Microsoft’s July Security Update Exploited by Attackers, Patch for 139 Unique CVEs Released

July 9, 2024

Microsoft's July security update includes patches for a staggering 139 unique Common Vulnerabilities and Exposures (CVEs), two of which are already being exploited by attackers. This update contains more fixes than the previous two monthly releases combined, addressing a range of vulnerabilities that could lead to remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities if left unaddressed. The update also includes patches for four non-Microsoft CVEs, including a publicly known vulnerability in Intel microprocessors.

One of the zero-day vulnerabilities, CVE-2024-38080, affects Microsoft's Windows Hyper-V virtualization technology, allowing an authenticated attacker to execute code with system-level privileges on affected systems. Despite Microsoft's assessment of the vulnerability as easily exploitable without requiring any special privileges or user interaction, the company has given it only a moderate severity rating of 6.8 on the 10-point CVSS scale. Kev Breen, senior director threat research at Immersive Labs, emphasized the need for immediate patching given that attackers are already actively exploiting the flaw.

The other zero-day bug, CVE-2024-38112, affects the Windows MSHTML Platform and has a moderate CVSS severity rating of 7.0. Microsoft described this bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link. The precise nature of the threat it poses has left some experts puzzled.

Two bugs that were publicly known prior to Microsoft's July update, CVE-2024-35264 and CVE-2024-37985, are also technically zero-day flaws. The former is a remote code execution vulnerability in .Net and Visual Studio, while the latter is an Intel CVE that Microsoft has included in its update.

Microsoft rated only four of the flaws in its massive update as critical. Three of these, CVE-2024-38076, CVE-2024-38077, and CVE-2024-38089, affect the Windows Remote Desktop Licensing Service component and all enable remote code execution. Microsoft suggests organizations disable the Remote Desktop Licensing Service if they are not using it, and immediately install the patches for these vulnerabilities even if they plan to disable the service.

A surprising element in this month's Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — 39 in total, or more than a quarter of the 139 disclosed vulnerabilities. Even though none of them are deemed critical based on their CVSS scores and are all listed as 'Exploitation Less Likely', there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will need to patch.

The trend of recent months continues, with 20 elevation of privilege (EoP) bugs in this month's update, slightly outnumbering remote code execution vulnerabilities (18). Despite the tendency of Microsoft and other software vendors to rate EoP bugs as less severe than remote code execution vulnerabilities, security researchers argue that security teams should pay equal attention to both.

Latest News

• Blast-RADIUS Attack Exploits RADIUS Authentication Protocol Vulnerability
• Global Cybersecurity Agencies Issue Joint Advisory on China-affiliated APT40's Quick Exploit Adaptation
• Ghostscript Library's RCE Bug Now Being Exploited in Attacks
• CISA Includes Cisco NX-OS Command Injection Vulnerability in its Known Exploited Vulnerabilities Catalog
• Cisco Patches NX-OS Zero-Day Exploited by Chinese Threat Actor Velvet Ant