Microsoft’s August 2024 Patch Tuesday has unveiled a significant update addressing 85 vulnerabilities, including six zero-day exploits currently under active attack. The vulnerabilities are categorized as CVE-2024-38213, CVE-2024-38193, CVE-2024-38189, CVE-2024-38178, CVE-2024-38107, and CVE-2024-38106. Among these, a notable fix addresses a vulnerability associated with a ‘downgrade’ attack (CVE-2024-21302). Of the total vulnerabilities, six are classified as Critical, while the remaining 79 fall under Important or Moderate severity ratings.
August 2024 Risk Analysis
This month’s vulnerabilities reveal a predominant risk type of elevation of privilege, accounting for 37%, closely followed by remote code execution at 35%, and information disclosure at 8%.
Windows products received the majority of patches this month, totaling 43, with the Extended Security Update (ESU) receiving 21 patches and Microsoft Office 8.
Actively Exploited Zero-Day Vulnerability in Microsoft Project
Among the updates, Microsoft Project has been patched for CVE-2024-38189, which carries an Important severity rating and a CVSS score of 8.8. This vulnerability permits remote code execution when a victim is tricked into clicking a link or opening a malicious file. Microsoft recommends that customers disable macros in Office products and enable notifications to enhance security.
| Severity | CVSS Score | CVE | Description |
| Important | 8.8 | CVE-2024-38189 | Microsoft Project Remote Code Execution Vulnerability |
Table 1. Zero-day in Microsoft Project
Actively Exploited Zero-Day Vulnerabilities in Windows Ancillary Function Driver for WinSock
The Windows Ancillary Function Driver for WinSock has been updated to address CVE-2024-38193, rated Important with a CVSS score of 7.8. This vulnerability allows an attacker with low-level authentication to escalate privileges to SYSTEM level. This driver plays a crucial role in managing network functions, and such vulnerabilities are often exploited in conjunction with remote code execution vulnerabilities.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Table 2. Zero-days in Windows Ancillary Function Driver for WinSock and Windows Power Dependency Coordinator
Actively Exploited Zero-Day Vulnerabilities in Windows Power Dependency Coordinator
Windows Power Dependency Coordinator has also been patched for CVE-2024-38107, classified as Important with a CVSS score of 7.8. This vulnerability allows an attacker with basic authentication to elevate their access to SYSTEM privileges, particularly affecting power state management functions. Similar to the previous vulnerabilities, details regarding exploitation methods remain undisclosed by Microsoft.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2024-38107 | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability |
Table 3. Zero-days in Windows Ancillary Function Driver for WinSock and Windows Power Dependency Coordinator
Actively Exploited Zero-Day Vulnerability in Scripting Engine
The Scripting Engine has been patched for CVE-2024-38178, rated Important with a CVSS score of 7.5. This vulnerability necessitates an authenticated user to be operating Edge in Internet Explorer mode and clicking on a compromised URL, allowing an unauthenticated attacker to initiate remote code execution.
| Severity | CVSS Score | CVE | Description |
| Important | 7.5 | CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability |
Table 4. Zero-day in Scripting Engine
Actively Exploited Zero-Day Vulnerability in Windows Kernel
The Windows kernel has been patched for CVE-2024-38106, which is rated Important with a CVSS score of 7.0. This elevation of privilege vulnerability can lead to SYSTEM privileges and involves a complex attack requiring the exploitation of a race condition. Specific details about the vulnerability remain undisclosed by Microsoft.
| Severity | CVSS Score | CVE | Description |
| Important | 7.0 | CVE-2024-38106 | Windows Kernel Elevation of Privilege Vulnerability |
Table 5. Zero-day in the Windows kernel
Actively Exploited Zero-Day Vulnerability in Windows Mark of the Web Security
Windows Mark of the Web Security has been patched for CVE-2024-38213, rated Important with a CVSS score of 6.5. This vulnerability enables an attacker to bypass security warnings when downloading malicious files, posing a significant risk as it has been targeted multiple times in the past.
| Severity | CVSS Score | CVE | Description |
| Moderate | 6.5 | CVE-2024-38213 | Windows Mark of the Web Security Feature Bypass Vulnerability |
Table 6. Zero-day in Windows Mark of the Web Security
Critical Vulnerabilities in Windows Network Virtualization, TCP/IP, Reliable Multicast Transport Driver, Azure Health Bot and Secure Boot
Among the critical vulnerabilities, CVE-2024-38063 stands out as a Critical remote code execution vulnerability affecting Windows TCP/IP, with a CVSS score of 9.8. Successful exploitation allows remote code execution, and Microsoft recommends disabling IPv6 to mitigate risks associated with this vulnerability.
Additionally, CVE-2024-38140, also rated Critical with a CVSS score of 9.8, affects the Windows Reliable Multicast Transport Driver (RMCAST). This vulnerability is exploitable only if a program is actively listening on a Pragmatic General Multicast (PGM) port.
Furthermore, CVE-2024-38109, with a CVSS score of 9.1, poses an elevation of privilege risk affecting Azure Health Bot, enabling attackers to access Azure’s internal metadata service through server-side request forgery.
Two other critical vulnerabilities, CVE-2024-38159 and CVE-2024-38160, both with a CVSS score of 9.1, affect Windows Network Virtualization, allowing attackers to interact with other tenants’ applications.
Lastly, CVE-2023-40547, rated Critical with a CVSS score of 8.8, impacts Secure Boot, which is designed to prevent unauthorized code execution during the boot process.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2024-38140 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability |
| Critical | 9.1 | CVE-2024-38109 | Azure Health Bot Elevation of Privilege Vulnerability |
| Critical | 9.1 | CVE-2024-38159 | Windows Network Virtualization Remote Code Execution Vulnerability |
| Critical | 9.1 | CVE-2024-38160 | Windows Network Virtualization Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2023-40547 | Redhat: CVE-2023-40547 Shim – RCE in HTTP boot support may lead to secure boot bypass |
Table 7. Critical vulnerabilities in Windows and Azure
Vulnerabilities with Existing Proof of Concept in Windows Line Printer Daemon (LPD) Service, Windows Update Stack and Windows Secure Kernel Mode
CVE-2024-38199 is an Important remote code execution vulnerability affecting the Windows Line Printer Daemon (LPD), with a CVSS score of 9.8. An unauthenticated attacker could exploit this vulnerability by sending crafted print tasks to a vulnerable LPD service. Fortunately, LPD has been deprecated since Windows Server 2012 and is not enabled by default.
Another vulnerability, CVE-2024-38202, is an Important elevation of privilege vulnerability affecting the Windows Update Stack, with a CVSS score of 7.3. This vulnerability could allow an attacker with basic privileges to reintroduce previously patched vulnerabilities.
Moreover, CVE-2024-21302 is an Important elevation of privilege vulnerability in Windows Secure Kernel Mode, rated with a CVSS score of 6.7. This vulnerability could enable an attacker to replace current system files with outdated versions. Microsoft has released an advisory with recommended actions to mitigate risks until a patch is available.
| Severity | CVSS Score | CVE | Description |
| Important | 9.8 | CVE-2024-38199 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability |
| Important | 7.3 | CVE-2024-38202 | Windows Update Stack Elevation of Privilege Vulnerability |
| Important | 6.7 | CVE-2024-21302 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
Table 8. Vulnerabilities with existing proof of concept available in .NET, Visual Studio and ARM-based operating systems
Patch Tuesday Dashboard in the Falcon Platform
For those seeking a visual representation of the systems impacted by this month’s vulnerabilities, the newly available Patch Tuesday dashboard in the Falcon platform offers a comprehensive overview. Users can find it within the Exposure Management > Vulnerability Management > Dashboards page, showcasing the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As history has shown with notable vulnerabilities like Log4j, not every highly exploitable vulnerability can be swiftly patched. In light of the ProxyNotShell vulnerabilities, it is crucial to formulate a response plan to defend environments when patching is not feasible. Regularly reviewing patching strategies should remain integral to cybersecurity programs, while also adopting a holistic approach to enhance overall security posture.
The CrowdStrike Falcon® platform continuously gathers and analyzes trillions of endpoint events daily from millions of sensors across 176 countries. Experience the Falcon platform in action through our demo.
Learn More
Discover how CrowdStrike Falcon® Exposure Management can assist you in swiftly identifying and prioritizing vulnerabilities and other exposures.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) serves as a free and open industry standard utilized by CrowdStrike and various cybersecurity organizations to evaluate and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, with the National Vulnerability Database (NVD) providing additional severity ratings for CVSS scores.
Additional Resources
- For more information on Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- Explore how Falcon Exposure Management can help you discover and manage vulnerabilities and exposures in your environments.
- Learn about CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, which identifies unknown, exposed, and vulnerable internet-facing assets, empowering security teams to thwart adversaries.
- Streamline prioritization with CrowdStrike Falcon® Spotlight, enabling IT staff to enhance visibility through custom filters and team dashboards.
- Try CrowdStrike next-gen antivirus with a free trial of CrowdStrike® Falcon Prevent™.
