On Tuesday, Microsoft released fixes for a total of 90 security vulnerabilities, including 10 zero-day flaws, six of which are being actively exploited in the wild.
Out of the 90 vulnerabilities, nine have been classified as Critical, 80 as Important, and a single one as Moderate in severity. Additionally, the tech titan addressed 36 other vulnerabilities in its Edge browser over the past month.
This Patch Tuesday is particularly noteworthy for resolving six zero-day vulnerabilities under active exploitation:
- CVE-2024-38189 (CVSS score: 8.8) – A remote code execution vulnerability in Microsoft Project.
- CVE-2024-38178 (CVSS score: 7.5) – A memory corruption flaw in the Windows Scripting Engine.
- CVE-2024-38193 (CVSS score: 7.8) – An elevation of privilege issue in the Windows Ancillary Function Driver for WinSock.
- CVE-2024-38106 (CVSS score: 7.0) – An elevation of privilege vulnerability within the Windows Kernel.
- CVE-2024-38107 (CVSS score: 7.8) – An elevation of privilege vulnerability in the Windows Power Dependency Coordinator.
- CVE-2024-38213 (CVSS score: 6.5) – A security feature bypass in Windows Mark of the Web.
CVE-2024-38213, which allows SmartScreen protections to be bypassed, requires an attacker to send a malicious file and persuade the user to open it. The vulnerability was discovered by Trend Micro's Peter Girnus, who suggested it may be a bypass for the previously exploited CVE-2024-21412 or CVE-2023-36025, both of which have been linked to DarkGate malware campaigns.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by September 3, 2024.
Four of the CVEs are listed as publicly known:
- CVE-2024-38200 (CVSS score: 7.5) – A spoofing vulnerability in Microsoft Office.
- CVE-2024-38199 (CVSS score: 9.8) – A remote code execution flaw in the Windows Line Printer Daemon (LPD) Service.
- CVE-2024-21302 (CVSS score: 6.7) – An elevation of privilege vulnerability in Windows Secure Kernel Mode.
- CVE-2024-38202 (CVSS score: 7.3) – An elevation of privilege flaw in the Windows Update Stack.
Regarding CVE-2024-38200, Scott Caveza, a staff research engineer at Tenable, noted, "An attacker could exploit this vulnerability by luring a victim to interact with a specially crafted file, likely through a phishing email. A successful attack could lead to the exposure of New Technology LAN Manager (NTLM) hashes, which could then be leveraged in NTLM relay or pass-the-hash attacks to deepen the attacker's infiltration into an organization."
The update also resolves a privilege escalation vulnerability in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), enabling an attacker to attain SYSTEM privileges. Microsoft highlighted that “successful exploitation of this vulnerability requires the attacker to win a race condition.”
However, Microsoft has not yet released patches for CVE-2024-38202 and CVE-2024-21302, which could be exploited to execute downgrade attacks against the Windows update architecture, replacing current operating system files with older versions.
This disclosure comes on the heels of a report by Fortra regarding a denial-of-service (DoS) vulnerability in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8), which could result in a system crash, culminating in a Blue Screen of Death (BSoD).
When approached for comment, a Microsoft spokesperson stated that the issue “does not meet the threshold for immediate remediation under our severity classification guidelines and will be considered for a future product update.”
“The technique described necessitates the attacker already having gained code execution capabilities on the target machine and does not confer elevated permissions. We urge customers to maintain vigilant computing practices online, including caution when executing unrecognized programs,” the spokesperson added.