10 July 2024

Microsoft July 2024 Patch Tuesday fixes two zero-days


Microsoft July 2024 Patch Tuesday fixes two zero-days

Microsoft has rolled out its July 2024 Patch Tuesday security updates designed to fix over 140 vulnerabilities across a wide range of products. The release also includes fixes for two actively exploited zero-day vulnerabilities.

One of the zero-days is a Windows Hyper-V elevation of privilege vulnerability (CVE-2024-38080), which exists due to integer overflow in Windows Hyper-V component. A local user can trigger an integer overflow and execute arbitrary code with SYSTEM privileges. The flaw affects Windows versions before 11 23H2 10.0.22631.3880 and Windows Server versions before 2022 10.0.20348.2582.

The second zero-day flaw (CVE-2024-38112) affects Windows MSHTML Platform and can be exploited by a remote attacker to perform spoofing attack and trick the victim into executing a specially crafted file. The issue impacts Microsoft Internet Explorer v 11 - 11.1790.17763.0, Windows: before 11 23H2 10.0.22631.3880, Windows Server: before 2022 10.0.20348.2582.

In addition, Microsoft has fixed two previously disclosed security vulnerabilities tracked as CVE-2024-35264 (.NET and Visual Studio remote code execution bug) and CVE-2024-37985 (an information disclosure issue).

Besides the above-mentioned flaws, the Windows maker addressed a slew of high-severity vulnerabilities affecting Microsoft Office, Microsoft Windows Remote Desktop Licensing Service, Microsoft Windows MultiPoint Services, Microsoft Windows Graphics Component, OLE DB Driver for SQL Server, SQL Server Native Client OLE DB Provider, and other components.

Back to the list

Latest Posts

Daggerfly APT targets Taiwanese orgs and US NGO in China with upgraded malware arsenal

Daggerfly APT targets Taiwanese orgs and US NGO in China with upgraded malware arsenal

The attackers exploited a bug in an Apache HTTP server to deliver the MgBot malware.
23 July 2024
New FrostyGoop ICS malware left over 600 apartment buildings in Ukraine without heat

New FrostyGoop ICS malware left over 600 apartment buildings in Ukraine without heat

The attackers likely gained access through a vulnerability in an externally facing Mikrotik router.
23 July 2024
NCA infiltrates, disrupts Digitalstress DDoS-for-Hire service

NCA infiltrates, disrupts Digitalstress DDoS-for-Hire service

The crackdown follows the arrest of one of the site's suspected admins earlier this month.
23 July 2024