Microsoft’s August 2024 Patch Tuesday Update
Microsoft has rolled out its August 2024 Patch Tuesday updates, addressing a total of 89 security vulnerabilities across its software ecosystem. This month's updates are particularly significant, as they include fixes for six actively exploited zero-day vulnerabilities and three others that had been publicly disclosed. Notably, Microsoft is still in the process of developing a patch for a tenth zero-day vulnerability that has been publicly disclosed.
Breakdown of Vulnerabilities
The August 2024 updates tackle a range of critical security flaws. Among the 89 vulnerabilities patched, eight are classified as critical, including issues related to elevation of privileges, remote code execution, and information disclosure. Here's a summary of the vulnerability categories addressed:
• 36 Elevation of Privilege Vulnerabilities
• 4 Security Feature Bypass Vulnerabilities
• 28 Remote Code Execution Vulnerabilities
• 8 Information Disclosure Vulnerabilities
• 6 Denial of Service Vulnerabilities
• 7 Spoofing Vulnerabilities
It's important to note that these figures do not include vulnerabilities specific to Microsoft Edge, which were disclosed earlier in the month.
Zero-Day Vulnerabilities in Focus
This Patch Tuesday is particularly notable for the attention given to zero-day vulnerabilities. Six of these have been actively exploited, while three others were publicly disclosed before a patch was made available. Unfortunately, one publicly disclosed zero-day remains unpatched, though Microsoft is actively working on a fix.
Microsoft categorises a zero-day vulnerability as one that has been publicly disclosed or actively exploited without an available official fix. The actively exploited zero-day vulnerabilities patched this month include:
• CVE-2024-38178 - Scripting Engine Memory Corruption Vulnerability
This flaw, which requires an authenticated user to click a link in Microsoft Edge (using Internet Explorer mode), can lead to remote code execution. Despite the complex exploitation process, the South Korean National Cyber Security Center (NCSC) and AhnLab have confirmed its use in real-world attacks.
• CVE-2024-38193 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Discovered by researchers Luigino Camastra and Milánek with Gen Digital, this vulnerability enables attackers to gain SYSTEM privileges on Windows systems. Microsoft has not released further details about the disclosure.
• CVE-2024-38213 - Windows Mark of the Web Security Feature Bypass Vulnerability
This flaw allows attackers to bypass Windows Mark of the Web security alerts, a protection that phishing campaigns frequently try to defeat. Peter Girnus of Trend Micro's Zero Day Initiative discovered the vulnerability, though specific exploitation details have not been shared.
• CVE-2024-38106 - Windows Kernel Elevation of Privilege Vulnerability
This vulnerability requires an attacker to win a race condition to gain SYSTEM privileges. Microsoft has not disclosed the source of the discovery or the methods of exploitation.
• CVE-2024-38107 - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
Like the previous vulnerability, this flaw also grants SYSTEM privileges. Microsoft has not released details about its disclosure or exploitation.
• CVE-2024-38189 - Microsoft Project Remote Code Execution Vulnerability
This remote code execution vulnerability in Microsoft Project requires security features to be disabled for exploitation. Attackers need to trick users into opening a malicious file, typically through phishing campaigns. The details of its discovery remain under wraps.
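The Mark of the Web bypass (CVE-2024-38213) above matters because Windows decides whether to show SmartScreen and Protected View warnings by looking for a Zone.Identifier alternate data stream on the downloaded file. The script below is an added example, not code from the article or from Microsoft: it audits a folder of downloads and reports files that carry no Zone.Identifier stream, which is the observable condition a bypass leaves behind. It assumes a Windows host with an NTFS volume, the built-in Get-ChildItem, Get-Item and Get-Content cmdlets, and a default path of the current user's Downloads folder (an assumption you can override).

```powershell
# Added example (not from the article): report downloaded files that lack
# the Mark of the Web (the Zone.Identifier alternate data stream).
# Assumes Windows, an NTFS volume and built-in cmdlets only.

function Get-MotwStatus {
    param(
        # Folder to audit; the Downloads folder is an assumed default.
        [string]$Path = "$env:USERPROFILE\Downloads"
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        $zoneId = $null

        # Get-Item -Stream returns $null (with the error suppressed) when the
        # file has no Zone.Identifier stream, i.e. no Mark of the Web.
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            # The stream is a small INI-style text block; ZoneId=3 means the
            # file came from the Internet zone, ZoneId=4 from Restricted Sites.
            $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in $lines) {
                if ($line -match '^ZoneId=(\d+)\s*$') {
                    $zoneId = [int]$Matches[1]
                }
            }
        }

        [pscustomobject]@{
            File    = $file.FullName
            Size    = $file.Length
            HasMotW = ($null -ne $stream)
            ZoneId  = $zoneId
        }
    }
}

# Usage: list every file in the audited folder that carries no Mark of the Web.
Get-MotwStatus | Where-Object { -not $_.HasMotW } | Format-Table -AutoSize
```

A file downloaded by a browser or mail client normally shows HasMotW = True with ZoneId = 3. Files that arrived through a channel that strips the stream (archives extracted by some tools, copies from non-NTFS media, or a bypass of the kind the advisory describes) show HasMotW = False and will open without the usual warning, which is why such files deserve a second look before they are opened.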
Publicly Disclosed Vulnerabilities
In addition to the actively exploited zero-days, three publicly disclosed vulnerabilities have been patched this month:
• CVE-2024-38199 - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
This vulnerability allows an unauthenticated attacker to execute code remotely by sending a specially crafted print task to a vulnerable LPD service. The flaw was disclosed anonymously.
• CVE-2024-21302 - Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Disclosed during a Black Hat 2024 talk by SafeBreach security researcher Alon Leviev, this vulnerability allows attackers to gain elevated privileges by downgrading fully updated Windows systems to reintroduce old vulnerabilities.
• CVE-2024-38200 - Microsoft Office Spoofing Vulnerability
Disclosed at Defcon, this vulnerability allows attackers to expose NTLM hashes by tricking users into opening a malicious file. The flaw was discovered by Jim Rush with PrivSec and was fixed via a Microsoft Office Feature update in late July 2024.
Ongoing Developments and Other Vendor Updates
While Microsoft has made significant strides with its August 2024 updates, the cyber security landscape continues to evolve. Several other vendors have released their own advisories this month, including:
• A zero-day vulnerability that allows malicious websites to bypass browser security features and access local network services.
• Android's August security updates addressing actively exploited remote code execution flaws.
• CISA's warning about the abuse of Cisco's Smart Install feature in attacks.
• Cisco's alert regarding critical remote code execution vulnerabilities in end-of-life Small Business IP phones.
• A new "GhostWrite" vulnerability affecting T-Head XuanTie RISC-V CPUs.
• Ivanti's updates for a critical authentication bypass with a public exploit.
• Microsoft’s warning about a new Office flaw, CVE-2024-38200, that leaks NTLM hashes.
To explore the full list of vulnerabilities resolved in the August 2024 Patch Tuesday updates, you can access the comprehensive report here.