS score and was rated as important. Microsoft's advisory for CVE-2024-38080 said exploitation has been detected, though the scope of activity is unclear. The advisory also said the flaw was reported to Microsoft by an anonymous individual.
The second zero-day bug patched was CVE-2024-38112, a spoofing vulnerability in the Windows MSHTML platform. The flaw received a 7.5 CVSS score and was also rated important. Exploitation of the flaw enables an attacker to send malicious files through the network, though Microsoft noted in the advisory that it requires "additional actions prior to exploitation to prepare the target environment."
"Attackers can remotely exploit this flaw if they're somewhere on your network already, which is not a hard thing to do," Chris Goettl, vice president of security product management at Ivanti, told TechTarget Editorial. "This affects all Windows OS versions, even as far back as Windows Server 2008."
Microsoft credited Haifei Li of Check Point Software Technologies with discovering and reporting CVE-2024-38112. In a post on X, formerly Twitter, Li expressed frustration with Microsoft, saying the software giant disclosed and patched the flaw earlier than expected and without notifying Check Point of the schedule change.
Additional vulnerabilities
Microsoft also patched two other vulnerabilities it categorized as zero-days because the flaws were made public -- though not exploited in the wild -- before their official disclosure in this month's Patch Tuesday.
The first was CVE-2024-35264, a remote code execution vulnerability affecting .NET version 8.0 and Visual Studio 2022. The RCE flaw received an 8.1 CVSS score and was rated as important. Microsoft's advisory said successful exploitation of the flaw requires the attacker to win a race condition. The company did not say who first publicized CVE-2024-35264 or where it was made public. However, Microsoft employee Radek Zikmund was credited with discovering the flaw.
The second disclosed zero-day vulnerability was CVE-2024-37985, an information disclosure flaw in Windows 11 versions for Arm64-based systems; it was given a 5.9 CVSS score and also rated as important. According to Microsoft, an attacker could exploit the vulnerability to view heap memory from privileged processes on a targeted server.
The attack complexity for CVE-2024-37985 is considered high, and exploitation is "less likely," according to Microsoft's advisory. However, Goettl said organizations should prioritize the vulnerability.
"A privileged process is one that's going to have a lot more sensitive information," Goettl said. "Chances of exploitation are lower, but because it's been disclosed, it gives threat actors a bit more of an idea of where to look for this [flaw]. The risk is higher than, say, even some critical flaws that don't have a disclosure related to them."
In addition to the two disclosure-related zero-days, Microsoft patched CVE-2024-38060, an RCE flaw affecting the Windows Imaging Component, which is a framework for processing images. The vulnerability received an 8.8 CVSS score and was rated critical. An attacker could exploit the flaw by uploading a malicious TIFF file to a targeted server.
The massive Patch Tuesday included 38 RCE vulnerabilities in SQL Server alone. Goettl said 142 vulnerabilities is definitely "on the high side," but users shouldn't be alarmed.
"When this much volume comes out, you typically want to hit the big ones quickly," he said. "With the OS and SQL Server updates this month, you take two huge chunks out of that 142."
Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.