Skip to content

Microsoft patches 142 vulnerabilities, including two actively exploited

  • by
  • 3 min read

Microsoft’s July 2024 Patch Tuesday was a busy day for Redmond. It patched 142 flaws, including two actively exploited and two publicly disclosed zero-day vulnerabilities. Another five remote code execution (RCE) flaws were patched as well. These fixes are separate from the 33 other vulnerabilities Microsoft patched in its Chromium-based Edge browser.

The two actively exploited vulnerabilities were as follows:

  • CVE-2024-38080: With a CVSS score of 7.8, this is a Windows Hyper-V privilege escalation vulnerability. It is the first of 44 Hyper-V flaws under exploitation in the wild since 2022.
  • CVE-2024-38112: Rated 7.5 on the CVSS scale, this is a platform spoofing vulnerability in the Windows MSHTML component. Check Point security researcher Haifei Li discovered and reported the flaw. Since January 2023, it has been exploited by leveraging the Internet Explorer shortcut files to enable remote code execution on Windows 10 and 11 systems.

As mentioned before, two publicly disclosed zero-day vulnerabilities were also patched in the latest round of fixes. These include CVE-2024-37985 and CVE-2024-35264 with CVSS scores of 5.9 and 8.1 respectively. CVE-2024-37985 can be exploited in a side-channel attack known as FetchBench that allows an attacker to access heap memory from a high-privilege process running on ARM systems. CVE-2024-35264 is a remote code execution flaw in .NET and Visual Studio.

Close up of a Windows laptop keyboard, featuring the Fn, Windows, Alt and Z keys.

A spoofing bug in the RADIUS protocol dubbed CVE-2024-3596 has also been patched. The vulnerability can be exploited in an attack named Blast-RADIUS and allows an attacker to take over RADIUS networks by intercepting network traffic between the server and client using MITM (man-in-the-middle) attacks.

Another notable issue that Redmon dispatched was a remote code execution vulnerability in Microsoft Office dubbed CVE-2024-38021. If exploited, it allows an attacker to elevate privileges and gain access to read, write, and delete functionality within the suite. The flaw was reported to Microsoft by Morphisec in April 2024, who explained the severe risk of widespread exploitation considering the zero-click nature of the bug in a detailed technical breakdown.

Overall, security patches for the following vulnerabilities were released.

  • 59 remote code execution vulnerabilities
  • 26 Privilege elevation vulnerabilities
  • 24 security feature bypass vulnerabilities
  • 17 denial of service vulnerabilities
  • 9 information disclosure vulnerabilities
  • 7 spoofing vulnerabilities.

In the News: Google’s Advanced Protection Program adds passkeys for security

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>