Microsoft's July update fixes 143 vulnerabilities, including two that were actively exploited

By CloudSecNewsHub, July 10, 2024

Microsoft has released patches to address a total of 143 vulnerabilities as part of its monthly security updates, two of which are actively exploited in the wild.

Five of the 143 vulnerabilities are rated critical, 136 are important, and four are moderate. The fixes come in addition to 33 vulnerabilities that were addressed in the Chromium-based Edge browser over the past month.

The two vulnerabilities that were exploited are as follows:

  • CVE-2024-38080 (CVSS score: 7.8) – Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2024-38112 (CVSS score: 7.5) – Windows MSHTML Platform Spoofing Vulnerability

Microsoft said of the vulnerability, CVE-2024-38112: “Successful exploitation of this vulnerability requires the attacker to take additional actions prior to exploitation to prepare the target environment. The attacker must send a malicious file to the victim before the victim can execute it.”

Check Point security researcher Haifei Li, who is credited with discovering and reporting the flaw in May 2024, said that threat actors are taking advantage of specially crafted Windows Internet Shortcut (.URL) files, which when clicked, redirect victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.


“An additional trick in Internet Explorer is used to hide the name of the malicious .HTA extension. By opening the URL using Internet Explorer instead of the modern and more secure Chrome/Edge browser on Windows, the attacker gains significant advantages in exploiting the victim’s computer, even though the computer is running the latest Windows 10/11 operating system,” he explained to me.
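For defenders triaging the delivery vector described above, the following added example (not from the original article, Check Point or Microsoft) parses Internet Shortcut file contents and flags targets that use a scheme other than http/https or that point at an .hta file. The scheme allowlist, the function names and the sample shortcuts are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit, unquote

WEB_SCHEMES = {"http", "https"}  # assumption: schemes a benign shortcut should use
RISKY_EXTENSIONS = (".hta",)     # HTML Application, the file type named in the article

def triage_url_shortcut(text):
    """Return findings for the contents of one .url file (empty list = nothing flagged)."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable shortcut: {type(exc).__name__}"]
    # Section names are case-sensitive in configparser, so match them manually.
    section = next((s for s in parser.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        return ["no [InternetShortcut] section"]
    target = parser.get(section, "url", fallback="").strip()
    if not target:
        return ["no URL= entry"]
    try:
        parts = urlsplit(target)
    except ValueError:
        return ["malformed URL"]
    findings = []
    if parts.scheme.lower() not in WEB_SCHEMES:
        findings.append(f"non-web scheme: {parts.scheme.lower() or '(none)'}")
    # Decode percent-escapes and trim padding before checking the extension.
    if unquote(parts.path).strip().lower().endswith(RISKY_EXTENSIONS):
        findings.append("target ends in .hta")
    return findings

def flagged(samples):
    """Map file name -> findings for every sample with at least one finding."""
    results = {name: triage_url_shortcut(body) for name, body in samples.items()}
    return {name: hits for name, hits in results.items() if hits}

# Constructed sample shortcuts (example.test is a reserved test domain).
SAMPLES = {
    "report.url": "[InternetShortcut]\nURL=https://example.test/docs/report.pdf\n",
    "mirror.url": "[InternetShortcut]\nURL=ftp://example.test/pub/readme.txt\n",
    "invoice.url": "[internetshortcut]\nurl=https://example.test/files/invoice%2Ehta\n",
    "notes.url": "URL=https://example.test/a.pdf\n",  # no section header
}

if __name__ == "__main__":
    for name, hits in flagged(SAMPLES).items():
        print(name, "->", "; ".join(hits))
```

A finding is a prompt for manual review of the shortcut and its source, not a verdict; installing the July 2024 update remains the fix for CVE-2024-38112.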

Artifacts using the attack technique were uploaded to malware scanning platform VirusTotal as early as January 2023, indicating that threat actors have been aware of the vulnerability for more than 1.5 years.

Check Point told The Hacker News that it observed .URL samples being used to deliver an information stealer called Atlantida, which was documented by Rapid7 earlier this year as malware that allows the theft of login credentials, cryptocurrency wallet data, information stored in web browsers, screenshots, and device data.

The malware campaign, which primarily targeted users in Turkey and Vietnam in mid-May 2024, reportedly abused compromised WordPress sites to launch attacks via HTML Application (.HTA) and PowerShell files that deliver Atlantida to victim hosts.

Initial findings from Check Point indicate that at least two different threat groups are exploiting CVE-2024-38112 in simultaneous campaigns as part of what is suspected to be a financially motivated operation.

“We saw a computer chip manufacturer and a company developing better-designed products (targeted),” the company said, adding, “Both are high-tech companies, which could indicate a supply chain attack or product interest.”

“CVE-2024-38080 is a privilege escalation vulnerability in Windows Hyper-V. An authenticated, local attacker could exploit this vulnerability to escalate privileges to the system level after an initial compromise of a targeted system,” said Satnam Narang, Senior Research Engineer at Tenable.

While the exact details surrounding the abuse of CVE-2024-38080 are currently unknown, Narang noted that this is the first of the 44 Hyper-V flaws to come under exploitation since 2022.

Two other vulnerabilities that Microsoft has patched are listed as publicly known at the time of release. The first is a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9) that could allow an adversary to view the cache from a privileged process running on Arm-based systems.

The second publicly announced vulnerability is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug that affects .NET and Visual Studio.

“An attacker could exploit this issue by closing the http/3 stream while the request body is being processed, resulting in a race condition. This could lead to remote code execution,” Redmond said in an advisory.

Also resolved as part of the Patch Tuesday updates were 37 remote code execution vulnerabilities affecting the SQL Server Native Client OLE DB provider, 20 Secure Boot bypass vulnerabilities, three PowerShell privilege escalation bugs, and a RADIUS spoofing vulnerability (CVE-2024-3596, also known as BlastRADIUS).

“The SQL Server flaws specifically affect the OLE DB provider, so not only will SQL Server versions need to be updated, but client code running vulnerable versions of the connection driver will also need to be addressed,” said Greg Wiseman, principal product manager at Rapid7.

“For example, an attacker could use social engineering tactics to trick an authenticated user into attempting to connect to a SQL Server database that is configured to return malicious data, allowing arbitrary code to be executed on the client.”


The long list of fixes is completed by CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could allow an attacker to gain elevated privileges, including read, write, and delete functions.

Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability requires no authentication and poses a high risk due to its zero-click nature.

“Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause significant damage without any user interaction,” said Michael Gorelik. “The lack of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.”

These fixes come as Microsoft announced late last month that it would begin releasing CVE IDs for cloud-related vulnerabilities in the future in an effort to improve transparency.

Software patches from other vendors

In addition to Microsoft, security updates have also been released by other vendors in the past few weeks to patch several vulnerabilities, including –

(Story updated after publication to include additional comments from Check Point.)
