Aug 14, 2024Ravie LakshmananWindows Security / Vulnerability
On a recent Tuesday, Microsoft unveiled a significant update addressing a total of 90 security vulnerabilities, including 10 zero-day flaws, six of which are currently being exploited in the wild. Among these vulnerabilities, nine have been classified as Critical, while the majority, 80, are deemed Important, with one rated as Moderate. This release follows the resolution of 36 vulnerabilities in the Edge browser just last month.
Details of the Vulnerabilities
The Patch Tuesday updates are particularly noteworthy for their focus on six actively exploited zero-days:
- CVE-2024-38189 (CVSS score: 8.8) – Microsoft Project Remote Code Execution Vulnerability
- CVE-2024-38178 (CVSS score: 7.5) – Windows Scripting Engine Memory Corruption Vulnerability
- CVE-2024-38193 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2024-38106 (CVSS score: 7.0) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2024-38107 (CVSS score: 7.8) – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
- CVE-2024-38213 (CVSS score: 6.5) – Windows Mark of the Web Security Feature Bypass Vulnerability
Among these, CVE-2024-38213 stands out as it allows attackers to bypass SmartScreen protections. This vulnerability requires an attacker to send a malicious file to the user and persuade them to open it. The flaw was discovered and reported by Peter Girnus from Trend Micro, and it may serve as a bypass for previously exploited vulnerabilities linked to DarkGate malware operators.
In light of these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies implement the necessary fixes by September 3, 2024.
Publicly Known Vulnerabilities
Four of the vulnerabilities are publicly known:
- CVE-2024-38200 (CVSS score: 7.5) – Microsoft Office Spoofing Vulnerability
- CVE-2024-38199 (CVSS score: 9.8) – Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
- CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
Scott Caveza, a staff research engineer at Tenable, highlighted the risks associated with CVE-2024-38200, noting that attackers could exploit this vulnerability by enticing victims to open specially crafted files, often delivered through phishing emails. The consequences could lead to the exposure of New Technology Lan Manager (NTLM) hashes, which could be misused in further attacks.
The updates also tackle a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), allowing an attacker to gain SYSTEM privileges, although successful exploitation requires navigating a race condition.
However, Microsoft has yet to provide updates for CVE-2024-38202 and CVE-2024-21302, which pose risks of downgrade attacks against the Windows update architecture, potentially allowing the replacement of current operating system files with older versions.
Additionally, a report from Fortra has brought attention to a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8), which could lead to system crashes and the infamous Blue Screen of Death (BSoD).
In response to inquiries, a Microsoft spokesperson indicated that the DoS issue “does not meet the bar for immediate servicing under our severity classification guidelines,” but it will be considered for future product updates. The spokesperson emphasized that the described technique necessitates prior code execution capabilities on the target machine, without granting elevated permissions, and encouraged users to maintain prudent online computing habits.
Software Patches from Other Vendors
Alongside Microsoft, various other vendors have rolled out security updates over the past few weeks to address multiple vulnerabilities, reinforcing the importance of vigilance in cybersecurity.