Microsoft has announced the release of security patches addressing a staggering 143 vulnerabilities as part of its latest monthly updates. Among these issues, two have been confirmed to be actively exploited, heightening concerns for organizations relying on Microsoft software. The updates, which categorize five vulnerabilities as Critical, 136 as Important, and four as Moderate, also complement the patching of 33 vulnerabilities in the Chromium-based Edge browser that occurred in the past month.
The two notable vulnerabilities that have come under active exploitation are identified as CVE-2024-38080, a Windows Hyper-V Elevation of Privilege Vulnerability with a CVSS score of 7.8, and CVE-2024-38112, a spoofing vulnerability related to the MSHTML platform, carrying a CVSS score of 7.5. Microsoft has emphasized that exploiting CVE-2024-38112 necessitates preconditions, including the requirement for an attacker to send a malicious file to the victim that must be executed for the attack to succeed.
The threat landscape has been further elucidated by Check Point researcher Haifei Li, who unveiled that attackers are utilizing specially crafted Windows Internet Shortcut files (.URL). These files, when clicked, redirect users to a malicious URL via the now-retired Internet Explorer browser, systematically bypassing defenses that protective modern browsers would typically provide. This manipulation of legacy technology gives attackers a significant edge, allowing them to employ zero-day tactics effectively.
Furthermore, it has been revealed that artifacts employing this attack strategy have been detected on the VirusTotal malware scanning platform as early as January 2023. This indicates a prolonged awareness and exploitation of the vulnerability by threat actors. The exploitation is not limited to individual users, as Check Point noted a broader campaign targeting organizations, particularly in high-tech sectors, suggesting a potential supply chain attack motive.
The CVE-2024-38080 vulnerability allows local authenticated attackers to escalate privileges to SYSTEM level after an initial compromise, with its exploitation being unprecedented among the 44 Hyper-V flaws cataloged since 2022. This signifies the critical nature of Hyper-V vulnerabilities, especially concerning environments that utilize virtualization technology.
In addition to these security flaws, Microsoft has addressed several other vulnerabilities, including a side-channel attack affecting privileged processes on Arm-based systems (CVE-2024-37985) and a remote code execution flaw impacting .NET and Visual Studio (CVE-2024-35264) with a CVSS score of 8.1. These vulnerabilities, if exploited, could lead to significant damage and unauthorized access to systems.
Notably, further analysis of the security updates reveals additional remote code execution flaws across various Microsoft products, including SQL Server, which heightens concerns related to data integrity and security for businesses that depend on these tools.
The risks presented by these vulnerabilities are exacerbated by the absence of authentication requirements for some, allowing attackers to gain unauthorized access and execute arbitrary code without direct user interaction. This has been underscored by Morphisec, a security firm that highlighted the zero-click nature of such exploits, making them particularly menacing for organizations.
In summary, the recent security updates issued by Microsoft underscore a critical juncture in the realm of cybersecurity, as businesses must remain vigilant against ongoing exploitations of previously patched vulnerabilities. The targeting of systems within the tech industry, particularly those utilizing outdated software and processes, hints at a strategic focus by adversaries on exploiting entrenched vulnerabilities. Employing defense strategies in alignment with the MITRE ATT&CK framework—specifically tactics related to initial access, privilege escalation, and exploitation techniques—will be essential for safeguarding sensitive enterprise environments against these emerging threats.
