July 9, 2024

Microsoft Corp. today issued software updates to plug at least 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

The first Microsoft zero-day this month is CVE-2024-38080, a bug in the Windows Hyper-V component that affects Windows 11 and Windows Server 2022 systems. CVE-2024-38080 allows an attacker to increase their account privileges on a Windows machine. Although Microsoft says this flaw is being exploited, it has offered scant details about its exploitation.

The other zero-day is CVE-2024-38112, which is a weakness in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser. Kevin Breen, senior director of threat research at Immersive Labs, said exploitation of CVE-2024-38112 likely requires the use of an “attack chain” of exploits or programmatic changes on the target host, a la Microsoft’s description: “Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.”

“Despite the lack of details given in the initial advisory, this vulnerability affects all hosts from Windows Server 2008 R2 onwards, including clients,” Breen said. “Due to active exploitation in the wild this one should be prioritized for patching.”

Satnam Narang, senior staff research engineer at Tenable, called special attention to CVE-2024-38021, a remote code execution flaw in Microsoft Office. Attacks on this weakness would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“One of the more successful attack campaigns from 2023 used CVE-2023-23397, an elevation of privilege bug in Microsoft Outlook that could also leak NTLM hashes,” Narang said. “However, CVE-2024-38021 is limited by the fact that the Preview Pane is not an attack vector, which means that exploitation would not occur just by simply previewing the file.”

The security firm Morphisec, credited with reporting CVE-2024-38021 to Microsoft, said it respectfully disagrees with Microsoft’s “important” severity rating, arguing the Office flaw deserves a more dire “critical” rating given how easy it is for attackers to exploit.

“Their assessment differentiates between trusted and untrusted senders, noting that while the vulnerability is zero-click for trusted senders, it requires one click user interaction for untrusted senders,” Morphisec’s Michael Gorelik said in a blog post about their discovery. “This reassessment is crucial to reflect the true risk and ensure adequate attention and resources are allocated for mitigation.”

In last month’s Patch Tuesday, Microsoft fixed a flaw in its Windows WiFi driver that attackers could use to install malicious software just by sending a vulnerable Windows host a specially crafted data packet over a local network. Jason Kikta at Automox said this month’s CVE-2024-38053 — a security weakness in Windows Layer Two Bridge Network — is another local network “ping-of-death” vulnerability that should be a priority for road warriors to patch.

“This requires close access to a target,” Kikta said. “While that precludes a ransomware actor in Russia, it is something that is outside of most current threat models. This type of exploit works in places like shared office environments, hotels, convention centers, and anywhere else where unknown computers might be using the same physical link as you.”

Automox also highlighted three vulnerabilities in the Windows Remote Desktop service that allocates Client Access Licenses (CALs) when a client connects to a remote desktop host (CVE-2024-38077, CVE-2024-38074, and CVE-2024-38076). All three bugs have been assigned a CVSS score of 9.8 (out of 10), and each could be triggered by a malicious packet.

Tyler Reguly at Fortra noted that today marks the End of Support date for SQL Server 2014, a platform that according to Shodan still has ~110,000 instances publicly available. On top of that, more than a quarter of all vulnerabilities Microsoft fixed this month are in SQL Server.

“A lot of companies don’t update quickly, but this may leave them scrambling to update those environments to supported versions of MS-SQL,” Reguly said.

It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

As ever, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are decent someone else reading here has experienced the same issue, and maybe even has a solution.


23 thoughts on “Microsoft Patch Tuesday, July 2024 Edition”

  1. John

    Years DEC led Microsoft to virtualization, WNT the child of many marvelous virtual features from VMS.

    At first Alpha/ent was a thing of beauty. But for decades users have paid the price of Redmond not grasping the beauty of KESU, at best they got kernel and user security with supervisor and exec simply escaping them.

    Only recently did they begin to embrace years old compartmentalization.

    And here we are still paying for lack of foresight.

    -shakes head-

    1. Khan Zain

      Your reflections on the evolution of virtualization and the historical context of Microsoft’s approach are quite insightful. Indeed, DEC’s VMS was a pioneer in implementing robust virtual features, and the transition from Alpha/Ent to the modern era has shown how much we’ve learned about the importance of compartmentalization and security.

      Microsoft’s journey with Windows NT and its later iterations reflects a gradual but significant evolution in their understanding of kernel and user space security. While earlier versions may have struggled with these concepts, the recent strides towards better compartmentalization and security practices are a testament to the industry’s growth and the lessons learned from past shortcomings.

      It’s true that the tech landscape often evolves through iterative learning, and sometimes, we pay a price for missed opportunities and slow adoption of best practices. Nevertheless, it’s encouraging to see that the lessons from the past are shaping better, more secure systems today.

      Let’s hope that the continued emphasis on security and compartmentalization will lead to more robust and resilient systems in the future. Thanks for sparking this reflection on the journey from VMS to today’s technologies.

      -shakes head in agreement-

  2. Squirrel TT

    Windows security holes can be panes in the neck. Hah!

  3. Nobby Nobbs

    “The other zero-day is CVE-2024-38112, which is a weakness in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser. ”

    2012 called. They want their buggy browser back.

    But seriously, how is this still a thing?
    Why haven’t they expunged every trace of this POS browser?

    1. steven Franzsen

      Open control panel > internet options remind you of IE??

      Not that easy. If you remove all traces of IE from Windows, you find SSL and proxies stop functioning.

      Commands like “netsh” stop functioning.

      A lot of internet protocols are still referenced in IE DLLs.

      Also, backwards compatibility: some older web interfaces require IE to work correctly.

      1. Catwhisperer

        Does that mean that three centuries from now we will still have IE dependency? I ask, because almost a half-century has elapsed. You think maybe they would rewrite the code in the last 50 years to not need IE dll’s? Or better yet, and they have no excuse here, slap GPT4 on it (which Microsoft owns, BTW) to rewrite it in rust, go, python or whatever language suits them.

        1. Fr00tL00ps

          “Does that mean that three centuries from now we will still have IE dependency?”

          It’s not that simple a task. I learnt COBOL in the late ’80’s and even then it had been around since the ’60’s. Today, it’s still the mainstay underlying many government and corporate systems, particularly finance, and the cost and risks involved to change are enormous, considering there is currently a global shortage in this coding skill set.
          I agree something needs to change, but whole software ecosystems rely on dependencies for their efficiency, and management like efficient. The only fix is rewriting from the ground-up, but as far as management is concerned, that is never going to happen.
          You may have already seen this but I’ll post it anyway … https://xkcd.com/2347/

    2. William Kemmler

      “But seriously, how is this still a thing? Why haven’t they expunged every trace of this POS browser”

      Because while Microsoft removed all UI and direct access to Internet Explorer they left MSHTML (aka Trident) on people’s systems as a “compatibility feature” (Internet Explorer Mode) for those businesses that are too cheap to update their ancient intranet applications to run in a modern browser.

      If Microsoft weren’t so obsessed with backwards compatibility they’d have removed MSIE completely from every modern version of Windows (8,10,11) and avoided such things like this. But they didn’t. And there we go and here we are.

  4. Red

    Microsoft should remove the message stating “You’re up to date”, or at least change it to “You were up to date.” I had a moment of confusion upon opening Windows Update earlier today and knowing it was Patch Tuesday; I could not believe there were no updates. Then I clicked “Check for updates” and of course there were a bunch.

  5. JF

    The excellent AskWoody Newsletter (askwoody.com) (previously Windows Secrets) usually recommends a longer postponement of Windows updates – often 3 weeks or more. You can stay updated through the free or paid version.

  6. The Sunshine State

    I didn’t see any problems with installing updates today with both Windows 10 and 11

  7. Manhattan

    They’ve mucked up the ability to simply LOCK the machine from the user account popup in Windows 11. Now all I see is account info and the ability to sign out. What sense does this make?

  8. Catwhisperer

    “… while the vulnerability is zero-click for trusted senders, it requires one click user interaction for untrusted senders, …”
    The fact that the difference in designation between an important security upgrade and a critical security upgrade is ONE USER CLICK, goes a long way to explain why we have the security issues we have today with Windows. Imagine how often you have clicked on something by accident meaning to click the adjacent box.

    1. RK

      Over the past few months I’ve been having a problem that appears to be the Windows Update UI not updating properly. It looks like it’s frozen on an update, so I quit update and restart it and find that the update had finished. Very frustrating. Don’t know what’s up with that. It can happen multiple times during an update. Very frustrating. — Stuck at 94% for two hours def sounds abnormal. Sometimes I run Resource Monitor to check whether anything is still going on. Hope you get it worked out.

      1. Steven

        I can add that I have also experienced this and rebooting does the trick.

        1. RK

          You are absolutely right. “Reboot,” not “quit and restart update” as I said above. I’ve had to reboot multiple times to get update to finish. I then ran “dism.exe /online /cleanup-image /restorehealth” and “sfc /scannow” to check for corrupt files. It found some and fixed them. The June 2024 update went OK and I did not have to do any reboots. THX

  9. Dandy

    2 RDS VMs ended stuck at the Win Boot logo, had to restore from backup.

  10. Steven

    Thank you for making me aware of askwoody.com. It’s a fantastic resource.

    1. JF

      Yes, it’s very good. Recommend that you support it and get the Plus version. 😉

  11. Kwill

    The update installed (with no errors displayed) on my new Windows 11 Dell G15 laptop on July 13th. For the past 6 days I have been trying to figure out why my previously very fast laptop was sluggish and stuttering. Even just opening the start menu could suffer a delay.
    I pulled up health checks on the SSD, ran malware scans, checked for rogue processes. Nothing. CPU looked normal, memory was fine.
    Today I uninstalled this update and was back to normal after the reboot.
