Patch Tuesday has revealed 139 vulnerabilities
This July 2024 Patch Tuesday, Microsoft is addressing 139 vulnerabilities, a high count by the standards of a typical month, and has also republished details for four CVEs issued by other vendors that affect Microsoft products. Microsoft also has evidence of in-the-wild exploitation for two of the vulnerabilities published today.
At the time of writing, none of the vulnerabilities patched today are listed in CISA's Known Exploited Vulnerabilities catalogue, though we can expect CVE-2024-38080 and CVE-2024-38112 to appear there in short order. Microsoft is also patching five critical remote code execution (RCE) vulnerabilities today.
Windows Hyper-V: zero-day EoP
CVE-2024-38080 is an elevation of privilege (EoP) vulnerability affecting Microsoft's Hyper-V virtualisation functionality. Successful exploitation gives an attacker SYSTEM-level privileges. Only more recent editions of Windows are affected: Windows 11 (21H2 and later) and Windows Server 2022, including the Server Core installation option.
Windows MSHTML Platform: zero-day Spoofing
The other vulnerability seen exploited in the wild this month is CVE-2024-38112, a Spoofing vulnerability affecting Microsoft's MSHTML browser engine, which is present on all supported versions of Windows, including Server editions. User interaction is required for exploitation: for example, a threat actor would need to send the victim a malicious file and convince them to open it. Microsoft is characteristically cagey about what exactly can be spoofed here, though it does indicate that the associated Common Weakness Enumeration (CWE) is CWE-668: Exposure of Resource to Wrong Sphere, defined as providing unintended actors with inappropriate access to a resource.
SharePoint: critical post-auth RCE
Similar to a vulnerability seen in May, CVE-2024-38023 is a SharePoint vulnerability that could allow an authenticated attacker with Site Owner permissions or higher to upload a specially crafted file to a SharePoint Server, then craft malicious API requests to trigger deserialisation of the file's parameters, thus enabling them to achieve remote code execution in the context of the SharePoint Server. The CVSS base score of 7.2 reflects the requirement of Site Owner privileges or higher to exploit the vulnerability.
Windows Imaging: critical RCE
All supported versions of Windows (and almost certainly unsupported versions as well) are vulnerable to CVE-2024-38060, a flaw in the Windows Imaging Component related to TIFF (Tagged Image File Format) image processing that could allow an attacker to execute arbitrary code on a system. The example scenario Microsoft provides is simply of an authenticated attacker uploading a specially crafted TIFF image to a server in order to exploit this.
Remote Desktop Licensing Service: multiple critical RCEs
Three critical CVEs related to the Windows Remote Desktop Licensing Service were patched this month: CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077. All three carry a CVSS 3.1 base score of 9.8, so if you rely on the Remote Desktop Licensing Service, best get patching immediately. The service only runs on hosts where the Remote Desktop Licensing role has been installed, so the exposed population is the license servers themselves rather than every Windows box. As a mitigation, consider stopping and disabling the service entirely until there is an opportunity to apply the update, bearing in mind that RD Session Hosts will not be able to obtain new client access licenses from that server while it is down.
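One way to apply that stopgap mitigation, as an added example that is not part of the original post or Microsoft's advisory: the script below records the current state of the Remote Desktop Licensing service (service name `TermServLicensing`), stops it, sets it to Disabled, and can later be re-run with `-Restore` to put it back once the update is installed. It assumes an elevated PowerShell session on the license server; the state-file path under `%ProgramData%` is an arbitrary choice for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): temporarily disable the
# Remote Desktop Licensing service and keep enough state to undo it later.
[CmdletBinding()]
param(
    [switch]$Restore   # re-run with -Restore after patching to undo the change
)

$ServiceName = 'TermServLicensing'   # display name: "Remote Desktop Licensing"
$StateFile   = Join-Path $env:ProgramData 'rdlicensing-mitigation.json'  # assumed location

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "$ServiceName is not installed on this host; nothing to do."
    return
}

if ($Restore) {
    if (-not (Test-Path $StateFile)) { throw "No saved state found at $StateFile" }
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    Set-Service -Name $ServiceName -StartupType $saved.StartupType
    if ($saved.Status -eq 'Running') { Start-Service -Name $ServiceName }
    Remove-Item -Path $StateFile
    Write-Host "Restored $ServiceName to StartupType=$($saved.StartupType), Status=$($saved.Status)"
    return
}

# Win32_Service exposes StartMode (Auto/Manual/Disabled); map it onto the
# values Set-Service -StartupType accepts so the restore path can reuse it.
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$startupType = switch ($cim.StartMode) {
    'Auto'     { 'Automatic' }
    'Manual'   { 'Manual' }
    default    { 'Disabled' }
}

# Record prior state before touching anything, so the mitigation is reversible.
[pscustomobject]@{
    StartupType = $startupType
    Status      = $svc.Status.ToString()
    Recorded    = (Get-Date).ToString('o')
} | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8

if ($svc.Status -eq 'Running') {
    Stop-Service -Name $ServiceName -Force
}
Set-Service -Name $ServiceName -StartupType Disabled

# Verify the result rather than trusting the calls succeeded silently.
$after = Get-Service -Name $ServiceName
Write-Host "$ServiceName is now $($after.Status) and set to Disabled; prior state saved to $StateFile"
```

Run it once on each RD license server to apply the mitigation, and again with `-Restore` after the July update has been installed and the host rebooted. Disabling rather than merely stopping the service matters here because a reboot would otherwise bring it back with its original startup type.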
SQL Server
Microsoft has patched a host of CVEs affecting SQL Server, many with a CVSS 3.1 base score of 8.8 and allowing RCE. These specifically affect the OLE DB Provider, so not only do SQL Server instances need to be updated, but any client machines and application servers running a vulnerable version of the OLE DB Driver for SQL Server will also need to be addressed. For example, an attacker could use social engineering tactics to dupe an authenticated user into connecting to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client.
Lifecycle update
Also in SQL Server news this month, Microsoft SQL Server 2014 moves past the end of extended support. From this point onward, Microsoft will only provide SQL Server 2014 security updates to customers who pay for the Extended Security Updates program.
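The two SQL Server items above (vulnerable OLE DB client drivers, and SQL Server 2014 leaving extended support) both come down to knowing what is installed where. The following inventory script is an added example, not code from the original post or from Microsoft: it reads the registry keys SQL Server setup writes to list database engine instances with their build numbers, flags engine major version 12 (SQL Server 2014) and older as out of support, and lists installed OLE DB Driver and SQL Server Native Client versions from the Uninstall hives and the driver DLLs. It assumes an elevated session on 64-bit Windows. The fixed driver build numbers are deliberately not hard-coded; the `$fixedDriverVersions` table is a placeholder for the operator to fill in from the advisory.

```powershell
# Added example (not from the original post): registry-based inventory of
# SQL Server instances and SQL client drivers on the local host.

function Get-SqlServerInstanceInventory {
    # "Instance Names\SQL" maps each instance name to its instance ID folder.
    $map = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
    if (-not $map) { return }
    foreach ($p in $map.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $setup = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($p.Value)\Setup" -ErrorAction SilentlyContinue
        if (-not $setup) { continue }
        $ver = [version]$setup.Version
        [pscustomobject]@{
            Instance     = $p.Name
            InstanceId   = $p.Value
            Version      = $ver
            Edition      = $setup.Edition
            PatchLevel   = $setup.PatchLevel
            # SQL Server 2014 is engine major version 12; 2012 (11) and earlier
            # left extended support before it. All now require ESU for fixes.
            OutOfSupport = ($ver.Major -le 12)
        }
    }
}

function Get-SqlClientDriverInventory {
    # Uninstall entries for MSOLEDBSQL (v18 and v19) and the legacy Native
    # Client, from both the 64-bit and 32-bit (WOW6432Node) hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        $arch = if ($root -like '*WOW6432Node*') { 'x86' } else { 'x64' }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object {
                $_.DisplayName -like 'Microsoft OLE DB Driver*for SQL Server*' -or
                $_.DisplayName -like 'Microsoft SQL Server*Native Client*'
            } |
            ForEach-Object {
                [pscustomobject]@{ Driver = $_.DisplayName; Version = $_.DisplayVersion; Arch = $arch }
            }
    }
    # Cross-check against the DLLs actually on disk; a stale copy in System32
    # can outlive a tidy-looking Uninstall entry.
    foreach ($dll in 'msoledbsql.dll', 'msoledbsql19.dll') {
        $path = Join-Path $env:SystemRoot "System32\$dll"
        if (Test-Path $path) {
            $fv = (Get-Item $path).VersionInfo.ProductVersion
            [pscustomobject]@{ Driver = "File: $dll"; Version = $fv; Arch = 'x64' }
        }
    }
}

function Test-DriverPatched {
    # $Minimum maps driver major version (as a string) to the fixed build taken
    # from the advisory. Returns $null when no floor is known for that major.
    param([string]$Version, [hashtable]$Minimum)
    $v = [version]$Version
    $floor = $Minimum["$($v.Major)"]
    if (-not $floor) { return $null }
    return ($v -ge [version]$floor)
}

# Placeholder: populate from the July 2024 advisory, e.g. @{ '18' = '18.x.y.z'; '19' = '19.x.y.z' }
$fixedDriverVersions = @{}

$instances = @(Get-SqlServerInstanceInventory)
$drivers   = @(Get-SqlClientDriverInventory)

$instances | Format-Table -AutoSize
$instances | Where-Object OutOfSupport | ForEach-Object {
    Write-Warning "Instance $($_.Instance) is SQL Server $($_.Version) and no longer receives free security updates"
}

foreach ($d in $drivers) {
    $verdict = Test-DriverPatched -Version $d.Version -Minimum $fixedDriverVersions
    $state = if ($null -eq $verdict) { 'unknown (no floor supplied)' } elseif ($verdict) { 'patched' } else { 'VULNERABLE' }
    Write-Host ("{0,-45} {1,-14} {2,-4} {3}" -f $d.Driver, $d.Version, $d.Arch, $state)
}
```

Run it across the fleet (for example via a scheduled job or your endpoint management tool) rather than only on database servers: the OLE DB driver is frequently bundled with line-of-business applications and management consoles, and those hosts are exactly the ones the client-side RCE scenario targets. Note that `Get-SqlServerInstanceInventory` reports the engine build, which is what you compare against the July 2024 GDR/CU builds; the driver check is separate because client driver versioning is independent of the server's.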