
Patch Tuesday July 2024: Two Active Exploitations and Exchange Data Breach Notifications

It’s not only the summer heat that’s causing system administrators to sweat this month. July sees Microsoft releasing fixes to address 142 vulnerabilities! Alongside the increased number of vulnerabilities versus the previous month, there are also two vulnerabilities Under Active Exploitation that have the potential to keep security and operations teams busy. One of these zero-day vulnerabilities Under Exploit has a huge footprint, as it affects all versions since Windows 2008 R2, and the second affects Windows Hyper-V, so it has the potential to affect mission-critical assets.

However, of perhaps even greater importance is an issue raised by Kevin Beaumont in a LinkedIn post concerning data breach notifications from Microsoft about Microsoft 365 customer data. In short, if you use Microsoft 365 you should be searching for any emails from [email protected] across all tenants.

Microsoft Vulnerabilities

Of the 142 vulnerabilities that have received fixes this month, four are previously undisclosed zero-day vulnerabilities, two of which are Under Active Exploitation. The five critical vulnerabilities addressed this month are all RCEs. While none of these vulnerabilities carry any catchy celebrity names, they all represent significant risks that should make them priority items.

The two Actively Exploited zero-days—CVE-2024-38080 Windows Hyper-V Elevation of Privilege Vulnerability and CVE-2024-38112 Windows MSHTML Platform Spoofing Vulnerability—should be trivial to deal with as they can both be addressed by applying either CUs or Security Updates for affected systems.

CVE-2024-38080 only affects Windows Server 2022 and Windows 11 and the effort to address this vulnerability boils down to applying KB5040438, KB5040442, KB5040431, or KB5040437, which should make this vulnerability easy for teams to address.

CVE-2024-38112 affects a much larger install base of Windows systems. All Windows systems from Windows Server 2008 onward are affected by this vulnerability. Information about this vulnerability is currently sparse. Microsoft only mentions that the vulnerability requires an attacker to take pre-stage actions on a system before the vulnerability can be leveraged, but once a system is prepped the vulnerability can be exploited with a malicious file that would be executed on the endpoint. Since details are so sparse, this could also mean that some systems have already been configured in such a way that they are susceptible to the vulnerability. The lack of details and the fact that this vulnerability is currently being exploited should make defenders a little uneasy; however, the good news is that the fix is only a patch away.
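Since both actively exploited zero-days are fixed by the July cumulative updates, the first thing to verify is which hosts already carry one of the KBs listed above for CVE-2024-38080. The following PowerShell is an added example, not code from the N-able post or from Microsoft: it queries each host's installed-update list with Get-HotFix and reports whether any of the four July 2024 KBs named in the post is present. The hostnames in the usage line are assumptions; substitute your own inventory.

```powershell
# Added example (not from the post): check Windows 11 / Server 2022 hosts for the
# July 2024 cumulative updates the post names for CVE-2024-38080.
# KB ids come from the post; computer names below are assumed placeholders.

$July2024Kbs = @('KB5040438', 'KB5040442', 'KB5040431', 'KB5040437')

function Test-July2024Cu {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$KnownGoodKbs = $July2024Kbs
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering, which lists installed
            # cumulative updates by their KB id in the HotFixID property.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID
        }
        catch {
            # Unreachable or access-denied hosts are reported, not silently skipped,
            # so they show up in the same list as unpatched machines.
            [pscustomobject]@{
                Computer = $computer
                Status   = 'Unreachable'
                Matched  = $null
                Error    = $_.Exception.Message
            }
            continue
        }

        $matched = $installed | Where-Object { $KnownGoodKbs -contains $_ }
        [pscustomobject]@{
            Computer = $computer
            Status   = if ($matched) { 'Patched' } else { 'Needs July 2024 CU' }
            Matched  = ($matched -join ',')
            Error    = $null
        }
    }
}

# Usage with hypothetical hostnames:
Test-July2024Cu -ComputerName 'hv-01', 'hv-02', 'win11-lab' | Format-Table -AutoSize
```

One caveat worth building into any such check: cumulative updates are superseded, so a host that received a later month's CU will not list these KB ids and would be reported as needing the update. Either extend the known-good list as later CUs ship, or compare the OS build number instead of KB ids once you have the post-update build for each SKU.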

The other two zero-days that are not currently under exploitation are CVE-2024-35264, a .NET and Visual Studio Remote Code Execution vulnerability, and CVE-2024-37985, which affects Windows 11 ARM-based systems. The much smaller deployment base than the two actively exploited zero-days means these two may not get much initial attention, but as with any vulnerability you will still need to perform appropriate risk evaluations and apply fixes in a timely manner.

Did You Check Your Email? No, the Other Email.

It is super important to know how any vendors you interact with will provide notifications of data breaches. Will it be a phone call, an email, or a certified letter? Knowing where to look for these notifications is just part of having your processes and procedures figured out and documented. But those channels of communication aren’t always one hundred percent reliable.

The notification process for alerting M365 customers that they were subject to the Midnight Blizzard data breach ran into some issues this June and July. The apparent failure was due to Microsoft not providing notifications in the portal and relying only on sending notification emails to tenant admins, which don’t always have mailboxes set up and are often unmonitored.

It’s recommended you search your incoming mail archive or any catch-all addresses for any emails from [email protected] since Microsoft initially disclosed the Midnight Blizzard breach in March.
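For tenants where the notification may have landed in an unmonitored admin or catch-all mailbox, a content search across every Exchange Online mailbox reaches back far further than message trace does. The script below is an added example, not code from the N-able post or from Microsoft: it creates, starts and polls a compliance search for mail from the notification sender received since March 2024, then lists the mailboxes that hold hits. The sender address is a placeholder because it is obfuscated in the copy of the post used here; the March 2024 date and the search name are assumptions.

```powershell
# Added example (not from the post): search all Exchange Online mailboxes for mail
# from the Microsoft breach-notification sender since March 2024.
# Requires the ExchangeOnlineManagement module and an account holding
# eDiscovery / Compliance Search permissions in the tenant.
# <notification-sender> is a placeholder; the post's sender address is obfuscated
# in this copy, so substitute the address given in the post.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

$Sender     = '<notification-sender>'      # placeholder, see comment above
$Since      = '2024-03-01'                 # month Microsoft first disclosed the breach, per the post
$SearchName = "MS-Breach-Notification-$(Get-Date -Format yyyyMMdd)"

# KQL: restrict to the sender and put a lower bound on the received date
$Query = "from:$Sender AND received>=$Since"

# ExchangeLocation All covers user, shared and catch-all mailboxes alike
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search finishes (Completed) or fails, instead of assuming it is instant
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -notin @('Completed', 'Failed'))

if ($search.Status -ne 'Completed') {
    throw "Search $SearchName ended with status $($search.Status)"
}

"$($search.Items) matching item(s) found across the tenant"

# SuccessResults is one line per location, e.g. "Location: user@contoso.com, Item count: 2, Total size: 40000";
# keep only mailboxes that actually contain hits.
$search.SuccessResults -split '\r?\n' |
    Where-Object { $_ -match 'Item count: (\d+)' -and [int]$Matches[1] -gt 0 }
```

Run it once per tenant you administer, since a compliance search is scoped to the tenant the session is connected to. If the hit list includes an admin mailbox nobody reads, that is exactly the failure mode the post describes, and forwarding or monitoring that mailbox is the fix.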

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

| CVE Number | CVE Title | Severity | Status |
|---|---|---|---|
| CVE-2024-38112 | Windows MSHTML Platform Spoofing Vulnerability | I | ED |
| CVE-2024-38080 | Windows Hyper-V Elevation of Privilege Vulnerability | I | ED |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | I | ED |
| CVE-2024-38076 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-38074 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-38077 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-38060 | Windows Imaging Component Remote Code Execution Vulnerability | C | EML |
| CVE-2024-38023 | Microsoft SharePoint Server Remote Code Execution Vulnerability | C | EML |
| CVE-2024-38099 | Windows Remote Desktop Licensing Service Denial of Service Vulnerability | I | EML |
| CVE-2024-38094 | Microsoft SharePoint Remote Code Execution Vulnerability | I | EML |
| CVE-2024-38079 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38066 | Windows Win32k Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38052 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38021 | Microsoft Outlook Remote Code Execution Vulnerability | I | EML |
| CVE-2024-38100 | Windows File Explorer Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38085 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38059 | Win32k Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38054 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-38024 | Microsoft SharePoint Server Remote Code Execution Vulnerability | I | EML |
| CVE-2024-39684 | Github: CVE-2024-39684 TenCent RapidJSON Elevation of Privilege Vulnerability | M | EML |
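The prioritization argument above (exploitation status first, severity second, with known zero-days treated like Exploitation Detected) is easy to make mechanical. The script below is an added example, not code from the N-able post: it embeds the table above as CSV, ranks the rows by exploitation status and then by severity, and flags the zero-days named earlier in the post. The numeric rank values are assumptions; the CVE rows, severity and status codes are the post's own.

```powershell
# Added example (not from the post): rank this month's table by exploitation
# status first and severity second. Rows are copied from the post's table;
# the rank weights below are assumptions you can tune.

$TableCsv = @'
CVE,Title,Severity,Status
CVE-2024-38112,Windows MSHTML Platform Spoofing Vulnerability,I,ED
CVE-2024-38080,Windows Hyper-V Elevation of Privilege Vulnerability,I,ED
CVE-2023-24932,Secure Boot Security Feature Bypass Vulnerability,I,ED
CVE-2024-38076,Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability,C,ELL
CVE-2024-38074,Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability,C,ELL
CVE-2024-38077,Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability,C,ELL
CVE-2024-38060,Windows Imaging Component Remote Code Execution Vulnerability,C,EML
CVE-2024-38023,Microsoft SharePoint Server Remote Code Execution Vulnerability,C,EML
CVE-2024-38099,Windows Remote Desktop Licensing Service Denial of Service Vulnerability,I,EML
CVE-2024-38094,Microsoft SharePoint Remote Code Execution Vulnerability,I,EML
CVE-2024-38079,Windows Graphics Component Elevation of Privilege Vulnerability,I,EML
CVE-2024-38066,Windows Win32k Elevation of Privilege Vulnerability,I,EML
CVE-2024-38052,Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability,I,EML
CVE-2024-38021,Microsoft Outlook Remote Code Execution Vulnerability,I,EML
CVE-2024-38100,Windows File Explorer Elevation of Privilege Vulnerability,I,EML
CVE-2024-38085,Windows Graphics Component Elevation of Privilege Vulnerability,I,EML
CVE-2024-38059,Win32k Elevation of Privilege Vulnerability,I,EML
CVE-2024-38054,Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability,I,EML
CVE-2024-38024,Microsoft SharePoint Server Remote Code Execution Vulnerability,I,EML
CVE-2024-39684,Github: CVE-2024-39684 TenCent RapidJSON Elevation of Privilege Vulnerability,M,EML
'@

# Lower number = handle sooner. Status outranks severity, matching the post's key.
$StatusRank   = @{ ED = 0; EML = 1; ELL = 2; EU = 3; 'N/A' = 4 }
$SeverityRank = @{ C = 0; I = 1; M = 2; R = 3 }

# Zero-days the post names this month (two are not in the table but are kept for reuse)
$ZeroDays = @('CVE-2024-38112', 'CVE-2024-38080', 'CVE-2024-35264', 'CVE-2024-37985')

function Get-PatchPriority {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [string[]]$ZeroDayCves = @()
    )
    $Csv | ConvertFrom-Csv | ForEach-Object {
        $isZeroDay = $ZeroDayCves -contains $_.CVE
        # A zero-day is ranked as if Exploitation Detected, whatever the vendor status says
        $statusKey = if ($isZeroDay) { 'ED' } else { $_.Status }
        $tier = $StatusRank[$statusKey]
        if ($null -eq $tier) { $tier = 9 }   # unknown status codes sink to the bottom

        [pscustomobject]@{
            Tier     = $tier
            CVE      = $_.CVE
            Severity = $_.Severity
            Status   = $_.Status
            ZeroDay  = $isZeroDay
            Title    = $_.Title
        }
    } | Sort-Object Tier, { $SeverityRank[$_.Severity] }, CVE
}

Get-PatchPriority -Csv $TableCsv -ZeroDayCves $ZeroDays |
    Format-Table Tier, CVE, Severity, Status, ZeroDay, Title -AutoSize
```

With these weights the three Exploitation Detected rows come first, then the five critical RCEs rated Exploitation More Likely, then the important EML rows, and the three critical but Exploitation Less Likely Remote Desktop Licensing RCEs land below them. That last group is the point of the exercise: a severity-only sort would have put those three at the top.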

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd 

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.