Attackers are actively exploiting six of the roughly 90 vulnerabilities Microsoft disclosed in its August security update, which makes those six the primary concern for system administrators this Patch Tuesday. A further four Common Vulnerabilities and Exposures (CVEs) were publicly known before the August 13 release, so they also count as zero-days, although none of them had been seen exploited at the time. One in particular stands out: CVE-2024-38202, an elevation of privilege (EoP) vulnerability in the Windows Update Stack, for which Microsoft has not yet released a patch.
Unpatched Zero-Day
The unpatched flaw lets an attacker with basic user privileges reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). Microsoft has classified it as only moderately severe because exploitation requires tricking an administrator, or a user with delegated permissions, into performing a system restore. However, Scott Caveza, a staff research engineer at Tenable, warns that if an attacker combines CVE-2024-38202 with CVE-2024-21302, another EoP flaw affecting the Windows Secure Kernel, they could roll back software updates without any interaction from a privileged user. Caveza notes that while each vulnerability can be exploited on its own, chaining them could lead to more severe consequences.
In total, seven of the vulnerabilities disclosed in this update are rated Critical. The remaining 79 CVEs, including those under active exploitation, carry the Important rating, one step below Critical, largely because exploiting them requires some level of user interaction. Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), remarked on the unusual nature of having so many vulnerabilities publicly known or under active attack in a single release.
Zero-Days Under Active Exploit
Among the vulnerabilities under active attack, two allow remote code execution (RCE) on affected systems. The first, CVE-2024-38189, is an RCE flaw in Microsoft Project that endangers organizations that have disabled the VBA Macro Notification Settings. In that configuration, an attacker can execute arbitrary code by persuading a user to open a malicious Microsoft Project file. Childs expressed surprise at finding a code execution vulnerability in Project at all, let alone one that is being actively exploited.
The second zero-day RCE, CVE-2024-38178, is a memory corruption issue in the Windows Scripting Engine. Exploiting it requires the target to be running Microsoft Edge in Internet Explorer Mode and to be lured into clicking a specially crafted URL. Kev Breen, senior director of threat research at Immersive Labs, highlighted that while Internet Explorer Mode is not the default for most users, the active exploitation indicates that some organizations still rely on that configuration for legacy applications.
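Both RCE zero-days above only work against a particular client configuration: Project macros that run without a prompt for CVE-2024-38189, and Edge with Internet Explorer Mode switched on for CVE-2024-38178. The following PowerShell audit, written for this page rather than taken from Microsoft or any of the researchers quoted, reads the policy registry values that control those two settings and reports whether a workstation is in the exploitable state. It assumes Office/Project 2016 or later (registry version key 16.0), macro settings delivered through the usual Office Policies hive, and Edge managed through its ADMX policies under HKLM; the function and property names are my own.

```powershell
# Added exposure audit for CVE-2024-38189 (Project macro RCE) and CVE-2024-38178
# (Scripting Engine RCE via IE mode). Illustrative code for this page, not Microsoft
# guidance or tooling. Assumptions: Office 16.0 registry schema, Edge policies in
# HKLM. Run in the context of the user being audited, since Office settings are HKCU.

function Get-RegistryValueOrNull {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value missing: treat as "not configured"
    }
}

function Test-ProjectMacroExposure {
    # Project's policy subkey is "MS Project" (assumed 16.0 schema).
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\MS Project\Security'
    $userKey   = 'HKCU:\Software\Microsoft\Office\16.0\MS Project\Security'

    # "Block macros from running in Office files from the Internet" policy:
    # 1 = macros in Mark-of-the-Web files are blocked regardless of VBAWarnings.
    $blockInternet = Get-RegistryValueOrNull -Path $policyKey -Name 'blockcontentexecutionfrominternet'

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office
    # default), 3 = disable except digitally signed, 4 = disable all silently.
    # A policy value overrides whatever the user chose in the Trust Center.
    $vbaWarnings = Get-RegistryValueOrNull -Path $policyKey -Name 'VBAWarnings'
    $source = 'policy'
    if ($null -eq $vbaWarnings) {
        $vbaWarnings = Get-RegistryValueOrNull -Path $userKey -Name 'VBAWarnings'
        $source = 'user'
    }
    if ($null -eq $vbaWarnings) { $vbaWarnings = 2; $source = 'default' }

    [pscustomobject]@{
        Check                 = 'CVE-2024-38189 (Microsoft Project macro RCE)'
        InternetMacrosBlocked = ($blockInternet -eq 1)
        VBAWarnings           = $vbaWarnings
        VBAWarningsSource     = $source
        # My reading of the advisory's precondition: the Internet-macro block is
        # off AND notification settings are either not enforced by policy or set
        # to run everything.
        Exposed               = ($blockInternet -ne 1) -and
                                ($source -ne 'policy' -or $vbaWarnings -eq 1)
    }
}

function Test-EdgeIEModeExposure {
    # Edge enterprise policies (machine scope). InternetExplorerIntegrationLevel:
    # 0 = none, 1 = IE mode enabled, 2 = NeedIE (listed sites open in IE mode).
    $edgeKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $level    = Get-RegistryValueOrNull -Path $edgeKey -Name 'InternetExplorerIntegrationLevel'
    $siteList = Get-RegistryValueOrNull -Path $edgeKey -Name 'InternetExplorerIntegrationSiteList'
    # Allows users to reload any page in IE mode from the menu, widening exposure
    # beyond the curated Enterprise Mode site list.
    $reload   = Get-RegistryValueOrNull -Path $edgeKey -Name 'InternetExplorerIntegrationReloadInIEModeAllowed'

    [pscustomobject]@{
        Check              = 'CVE-2024-38178 (Scripting Engine RCE via IE mode)'
        IEModeEnabled      = ($level -in @(1, 2))
        SiteListConfigured = -not [string]::IsNullOrEmpty($siteList)
        UserReloadAllowed  = ($reload -eq 1)
        Exposed            = ($level -in @(1, 2))
    }
}

function Invoke-AugustRceExposureAudit {
    # Returns one result object per check so the caller can filter on Exposed.
    return @(Test-ProjectMacroExposure; Test-EdgeIEModeExposure)
}

Invoke-AugustRceExposureAudit | Format-List
```

A host where both `Exposed` values are `False` still needs the August patches; the audit only tells you which machines an attacker can reach through these two vectors today, which is useful for prioritising rollout, and for finding the legacy-application fleet that Breen's comment refers to.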
Three further zero-days under active exploitation, CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193, let attackers elevate their privileges to SYSTEM. Of these, CVE-2024-38106 is particularly concerning because it sits in the Windows kernel, where a race condition combined with improper memory handling could expose sensitive data. The other two, in the Windows Power Dependency Coordinator and the Windows Ancillary Function Driver for WinSock, also yield SYSTEM-level privileges. Breen noted that an attacker would need to have already executed code on the victim's machine to exploit any of these flaws.