Microsoft has released patches for security flaws
Microsoft has released patches addressing 143 security flaws as part of its monthly updates, including two actively exploited vulnerabilities: CVE-2024-38080 (Windows Hyper-V Elevation of Privilege) and CVE-2024-38112 (Windows MSHTML Platform Spoofing).
Among these flaws, five are rated Critical, 136 Important, and four Moderate.
The updates also include fixes for 33 vulnerabilities in the Chromium-based Edge browser.
CVE-2024-38112 involves attackers using specially crafted Windows Internet Shortcut files to redirect victims to malicious URLs via Internet Explorer, bypassing more secure modern browsers. This attack technique has been in use since January 2023 and has targeted users in Turkey and Vietnam with malware named Atlantida, which steals login credentials and other sensitive data.
CVE-2024-38080 allows local, authenticated attackers to elevate privileges to SYSTEM level on compromised systems. It’s the first of 44 Hyper-V flaws to be exploited since 2022.
Other notable patches include CVE-2024-37985, a side-channel attack on Arm-based systems, and CVE-2024-35264, a remote code execution bug in .NET and Visual Studio. Additional fixes were made for SQL Server Native Client OLE DB Provider, Secure Boot security bypass vulnerabilities, PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol.
Microsoft has addressed several security flaws, including CVE-2024-38021, a severe remote code execution vulnerability in Microsoft Office with a CVSS score of 8.8. Reported by Morphisec, this zero-click flaw allows attackers to gain high privileges without user interaction, posing a significant risk. In response, Microsoft will start issuing CVE identifiers for cloud-related vulnerabilities to enhance transparency.
