I have successfully navigated the challenges of Summer Hacker Camp, and I trust you have as well. As we transition back into our routines, we find ourselves at the onset of Patch Tuesday, coinciding with the release of new vulnerabilities. Microsoft and Adobe have unveiled their latest updates, inviting us to pause and delve into the intricacies of their security alerts.
Adobe Patches for August 2024
This month, Adobe has rolled out 11 security bulletins addressing a total of 71 CVEs across various applications, including Adobe Illustrator, Photoshop, InDesign, Acrobat and Reader, and more. Notably, 14 of these vulnerabilities were reported through the Zero Day Initiative (ZDI) program. Among the updates, the most significant pertains to Adobe Commerce, which addresses several critical code execution vulnerabilities. The patch for InDesign also rectifies multiple code execution issues, while the updates for Acrobat and Reader are particularly concerning due to the frequent use of maliciously crafted PDFs in ransomware attacks.
The updates for other applications include:
- Photoshop: Fixes a single critical-rated CVE that could lead to code execution.
- Substance 3D Stager: Addresses one critical-rated CVE.
- InCopy: Resolves a critical-rated vulnerability.
- Substance 3D Designer: Corrects one critical-rated CVE.
- Illustrator: Fixes seven bugs, primarily rated as Important.
- Dimension: Addresses three critical and three important vulnerabilities.
- Bridge: Fixes three bugs reported by ZDI’s Mat Powell.
- Substance 3D Sampler: Fixes four bugs.
None of the vulnerabilities addressed by Adobe this month are currently known to be publicly exploited or under active attack, and Adobe categorizes the updates with a deployment priority rating of 3.
Microsoft Patches for August 2024
Microsoft has released a substantial update this month, introducing 90 new CVEs across various platforms, including Windows, Office, .NET, Azure, and more. When accounting for third-party vulnerabilities, the total CVE count reaches 102. Among these, four vulnerabilities were reported through the ZDI program, with one noted as being under active exploitation.
The severity ratings for this release are as follows:
- Seven vulnerabilities rated as Critical
- 79 vulnerabilities rated as Important
- One vulnerability rated as Moderate
This month’s release is particularly noteworthy due to the number of vulnerabilities listed as publicly known or under active attack. Four CVEs are publicly known, while six others are actively exploited. Let’s explore some of the more critical updates:
- CVE-2024-38178 – Scripting Engine Memory Corruption Vulnerability: Exploitation requires Edge to be in Internet Explorer mode. With that condition met, a simple link click is enough for code execution.
- CVE-2024-38193 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: This privilege escalation bug enables attackers to execute code as SYSTEM and is often paired with other vulnerabilities.
- CVE-2024-38106 – Windows Kernel Elevation of Privilege Vulnerability: Another privilege escalation vulnerability under active attack, leading to SYSTEM privileges.
- CVE-2024-38107 – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability: This bug affects the Power Dependency Coordinator, a component introduced in Windows 8.
- CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability: A code execution vulnerability in Project that is being exploited. Exploitation requires specific conditions to be met.
For those interested in cybersecurity and staying ahead of potential threats, these updates from Microsoft and Adobe are critical. As always, timely application of patches remains one of the most effective strategies in maintaining robust security postures.