It’s Tuesday, which means it’s patch notes from Microsoft, and today’s release brings home 142 bugs and four zero-days. July’s notes have a lot going on, with several notable zero-days; the two that caught my eye were one for Outlook/Office and one for .NET and Visual Studio, plus a lot else worth a look.
Notably, researchers from Morphisec have uncovered a critical remote code execution (RCE) vulnerability in Microsoft Outlook, labeled CVE-2024-38021. This discovery follows the previously identified CVE-2024-30103, a vulnerability disclosed in June.
CVE-2024-38021: A zero-click RCE in Outlook
This CVE represents a particularly alarming threat as it requires no user interaction for exploitation if the email is from a trusted sender. This zero-click nature of the vulnerability can lead to unauthorized access, data breaches, and the execution of arbitrary code, all without the user needing to click or open the email. The vulnerability requires one click for emails from untrusted senders, which still poses a significant risk.
Michael Gorelik, CTO at Morphisec, emphasized the gravity of the situation, stating, “Given the broader implications of this vulnerability, particularly its zero-click vector for trusted senders and its potential for much wider spread impact, we have requested Microsoft to reassess the severity and label it as ‘Critical.’”
For the time being, Microsoft has labeled it as “Important.”
Unlike the previous CVE, which requires some form of user authentication (e.g., an NTLM token), CVE-2024-38021 bypasses such requirements entirely. This difference significantly elevates the risk profile of the new vulnerability. According to the researchers, exploitation of CVE-2024-30103 involved bypassing Outlook registry block lists to create malicious DLL files, but it still demanded valid Exchange user credentials. In contrast, CVE-2024-38021 can be exploited without authentication, making it easier for attackers to execute.
The findings will be further detailed at the upcoming DEF CON 32 conference in Las Vegas, where Morphisec researchers will present their technical findings and proofs of concept for both CVEs. The “Outlook Unleashing RCE Chaos” presentation will provide deeper insights into the vulnerabilities and their implications.
CVE-2024-35264: RCE in Visual Studio and .NET
CVE-2024-35264 is a remote code execution vulnerability impacting Visual Studio and .NET. Classified as “Important,” this vulnerability stems from a use-after-free weakness and carries a CVSS score of 8.1. The flaw can be exploited over the network without user interaction or privileges.
However, the attack complexity is high, involving a race condition triggered by closing an HTTP/3 stream while the request body is still being processed.
CVE-2024-38112: MSHTML Platform Spoofing
Check Point Research recently uncovered a new method attackers use to exploit a vulnerability in Windows systems through Internet Shortcut files (.url). These malicious .url files are crafted to look like they open legitimate files, such as PDFs, but instead, they trigger Internet Explorer (IE) to access attacker-controlled websites. The attackers exploit IE’s known security weaknesses to run harmful code on the victim’s computer.
The attackers send a .url file to the victim, which would normally contain a simple link such as “URL=https://www.google.com”. These malicious files instead use a different format: an “mhtml:” prefix together with the special string “!x-usc:”, which deceives Windows into opening the link with IE. The file is named and designed to appear as a PDF link. When the user clicks it, thinking they are opening a PDF, IE launches and attempts to visit the malicious site specified in the .url file.
The concern here is significant because, although retired, IE is still part of Windows and can be exploited more easily than modern browsers like Chrome or Edge. This vulnerability, now identified as CVE-2024-38112, was unknown before the attackers used it, making it a zero-day vulnerability that gave them a substantial advantage.
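As an added example (not code from the article or from Check Point Research), here is a small Python check a defender could run over Internet Shortcut files from mail or download quarantines: it reads the URL= value and flags the two markers the article describes, the “mhtml:” prefix and the “!x-usc:” string, plus a filename that masquerades as a PDF. The sample .url contents and the example.invalid host are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample shortcut files (not taken from the article). A normal
# shortcut carries a plain "URL=" line; the abusive form described by
# Check Point prefixes the target with "mhtml:" and embeds "!x-usc:".
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.google.com
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/report.pdf!x-usc:http://example.invalid/report.pdf
"""


@dataclass
class UrlFileVerdict:
    url: str
    uses_mhtml: bool        # "mhtml:" prefix routes the link to IE
    uses_x_usc: bool        # "!x-usc:" marker used by the same trick
    looks_like_document: bool  # e.g. "report.pdf.url" posing as a PDF

    @property
    def suspicious(self) -> bool:
        # Either marker alone is enough to hand the link to IE; a legitimate
        # shortcut has no reason to use them, so treat either as a hit.
        return self.uses_mhtml or self.uses_x_usc


def parse_url_field(text: str) -> str:
    """Return the value of the URL= key from an Internet Shortcut file."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return ""


def assess_url_file(text: str, filename: str = "") -> UrlFileVerdict:
    """Classify one .url file by its target string and (optional) filename."""
    url = parse_url_field(text)
    lowered = url.lower()
    return UrlFileVerdict(
        url=url,
        uses_mhtml=lowered.startswith("mhtml:"),
        uses_x_usc="!x-usc:" in lowered,
        # A double extension like "something.pdf.url" is the masquerade
        # the article describes; plain "link.url" is not flagged.
        looks_like_document=bool(re.search(r"\.pdf\.url$", filename.lower())),
    )
```

Blocking the .url file type at the mail gateway, or alerting on any URL= value that starts with “mhtml:”, catches this pattern even on hosts where the July patch has not yet landed.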
There is a lot of other stuff worth looking at, too. Several critical vulnerabilities, such as CVE-2024-38077, CVE-2024-38074, and CVE-2024-38076, affect the Windows Remote Desktop service. Each flaw, with a CVSS score of 9.8, could be exploited through a malicious packet to trigger remote code execution.
Additionally, the update tackled CVE-2024-38053, a “ping-of-death” vulnerability in the Windows Layer Two Bridge Network. Similar to a previously patched flaw in the Windows WiFi driver (from June notes), this vulnerability allows attackers to send specially crafted data packets over a local network to install malicious software.
Then there is CVE-2024-38080, an elevation of privilege flaw in Windows Hyper-V. This vulnerability, caused by an integer overflow, allows attackers to gain SYSTEM privileges with low attack complexity and no user interaction required. The issue affects various Windows Server 2022 and Windows 11 versions, including both x64 and ARM64-based systems. Microsoft has confirmed active exploitation.
The other noteworthy vulnerability fixed this month is CVE-2024-38060, which impacts the Windows Imaging Component (WIC). This framework is used to parse images and related metadata. The flaw allows authenticated attackers to achieve remote code execution by uploading malicious TIFF images to a server.
Microsoft has fixed CVE-2024-37985 (disclosed by Intel), a publicly disclosed vulnerability related to a “FetchBench” side-channel attack. This issue could allow an attacker to steal sensitive information by viewing heap memory from a privileged process on the server. Exploitation requires specific preparatory actions by the attacker to set up the target environment, but the potential impact on data confidentiality makes it a critical fix.
I must say that tackling 142 bugs in total is no small feat. Many threat actors will pay attention to these critical bugs, particularly RCEs that don’t require authentication. I am dying to know more about this Outlook bug because, depending on its actual severity, it might shake up the rest of the year. DEF CON is only a month away!
This article was updated on July 10 at 9:25 GMT to include two additional noteworthy vulnerabilities suggested by a reader.