Microsoft Discloses ‘Gargantuan’ Release Of Patch Tuesday Fixes: Researcher

The 138 new CVEs (Common Vulnerabilities and Exposures) is ‘just shy of the record’ for Microsoft’s monthly release of security fixes, writes Trend Micro’s Dustin Childs.

Microsoft made fixes available Tuesday for five critical vulnerabilities as part of its July patch release — while disclosing fixes for a near-record number of new CVEs (Common Vulnerabilities and Exposures) overall, according to a Trend Micro researcher.

The flaws received patches as part of Microsoft’s monthly release of software bug fixes, popularly known as “Patch Tuesday.”

[Related: CrowdStrike CEO George Kurtz: Microsoft Recall Shows Security Promises Are ‘Purely Lip Service’]

Microsoft released a total of 138 new CVEs on Tuesday, which is a “gargantuan” number for a single month, wrote Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a blog post.

As usual, the patches address vulnerabilities that affect numerous Microsoft product segments including Windows, Office, Azure, .NET, Visual Studio, SQL Server and Windows Hyper-V.

“This release is another huge bunch of fixes from Redmond, just shy of the record 147 CVEs from back in April this year,” Childs wrote in the post.

Two of the vulnerabilities have been singled out as having seen exploitation — a Hyper-V privilege escalation flaw (tracked at CVE-2024-38080) and a Windows spoofing bug (tracked at CVE-2024-38112). Both vulnerabilities have received a severity rating that is shy of the “critical” threshold, Microsoft said.

Critical-Severity Bugs

The five bugs rated as “critical” in severity are all remote code execution vulnerabilities, three of which impact Windows Remote Desktop (CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077), according to Microsoft.

The remaining new critical vulnerabilities disclosed Tuesday affect Windows (CVE-2024-38060) and SharePoint (CVE-2024-38023), Microsoft said.

Childs noted that some of the newly disclosed vulnerabilities, including the critical Windows flaw (CVE-2024-38060), should be prioritized for expedited patching deployment.

“This [Windows] bug does require the attacker to be authenticated, but any authenticated user could abuse it,” he wrote in the post. “There are no workarounds either, so test and deploy the patch quickly.”

The large number of code execution vulnerabilities in the monthly patch release is also notable, according to Childs.

“There are a total of 59 code execution bugs in this release, which is more CVEs than the entire June release,” he wrote, though he added that 38 of the flaws “are related to SQL Server and require a user to connect to a malicious SQL server database.”

“That does seem unlikely, but it could be used as a post-exploitation technique for lateral movement,” Childs wrote.