Microsoft Security Update Summary (July 9, 2024)

On July 9, 2024, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 138 vulnerabilities (CVEs), including five critical vulnerabilities (two are already being exploited). Below is a compact overview of the updates that were released on Patchday.

Notes on the updates

A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.

Windows 10/11, Windows Server

All Windows 10/11 updates (as well as the updates for the server counterparts) are cumulative. The monthly Patchday update contains all security fixes for these Windows versions, as well as all non-security fixes released up to the Patchday. In addition to the security patches for the vulnerabilities, the updates therefore also contain bug fixes and, in some cases, new features.

Windows Server 2012 R2

Windows Server 2012/R2 will receive regular security updates until October 2023. From this point onwards, an ESU license is required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).

Fixed vulnerabilities

Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the notable vulnerabilities that have been fixed:

  • CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability, CVSSv3 score 7.8, important; A local, authenticated attacker can exploit this vulnerability to gain SYSTEM privileges. According to Microsoft, this vulnerability was exploited as a zero-day. It was reported by a researcher who wishes to remain anonymous. No further details about the exploitation of the vulnerability in the wild have been disclosed.
  • CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability, CVSSv3 score 7.5, important; An unauthenticated, remote attacker could exploit this vulnerability by tricking a potential target into opening a malicious file. Microsoft points out that in order to successfully exploit this vulnerability, an attacker would need to take "additional measures" to "prepare the target environment". According to Microsoft, this vulnerability has been exploited as a zero-day vulnerability.
  • CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability, CVSSv3 score 8.1, important; According to the advisory, an attacker must win a race condition, which is why exploitation is classified as "less likely".
  • CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability, CVSSv3 score 8.8, critical; The RCE vulnerability affects the Windows Imaging Component, a framework used to process images. Microsoft classifies this vulnerability as "Exploitation More Likely". To exploit this vulnerability, an attacker must be authenticated and use this access to upload a malicious TIFF (Tag Image File Format) file, an image format used for graphics.
  • CVE-2024-38059, CVE-2024-38066: Windows Win32k Elevation of Privilege Vulnerability, CVSSv3 score 7.8, important; EoP vulnerabilities affecting Windows Win32k, a core kernel-side driver used in Windows. An attacker could exploit these vulnerabilities as part of post-compromise activities to elevate privileges to SYSTEM. Microsoft classifies these vulnerabilities as "Exploitation More Likely".
  • CVE-2024-38021: Microsoft Office Remote Code Execution Vulnerability, CVSSv3 score 8.8, important; an RCE vulnerability affecting Microsoft Office 2016. Successful exploitation allows an attacker to gain elevated privileges (including read, write and delete functions). Microsoft points out that to exploit the vulnerability, an attacker would need to create a malicious link to bypass the Protected View Protocol. According to Microsoft's description, an attacker would have to trick a user into clicking on the link, likely by sending it to an unsuspecting user in a phishing attack. This would give the attacker access to local NTLM credentials, which could then be used to gain further access and ultimately reach RCE.

Furthermore, Microsoft has published 38 CVEs for Microsoft OLE DB Driver and SQL Server Native Client OLE DB Provider Remote Code Execution vulnerabilities (all CVSSv3 score 8.8), which are listed here. A list of all covered CVEs can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:

  • .NET and Visual Studio
  • Active Directory Federation Services
  • Azure CycleCloud
  • Azure DevOps
  • Azure Kinect SDK
  • Azure Network Watcher
  • Line Printer Daemon Service (LPD)
  • Microsoft Defender for IoT
  • Microsoft Dynamics
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft Streaming Service
  • Microsoft WS-Discovery
  • Microsoft Windows Codecs Library
  • NDIS
  • Role: Active Directory Certificate Services; Active Directory Domain Services
  • Role: Windows Hyper-V
  • SQL Server
  • Windows BitLocker
  • Windows COM Session
  • Windows CoreMessaging
  • Windows Cryptographic Services
  • Windows DHCP Server
  • Windows Distributed Transaction Coordinator
  • Windows Enroll Engine
  • Windows Fax and Scan Service
  • Windows Filtering
  • Windows Image Acquisition
  • Windows Internet Connection Sharing (ICS)
  • Windows iSCSI
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows LockDown Policy (WLDP)
  • Windows Message Queuing
  • Windows MSHTML Platform
  • Windows MultiPoint Services
  • Windows NTLM
  • Windows Online Certificate Status Protocol (OCSP)
  • Windows Performance Monitor
  • Windows PowerShell
  • Windows Remote Access Connection Manager
  • Windows Remote Desktop
  • Windows Remote Desktop Licensing Service
  • Windows Secure Boot
  • Windows Server Backup
  • Windows TCP/IP
  • Windows Themes
  • Windows Win32 Kernel Subsystem
  • Windows Win32K – GRFX
  • Windows Win32K – ICOMP
  • Windows Workstation Service
  • XBox Crypto Graphic Services

Similar articles:
Microsoft Security Update Summary (July 9, 2024)
Patchday: Windows 10/Server Updates (July 9, 2024)
Patchday: Windows 11/Server 2022-Updates (July 9, 2024)
Windows Server 2012 / R2 and Windows 7 (July 9, 2024)
Microsoft Office Updates (July 9, 2024)
