Security operations · 2 MIN READ · MATT JASTRAM · JUL 10, 2024
This Patch Tuesday includes 143 published CVEs from Microsoft.
The July 2024 edition of Patch Tuesday is live, and our team reviewed the released patches (so you don’t have to). Here are our top takeaways.
Microsoft
Microsoft’s July release was massive at 143 patches—a big jump from 53 in June! Regarding exploit risk, this month’s patches address a few vulnerabilities that are already known to be exploited by attackers. Even as we wrote this, the CISA exploit database sent notifications for:
- CVE-2024-38112 Spoofing Vulnerability: This vulnerability uses a crafted file to spoof its file extension and launch Internet Explorer (although it is now a legacy browser, Internet Explorer is still part of the Windows operating system). Internet Explorer was retired in favor of more secure browsers, but this attack lets an attacker launch it and potentially execute other code. Attackers deliver the file via phishing and, according to Checkpoint, this vulnerability has been known and exploited at various points over the past year. If you want to learn more about it, we recommend Checkpoint’s article.
- CVE-2024-38080 Elevation-of-Privilege (EoP): A second zero day allows an attacker to reach “system” level privileges by exploiting a Hyper-V vulnerability. Ensure that access to servers running Hyper-V is restricted: they should not be directly exposed to the internet, and access to them should be limited even within the internal network. If attackers gain access to such a host and leverage this vulnerability, every virtual machine hosted on it is at serious risk. Patching this vulnerability adds another barrier for attackers and potentially buys more time to detect activity within your environment.
Out of the 143 total vulnerabilities, here are others that we found to be noteworthy:
- CVE-2024-38021 Microsoft Office Remote Code Execution Vulnerability: Attackers can leverage this Outlook vulnerability to execute arbitrary code, potentially leading to a data breach. Microsoft’s ‘important’ severity rating continues to be questioned by the original vulnerability reporter (see RCE Vulnerability Uncovered in Microsoft Outlook), and with good reason: it appears that in some situations the vulnerability requires no user interaction. We recommend patching as soon as you are able.
- CVE-2024-35264 .NET and Visual Studio Remote Code Execution Vulnerability: Yet another zero day. Microsoft states, “An attacker could exploit this [vulnerability] by closing an http/3 stream while the request body is being processed leading to a race condition,” which in turn leads to RCE. Multiple Visual Studio versions require updates, so we recommend taking action (i.e., updating).
- CVE-2024-38074, CVE-2024-38076, & CVE-2024-38077 Windows Remote Desktop Licensing Service (WRDLS) Remote Code Execution Vulnerabilities: Imagine creative attackers sending a well-crafted packet to a Remote Desktop licensing server and achieving RCE on a service you forgot was even enabled. We recommend patching, and if the WRDLS service is no longer needed, disabling it.
- CVE-2024-37985 Systematic Identification and Characterization of Proprietary Prefetchers: Intel assigned this CVE to impacted ARM-based operating systems. A successful threat actor could view heap memory belonging to a privileged process running on the server, potentially exposing sensitive information held in memory. Any time a third party like Intel takes measures to fix a vulnerability, take note and take advantage of the Windows updates Microsoft posted.
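As an added example (not code from the Expel post), the following PowerShell inventories the two exposures the list above tells you to check on a host: whether the Remote Desktop Licensing service is present (and optionally disables it, as recommended for WRDLS) and whether the Hyper-V role is installed so the host can be reviewed for network exposure. The service name `TermServLicensing`, the feature name `Microsoft-Hyper-V` and the function name are assumptions; confirm them against your Windows build before acting on the output.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumed names: RD Licensing service = 'TermServLicensing',
#                Hyper-V optional feature = 'Microsoft-Hyper-V'.
function Get-PatchTuesdayExposure {
    [CmdletBinding()]
    param(
        # When set, stop and disable the RD Licensing service if it is present.
        [switch]$DisableRdLicensing
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        RdLicensingState  = 'NotInstalled'
        RdLicensingAction = 'None'
        HyperVRole        = 'NotInstalled'
    }

    # Remote Desktop Licensing: the service only exists when the role is installed.
    $svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.RdLicensingState = "$($svc.Status) / StartType=$($svc.StartType)"
        if ($DisableRdLicensing) {
            if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
            Set-Service -Name $svc.Name -StartupType Disabled
            $result.RdLicensingAction = 'StoppedAndDisabled'
        }
    }

    # Hyper-V: flag hosts where the role is enabled so their network exposure
    # (no direct internet access, restricted internal access) can be reviewed.
    $hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' `
          -ErrorAction SilentlyContinue
    if ($hv -and $hv.State -eq 'Enabled') { $result.HyperVRole = 'Enabled' }

    [pscustomobject]$result
}

# Report only by default; add -DisableRdLicensing to act on the finding.
Get-PatchTuesdayExposure
```

Run it across your fleet (for example via `Invoke-Command`) to build a list of hosts that still need the WRDLS service reviewed or the Hyper-V patch prioritized.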
That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list), or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment, get in touch.