Software giant Microsoft on Tuesday rolled a massive batch of updates to fix security flaws in the Windows ecosystem and warned that attackers are already exploiting a Windows Hyper-V privilege escalation bug in the wild.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in a barebones bulletin that marks the Hyper-V issue in the “exploitation detected” category.
The Windows Hyper-V vulnerability, tagged as CVE-2024-38080, was anonymously reported to Redmond’s security response center. It carries a CVSS severity score of 7.8/10.
Microsoft did not share any additional details on the observed attacks or any data or telemetry to help defenders hunt for signs of infection.
Separately, the company called urgent attention to a Windows MSHTML Platform spoofing vulnerability (CVE-2024-38112) that’s also marked as exploited in the wild.
“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. An attacker would have to send the victim a malicious file that the victim would have to execute,” Microsoft said.
The two exploited zero-days headline a massive batch of Patch Tuesday releases that includes fixes for more than 140 vulnerabilities across the Windows ecosystem. Of the 143 documented bugs, five are rated critical, Microsoft’s highest severity rating.
Security experts are urging Windows sysadmins to pay special attention to a critical remote code execution vulnerability — CVE-2024-38023 — in Microsoft Office SharePoint that’s likely to be exploited by attackers.
THe Office SharePoint flaw could allow an authenticated attacker with Site Owner permissions or higher to upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of file’s parameters.
“This would enable the attacker to perform remote code execution in the context of the SharePoint Server,” Microsoft confirmed, noting that an authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.
The Microsoft patches also provide cover for critical-severity remote code execution flaws in Windows Imaging Component and Windows Desktop Remote Licensing.
Microsoft’s patches come on the same day software maker Adobe shipped critical-severity patches for security defects in the Adobe Premiere Pro, Adobe InDesign and Adobe Bridge product lines.
“Successful exploitation could lead to arbitrary code execution,” the company warned. The Adobe issues affect both Windows and macOS users.
Related: Microsoft’s Security Chickens Have Come Home to Roost
Related: BlastRADIUS Attack Exposes Critical Flaw in 30-Year-Old RADIUS Protocol
Related: SAP Patches High-Severity Vulnerabilities in PDCE, Commerce