On a recent Tuesday, Microsoft unveiled a significant update addressing a total of 90 security vulnerabilities, including 10 zero-day flaws, six of which are currently being exploited in the wild. Among these vulnerabilities, nine have been classified as Critical, while the majority, 80, are deemed Important, with one rated as Moderate. This release follows the resolution of 36 vulnerabilities in the Edge browser just last month.
Details of the Vulnerabilities
The Patch Tuesday updates are particularly noteworthy for their focus on six actively exploited zero-days:
- CVE-2024-38189 (CVSS score: 8.8) – Microsoft Project Remote Code Execution Vulnerability
- CVE-2024-38178 (CVSS score: 7.5) – Windows Scripting Engine Memory Corruption Vulnerability
- CVE-2024-38193 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2024-38106 (CVSS score: 7.0) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2024-38107 (CVSS score: 7.8) – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
- CVE-2024-38213 (CVSS score: 6.5) – Windows Mark of the Web Security Feature Bypass Vulnerability
Among these, CVE-2024-38213 stands out as it allows attackers to bypass SmartScreen protections. This vulnerability requires an attacker to send a malicious file to the user and persuade them to open it. The flaw was discovered and reported by Peter Girnus from Trend Micro, and it may serve as a bypass for previously exploited vulnerabilities linked to DarkGate malware operators.
In light of these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies implement the necessary fixes by September 3, 2024.
Publicly Known Vulnerabilities
Four of the vulnerabilities are publicly known:
- CVE-2024-38200 (CVSS score: 7.5) – Microsoft Office Spoofing Vulnerability
- CVE-2024-38199 (CVSS score: 9.8) – Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
- CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
Scott Caveza, a staff research engineer at Tenable, highlighted the risks associated with CVE-2024-38200, noting that attackers could exploit this vulnerability by enticing victims to open specially crafted files, often delivered through phishing emails. The consequences could lead to the exposure of New Technology Lan Manager (NTLM) hashes, which could be misused in further attacks.
The updates also tackle a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), allowing an attacker to gain SYSTEM privileges, although successful exploitation requires navigating a race condition.
However, Microsoft has yet to provide updates for CVE-2024-38202 and CVE-2024-21302, which pose risks of downgrade attacks against the Windows update architecture, potentially allowing the replacement of current operating system files with older versions.
Additionally, a report from Fortra has brought attention to a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8).