Microsoft, Google, Mozilla and Adobe all have releases on the July 9, 2024, Patch Tuesday. Microsoft resolved 142 CVEs across five products, Mozilla resolved 16 CVEs in Firefox and Adobe resolved seven CVEs across three updates. Google Chrome is expected to release on or just after Patch Tuesday as well.

Microsoft is reporting two known exploited and two publicly disclosed vulnerabilities. Both known exploited vulnerabilities are in the Windows OS, as is one of the two public disclosures. The other disclosure affects .NET and Visual Studio.

Microsoft updates

  • Microsoft has resolved a spoofing vulnerability in Windows MSHTML Platform (CVE-2024-38112) that could allow an attacker to send a malicious file to a user to be executed across the network. The vulnerability affects all Windows OS versions and is confirmed to be exploited in the wild. Microsoft rates the severity as Important, and the CVSS 3.1 score is 7.5.
  • Microsoft has resolved an Elevation of Privilege vulnerability in Windows Hyper-V (CVE-2024-38080) that could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects Windows 11 and Server 2022 and has been exploited in the wild. Microsoft rates the severity as Important, and the CVSS 3.1 score is 7.8.
  • Microsoft has resolved an Information Disclosure vulnerability on Windows 11 ARM64-based systems (CVE-2024-37985) that could allow an attacker to view heap memory from a privileged process. The vulnerability has been publicly disclosed, but no code samples were made available as part of this disclosure. Microsoft rates the severity as Important, and the CVSS 3.1 score is 5.9.
  • Microsoft has resolved a Remote Code Execution vulnerability in .NET and Visual Studio (CVE-2024-35264). The vulnerability affects Visual Studio 2022 and .NET 8.0. The vulnerability has been publicly disclosed, but no code samples were made available as part of this disclosure. To exploit the vulnerability, an attacker would be required to win a race condition, making exploitation more difficult. Microsoft rates the severity as Important, and the CVSS 3.1 score is 8.1.

Third-party updates

  • Adobe released updates for Premiere Pro, InDesign and Bridge, resolving seven CVEs. There are critical CVEs included in all three updates, but Adobe has set all to Priority 3.
  • Mozilla Firefox and Firefox ESR updates have been released. Firefox 128 resolved 16 CVEs and ESR resolved five CVEs. Mozilla has set the severity for Firefox to High and Firefox ESR to Moderate.
  • Oracle’s Quarterly CPU is scheduled for July 16, 2024. Expect updates for a number of Oracle products, but this release will also kick off the domino effect on all Java frameworks like Red Hat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, AdoptOpenJDK and others.

Patch Tuesday priorities

  • The Windows OS updates are the priority this month. They resolve both zero-day vulnerabilities (CVE-2024-38112 and CVE-2024-38080) and one of the two publicly disclosed vulnerabilities (CVE-2024-37985).
  • Browser updates release frequently and resolve a lot of user-targeted vulnerabilities. Edge, Firefox and Chrome updates should be a continuous priority for every organization. Google releases security updates every week, which means Edge updates weekly as well. Firefox gets two to three updates per month on average.
  • Microsoft SQL Server had 39 unique CVEs this month. While the update is not rated as Critical and no exploits or disclosures affected SQL Server, this is a large number of CVEs. It would be good to get this one resolved as part of your monthly maintenance.
  • Be ready to update Java and other Oracle solutions after the July 16 CPU.