Microsoft patched four zero-day bugs that were part of its' July Patch Tuesday update bringing the total number of updates to 139 fixes.
The Redmond software giant said that four of the of patched flaws are already known to the public and two are currently under active exploit.
If there is some good news to be had for administrators, it is that none of the four zero-day vulnerabilities are considered critical. That is, none of the four would directly lead to an attacker seizing remote control of the target machine. Rather, the attacker would already need to have access to the vulnerable server in order to pull off an attack.
The first bug, tracked as CVE-2024-38080, describes an elevation of privilege flaw in the Windows hypervisor that could allow a client account in Hyper-V to gain system access. The flaw is currently under active exploitation.
“This vulnerability could allow an authenticated threat actor to execute code with SYSTEM privileges,” explained Dustin Child of the Trend Micro Zero Day Initiative.
“While not specifically stated by Microsoft, let’s assume the worst-case scenario and say that an authorized user could be on a guest OS.”
Also under exploit is CVE-2024-38112, a vulnerability shrouded in mystery despite being actively exploited.
“This bug is listed as ‘Spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” said Childs.
“Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”
For its part, Microsoft noted that the vulnerability would require an attacker to convince the targeted user to open a specially-crafted malware file in order to gain privileges and execute an attack. Under Redmond’s criteria, the requirement of user interaction is usually enough to downgrade the severity of an attack.
In addition to the zero day flaws, Microsoft has issued updates for five vulnerabilities considered to be critical remote code execution bugs.
Three of the flaws lie within the Microsoft Windows Remote Desktop Licensing Service component. Successful exploitation of the attack would potentially allow for remote takeover of the vulnerable server.
Childs said that while the Remote Desktop Licensing Service may not be widely used, it would be essential for those that require it.
“As a temporary workaround, you could disable the Licensing Service, but if you’re running it, you likely need it,” the researcher explained.
“I would also ensure these servers are not addressable to the Internet. If a bunch of these servers are Internet-connected, I would expect exploitation soon.”
As with all Patch Tuesday updates, administrators and home users are advised to test and deploy the patches as soon as possible in order to avoid attacks from the now known vulnerabilities.
