Microsoft's July 2024 Patch Tuesday fixes 142 vulnerabilities, experts weigh in

Microsoft has rolled out its latest raft of security updates, tackling over 142 vulnerabilities, including two zero-day vulnerabilities that have been actively exploited and two publicly disclosed others. The July 2024 Patch Tuesday update addresses five critical vulnerabilities, all classified in the remote code execution (RCE) category. According to industry experts, these updates cover various software components, including Microsoft SharePoint Server, Windows Imaging Component, and the Windows Remote Desktop Licensing Service.

Tom Marsland, Vice President of Technology at Cloud Range and Board Chairman of VetSec, highlighted the significance of these fixes. "This month's patch Tuesday fixed five critical vulnerabilities, all of them being the more dangerous category of 'remote code execution' vulnerabilities," Marsland stated. He elaborated that these security flaws exist not only in Microsoft SharePoint Server and Windows Imaging Component but also within the Windows Remote Desktop Licensing Service, making them particularly concerning.

Marsland provided specific insights into the potential risks of these vulnerabilities, especially in internal corporate environments. "In SharePoint Server, a user with Site Owner privileges could upload a file allowing them to execute the server's code. This could be a very critical vector in the area of Insider Threats, where users with relatively low levels of access, such as a corporate intranet web editor, could gain system-level access on a network infrastructure server," he warned. He also advised disabling the Remote Desktop Licensing Service if it is not required in organisational environments and urged prompt updates to mitigate risks.

Adding to the insights, Satnam Narang, Senior Staff Research Engineer at Tenable, provided details on the zero-day vulnerabilities addressed in this month's patch. "Microsoft patched two zero-day vulnerabilities that were exploited in the wild," he confirmed. One of these is CVE-2024-38080, an elevation of privilege flaw in Windows Hyper-V. "A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level, following an initial compromise of a targeted system," Narang explained. He noted that, although specific details of the exploitation are not known, vulnerabilities such as this are often linked to targeted attacks conducted by advanced persistent threat (APT) groups.

Narang also highlighted the other zero-day vulnerability, CVE-2024-38112, a spoofing flaw in the Windows MSHTML platform. "This could be exploited by an unauthenticated, remote attacker if they convince a potential target to open a malicious file," said Narang. Despite its high complexity, this flaw has reportedly been exploited in the wild, though no further details were available at the time of the update's release.

He also highlighted a notable remote code execution flaw in Microsoft Office, CVE-2024-38021. This vulnerability could allow attackers to leak New Technology LAN Manager (NTLM) credentials. Narang drew parallels with a previous vulnerability, CVE-2023-23397, which was also leveraged to leak NTLM hashes. However, he pointed out a critical difference in the exploitation vectors, stating, "CVE-2024-38021 is limited by the fact that the Preview Pane is not an attack vector, meaning exploitation would not occur just by simply previewing the file, unlike its predecessor."

The July 2024 Patch Tuesday release has drawn attention from the cybersecurity community due to the breadth and severity of the vulnerabilities addressed. Marsland and Narang emphasised the urgency of applying these updates to shield against potential exploits. As cybersecurity threats continue to evolve, timely and comprehensive patching remains an essential practice for safeguarding organisational and personal data.