A vulnerability in the "Hyper-V" hypervisor is being exploited in the wild, Microsoft said on July’s Patch Tuesday as it pushed out 143 patches.
The elevation of privilege (EOP) bug, allocated CVE-2024-38080 gives a successful attacker SYSTEM privileges Microsoft said. It was disclosed anonymously and Redmond did not say how widespread exploitation is.
Redmond patched two actively exploited bugs, as well as five critical vulnerabilities, all of which were remote code execution (RCE) bugs.
The other known exploited bug is CVE-2024-38112 affecting a wide range of Windows server and desktop versions. The bug is in the Windows MSHTML dynamic link library and Microsoft lists it as a “spoofing” one.
As the ZDI notes: “it’s not clear exactly what is being spoofed.
“Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here… The good news is that a user would need to click a link to be affected. The bad news is that users click anything.”
Microsoft issued patches for four non-Microsoft CVEs and 139 Microsoft ones. Of the patches, five are rated critical in severity, 133 important.
Microsoft released patches for a number of RCE bugs including several affecting the Windows Remote Desktop Licensing Service.
Tom Bowyer, Director IT Security, Automox, noted of this trio of CVSS 9.8-rated bugs (CVE-2024-38077, CVE-2024-38074, CVE-2024-38076) that “often, these features are enabled by default within Windows Server, so it’s worth taking the time to check… School districts, government infrastructure, and SLED-type Windows environments are particularly vulnerable due to their widespread use of Remote Desktop services.”
“This release is another huge bunch of fixes from Redmond, just shy of the record 147 CVEs from back in April this year," wrote Dustin Childs of the Zero Day Initiative. Describing the Hyper-V vulnerability, Childs added: "While not specifically stated by Microsoft, let’s assume the worst-case scenario and say that an authorized user could be on a guest OS.
“Microsoft also does not state how widespread the exploitation is, but this exploit would prove quite useful for ransomware. If you’re running Hyper-V, test and deploy this update quickly” he emphasised.
SAP also today released eighteen new and updated SAP security patches, including two High Priority Notes, none known exploited.
Adobe released three patches addressing seven CVEs, including four critical ones in InDesign – again, none known-exploited.
Bon chance to those with an evening of patching ahead. May nothing break.
