Microsoft Patch Tuesday, July 2024 Version – Krebs on Safety – Go Well being Professional

Microsoft Corp. at this time issued software program updates to plug at the least 139 safety holes in numerous flavors of Home windows and different Microsoft merchandise. Redmond says attackers are already exploiting at the least two of the vulnerabilities in lively assaults in opposition to Home windows customers.

The primary Microsoft zero-day this month is CVE-2024-38080, a bug within the Home windows Hyper-V element that impacts Home windows 11 and Home windows Server 2022 methods. CVE-2024-38080 permits an attacker to extend their account privileges on a Home windows machine. Though Microsoft says this flaw is being exploited, it has provided scant particulars about its exploitation.

The opposite zero-day is CVE-2024-38112, which is a weak point in MSHTML, the proprietary engine of Microsoft’s Web Explorer internet browser. Kevin Breen, senior director of risk analysis at Immersive Labs, stated exploitation of CVE-2024-38112 doubtless requires using an “assault chain” of exploits or programmatic adjustments on the goal host, a la Microsoft’s description: “Profitable exploitation of this vulnerability requires an attacker to take extra actions previous to exploitation to organize the goal setting.”

“Regardless of the dearth of particulars given within the preliminary advisory, this vulnerability impacts all hosts from Home windows Server 2008 R2 onwards, together with shoppers,” Breen stated. “Because of lively exploitation within the wild this one ought to be prioritized for patching.”

Satnam Narang, senior workers analysis engineer at Tenable, referred to as particular consideration to CVE-2024-38021, a distant code execution flaw in Microsoft Workplace. Assaults on this weak point would result in the disclosure of NTLM hashes, which may very well be leveraged as a part of an NTLM relay or “go the hash” assault, which lets an attacker masquerade as a reliable person with out ever having to log in.

“One of many extra profitable assault campaigns from 2023 used CVE-2023-23397, an elevation of privilege bug in Microsoft Outlook that would additionally leak NTLM hashes,” Narang stated. “Nevertheless, CVE-2024-38021 is restricted by the truth that the Preview Pane is just not an assault vector, which implies that exploitation wouldn’t happen simply by merely previewing the file.”

The safety agency Morphisec, credited with reporting CVE-2024-38021 to Microsoft, stated it respectfully disagrees with Microsoft’s “vital” severity ranking, arguing the Workplace flaw deserves a extra dire “important” ranking given how simple it’s for attackers to use.

“Their evaluation differentiates between trusted and untrusted senders, noting that whereas the vulnerability is zero-click for trusted senders, it requires one click on person interplay for untrusted senders,” Morphisec’s Michael Gorelik stated in a weblog publish about their discovery. “This reassessment is essential to mirror the true threat and guarantee enough consideration and sources are allotted for mitigation.”

In final month’s Patch Tuesday, Microsoft mounted a flaw in its Home windows WiFi driver that attackers may use to put in malicious software program simply by sending a weak Home windows host a specifically crafted information packet over a neighborhood community. Jason Kikta at Automox stated this month’s CVE-2024-38053 — a safety weak point in Home windows Layer Two Bridge Community — is one other native community “ping-of-death” vulnerability that ought to be a precedence for street warriors to patch.

“This requires shut entry to a goal,” Kikta stated. “Whereas that precludes a ransomware actor in Russia, it’s one thing that’s exterior of most present risk fashions. This kind of exploit works in locations like shared workplace environments, motels, conference facilities, and anyplace else the place unknown computer systems is likely to be utilizing the identical bodily hyperlink as you.”

Automox additionally highlighted three vulnerabilities in Home windows Distant Desktop a service that allocates Consumer Entry Licenses (CALs) when a consumer connects to a distant desktop host (CVE-2024-38077, CVE-2024-38074, and CVE-2024-38076). All three bugs have been assigned a CVSS rating of 9.8 (out of 10) and point out {that a} malicious packet may set off the vulnerability.

Tyler Reguly at Forta famous that at this time marks the Finish of Assist date for SQL Server 2014, a platform that in response to Shodan nonetheless has ~110,000 cases publicly accessible. On prime of that, greater than 1 / 4 of all vulnerabilities Microsoft mounted this month are in SQL server.

“Plenty of firms don’t replace rapidly, however this will go away them scrambling to replace these environments to supported variations of MS-SQL,” Reguly stated.

It’s a good suggestion for Home windows end-users to remain present with safety updates from Microsoft, which might rapidly pile up in any other case. That doesn’t imply you must set up them on Patch Tuesday. Certainly, ready a day or three earlier than updating is a sane response, on condition that typically updates go awry and often inside just a few days Microsoft has mounted any points with its patches. It’s additionally sensible to again up your information and/or picture your Home windows drive earlier than making use of new updates.

For a extra detailed breakdown of the person flaws addressed by Microsoft at this time, take a look at the SANS Web Storm Heart’s checklist. For these admins answerable for sustaining bigger Home windows environments, it usually pays to keep watch over Askwoody.com, which often factors out when particular Microsoft updates are creating issues for a lot of customers.

As ever, in the event you expertise any issues making use of any of those updates, contemplate dropping a be aware about it within the feedback; likelihood is respectable another person studying right here has skilled the identical situation, and perhaps even has an answer.

Add a Comment

Your email address will not be published. Required fields are marked *