ION Advisory: July 2024 Microsoft Patch Tuesday 

This Microsoft July update consists of 142 patches for Microsoft products. Four of these vulnerabilities are rated ‘critical’, with two already being exploited. The update addresses vulnerabilities in the following threat categories:

  • Remote Code Execution (RCE): This category saw the most patches, with 59 vulnerabilities addressed. These vulnerabilities could allow an attacker to remotely execute code on a victim’s machine, potentially taking complete control of the system.
  • Elevation of Privilege: 26 vulnerabilities were patched that could allow attackers to elevate their privileges on a system. This could give them access to resources and data that they shouldn’t normally be able to access.
  • Security Feature Bypass: 24 vulnerabilities were addressed that could allow attackers to bypass security features designed to protect systems.
  • Information Disclosure: 9 vulnerabilities were patched that could allow attackers to steal sensitive information from a system.
  • Denial of Service (DoS): 17 vulnerabilities were addressed that could allow attackers to crash a system or make it unavailable to legitimate users.
  • Spoofing: 7 vulnerabilities were patched that could allow attackers to spoof their identity and trick users into trusting them.

At the point of publication, this vulnerability has not yet been reported as actively exploited.

Publicly disclosed

Originally published in February, this vulnerability in DNSSEC validation lets an attacker abuse standard DNSSEC protocols, which are intended to protect DNS integrity, to consume excessive resources on a resolver, causing a denial of service (DoS) for legitimate users. It affects not only Microsoft’s DNS implementations but also several other DNS servers. The vulnerability was made public by researchers from several German universities and research labs, who named it “KEYTRAP” and released a paper with details.

Noteworthy

  • CVE-2024-30103 – Microsoft Outlook Remote Code Execution Vulnerability

This RCE is noteworthy because it is a zero-click vulnerability that requires no user interaction to execute. In this exploit, an attacker abuses the preview pane in Microsoft Outlook to bypass the Outlook registry block lists and enable the creation of malicious DLL files. In practice, a victim just needs to open an email and the exploit executes on its own; no further action is required. This lack of required user interaction, combined with the straightforward nature of the exploit, increases the likelihood that adversaries will leverage this vulnerability for initial access. Once an attacker successfully exploits this vulnerability, they can execute arbitrary code with the same privileges as the user, potentially leading to a full system compromise.

This vulnerability was discovered by Morphisec researchers and is not yet publicly disclosed. However, they have noted that they will release the technical details in the coming weeks. It is recommended to update Microsoft Outlook clients immediately to mitigate the risk associated with this vulnerability.

Countermeasures and Patches

  • Apply patches as soon as possible, after appropriate testing.

References

SANS Report: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202024/31000

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto