Busy Microsoft Patch Tuesday Fixes Six Actively Exploited Zero Days

Nine critical flaws were also patched.

Microsoft's August Patch Tuesday features fixes for 90 flaws, with six of them actively exploited.

These include elevation of privileges (EoP), remote code execution (RCE) and information disclosure vulnerabilities.

Actively Exploited Zero Days

The actively exploited zero-day vulnerabilities are as follows.

CVE-2024-38178 (CVSS severity score 7.5 out of 10) is a scripting engine memory corruption flaw that allows an attacker to initiate RCE. It requires the user to click a link in Microsoft Edge in Internet Explorer mode. Internet Explorer Mode is used for old websites or applications built specifically for Internet Explorer and not supported by modern browsers.

"While this is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration," said Kev Breen, senior director of threat research at Immersive Labs.

Chris Goettl, VP of security product management at Ivanti, said: "The attacker would need to prepare the target so that it would use Edge in Internet Explorer Mode to execute a specially crafted file. Risk-based guidance would treat this update as a higher severity than Important and remediate as soon as possible."

CVE-2024-38193 (CVSS 7.8) is a privilege escalation glitch enabling an attacker to gain SYSTEM privileges on Windows systems by exploiting the Windows Ancillary Function Driver for WinSock. It affects Windows Server 2008 and later versions. Microsoft's information on this bug is scant, but the attack has low complexity and requires no user interaction, making it a high-risk vulnerability.

Adam Barnett, lead software engineer at Rapid7, commented: "Successful exploitation is via a use-after-free memory management bug, and could lead to SYSTEM privileges. The advisory doesn't provide further clues, but with existing in-the-wild exploitation, low attack complexity, no user interaction, and low privileges required, this is one to patch immediately to keep malware at bay."

CVE-2024-38189 (CVSS 8.8) is an RCE flaw in Microsoft Project. It requires users to disable security features, such as blocking macros from running in Office files from the Internet and disabling VBA Macro Notification Settings. Attackers would then need to trick users into opening a malicious file. Users are advised to update Office installations.

"An attacker can create a malicious Office Project and send it to the victim either as an attachment, in an email, or as a link to a file hosted on a website," said Breen. "If a victim downloads and opens the attachment, the attacker is able to execute code on the target host. This is not dissimilar to many common phishing attacks where threat actors will name their weaponized documents to play on human social behaviors, socially engineering them into opening the file."

Goettl advised: "If you have limited control over the mitigating policy settings or have an open BYOD policy, then updating Office could be more urgent to reduce your exposure."

CVE-2024-38107 (CVSS 7.8) is another privilege escalation bug, allowing an attacker to gain SYSTEM privileges by exploiting the Windows Power Dependency Coordinator.

"This vulnerability requires no user interaction, has low attack complexity and requires low privileges. Patch all your Windows assets sooner rather than later," advised Barnett.

A third EoP zero day is CVE-2024-38106 (CVSS 7.0), which requires the attacker to win a race condition in the Windows kernel. Again, Microsoft's advisory provides little detail, but it affects Windows 10 and later editions. "Exploits have been detected in the wild," said Goettl, adding that it is one to remediate as soon as possible.

CVE-2024-38213 (CVSS 6.5) enables a threat actor to evade the "Mark of the Web" security feature in Windows, which is designed to warn users about files downloaded from the Internet, marking them as untrusted. It is not exploitable on its own but could be used as part of an exploit chain.

This bug "likely offers less utility to attackers than a broadly similar SmartScreen bypass published in February 2024, since unlike today's offering, the advisory for CVE-2024-21351 also described the potential for code injection into SmartScreen itself," commented Barnett. "The lower CVSSv3 base score for CVE-2024-21351 reflects that difference."

Other Zero Days

In addition to the six actively exploited flaws, Microsoft's August update patches three publicly disclosed zero-day vulnerabilities (CVE-2024-21302, CVE-2024-38202, CVE-2024-38199).

A tenth publicly disclosed zero-day bug, a Microsoft Office spoofing vulnerability (CVE-2024-38200, CVSS 6.5), has not yet been patched.

"An attacker could leverage this vulnerability [CVE-2024-38200] by enticing a victim to access a specially crafted file, likely via a phishing email," said Scott Caveza, staff research engineer at Tenable, adding that it could be used to expose New Technology LAN Manager (NTLM) hashes to the attacker.

"NTLM relay attacks have been observed by a Russian-based threat actor, APT28, who leveraged a similar vulnerability to carry out attacks – CVE-2023-23397, an EoP vulnerability in Microsoft Outlook patched in March 2023."

Nine Critical Vulnerabilities

A total of nine vulnerabilities classed as "critical" were fixed in this update, including CVE-2024-38063 (CVSS 9.8), a Windows TCP/IP RCE, allowing an unauthenticated attacker to send IPv6 packets, including specially crafted packets, to a Windows machine, which can lead to remote code execution. "This is rated as critical, so should be patched as soon as possible," said Diksha Ohja, technical content developer at Qualys.

CVE-2024-38109 (CVSS 9.1) is a critical severity EoP vulnerability affecting Azure Health Bot. Another, a hub spoofing vulnerability (CVE-2024-38108, CVSS 9.3), occurs in the Azure Stack.

Meanwhile, CVE-2024-38206 (CVSS 8.5) is a critical information disclosure vulnerability affecting Microsoft's Copilot Studio. "This vulnerability can be abused by an authenticated attacker to bypass server-side request forgery (SSRF) protections in order to leak potentially sensitive information," said Caveza.

This article originally appeared on our sister site, Computing.