Summary & Key Takeaways
On July 9, Check Point published research detailing a high-severity remote code execution vulnerability (CVE-2024-38112) affecting Microsoft Windows clients and several versions of Windows Server.
CISA subsequently added it to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. CISA’s alert included a mandate that all affected Windows systems at federal agencies be updated or shut down by July 30, 2024.
As some exploits for this vulnerability are nearly one year old, private organizations must act quickly given the severity. Fortunately, Microsoft issued a patch on July 9 as part of its monthly Patch Tuesday.
Unfortunately, a significant percentage of Windows devices are fully exposed and at risk of being taken over by attackers. Specifically, based on Sevco Security analysis of data aggregated from visibility into over 500,000 endpoints running Windows 10 and Windows 11:
- More than 10% of devices are missing endpoint protection controls
- Nearly 9% are missing patch management controls
This means that CISOs and IT organizations are completely blind to tens of thousands of doors and windows (so to speak) wide open for attackers to breach networks and access crown jewel data.
Details
On July 9, 2024, Microsoft patched CVE-2024-38112, which it officially labeled as a “Windows MSHTML Platform Spoofing Vulnerability.”
The CheckPoint research team that discovered the vulnerability included the following warning in its research report:
“attackers are using special Windows Internet Shortcut files, which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL… By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”
Microsoft’s alert details that patches were issued for 32 versions of Windows clients and servers affected, primarily Windows 10 and Windows 11 as well as Windows Server 2019 and Windows Server 2022. Several older versions of Windows Server are also affected (Windows Server 2012 and 2008).
On the same day that Microsoft issued its patches, the Cybersecurity Infrastructure & Security Administration (CISA) published an alert that it added CVE-2024-38112 to its Known Vulnerability Catalog (KEV). The immediacy of the KEV alert and 21-day deadline for federal agencies to patch systems suggests that it has been actively exploited for a long period – nearly a year according to Check Point.
As a result, Sevco Security recommends that security and IT teams prioritize remediation of CVE-2024-38112 by patching affected systems immediately. Relying solely on patch management or configuration management tools to do so, however, will not completely mitigate the threat of exposure for organizations. The reason is that most organizations have sizable blind spots across their attack surface.
Over the past several years, Sevco Security has issued its semi-annual State of the Cybersecurity Attack Surface report, which examines how enterprises are struggling to get visibility into their IT assets.
Throughout enterprise environments, IT assets are missing critical controls such as endpoint protection and patch management, creating environmental vulnerabilities that leave paths to data exposed, and companies susceptible to malicious actors. Our latest report found that 28% of all IT assets are missing at least one critical control.
Zooming in on the specific part of the attack surface at risk because of CVE-2024-38112 – affected versions of Windows clients and servers – based on an analysis of more than 500,000 client devices, Sevco Security found that:
- More than 10% of Windows 10 and Windows 11 devices are missing endpoint protection controls
- Nearly 9% of Windows 10 and Windows 11 devices are missing patch management controls
Among the more than 140,000 Windows Servers affected by the vulnerability:
- Nearly 9% of affected Windows Servers are missing endpoint protection controls
- Nearly 19% of affected Windows Servers are missing patch management controls
When IT assets are missing endpoint security, malicious actors have a direct path to their networks. Devices and servers that are uncovered by endpoint protection solutions create a more dire threat because they aren’t being scanned for CVEs. And devices and servers missing from patch management tools may have CVEs on them, but they aren’t getting patched, leaving them open to exploitation by bad actors. Most enterprises are highly proficient at patching known IT assets, but it’s the unpatched, hidden or unknown assets that introduce the highest level of risk.
How Sevco Can Help
The findings in this report demonstrate that organizations have limited visibility into cyber asset attack surfaces, which upends the foundation of every major security framework and presents a challenge to security teams: they can’t protect what they can’t see.
Maintaining accuracy in a dynamic environment is a challenge, and enterprises are struggling to track changes over time. To truly understand your attack surface, you must be able to centralize known and surface previously unknown vulnerabilities in one place, prioritize the most critical issues across the environment, automate the remediation to fix priority issues, and validate that remediation efforts are actually completed.