News

10 Zero-Day Flaw Fixes Top Microsoft's Busy August Patch Tuesday

• By Chris Paoli
• 08/13/2024

Microsoft's monthly security update is here with 88 fixes spread across the company's products and services. What's noteworthy is the larger-than-usual number of fixes dealing with either publicly disclosed flaws or those actively being targeted by attackers at 10.

When prioritizing what to patch first (if automatic patching is not enabled in your org), the seven zero-day issues should take top priority. Microsoft has designated which items are being actively exploited and which are just publicly disclosed. Let's run down the exploited items first:

CVE-2024-38189:Deals with a rare remote code execution vulnerability in Microsoft Project. The attack relies on macros running from the Internet and requires the target to have disabled VBA Macro Notification Settings. Along with applying the fix, users are advised to re-enable these settings and take caution when opening Project files from untrusted sources.

CVE-2024-38178: This scripting engine corruption vulnerability in Windows is notable and a bit odd because it specifically affects users running Microsoft Edge in Internet Explorer mode. A single click on a malicious link can trigger code execution. Additionally, this patch addresses the same flaw in Windows 11 version 24H2, which is not yet widely available but is included on Copilot+ devices.

CVE-2024-38193:Affecting all supported Windows OS and Windows Server versions, this elevation of privilege flaw in the Windows Ancillary Function Driver for WinSock has allowed attackers to gain SYSTEM-level privileges. As with the previous entry, while not specifically listed in the affected product list (due to pending release), this will also be applied to the upcoming full release of Windows 11 version 24H2 and Copilot+ devices.

CVE-2024-38106:This privilege escalation flaw in the Windows kernel allows attackers to gain SYSTEM-level privileges. While Microsoft rates the exploit complexity as high due to the need to win a race condition, it has been seen in active exploitation in the wild, so the chances of success are far from impossible.

CVE-2024-38107:Attackers have found ways to exploit an elevation of privilege flaw in the Windows Power Dependency Coordinator, which governs how a system wakes from sleep. If exploited, attackers can elevate SYSTEM-level privileges.

CVE-2024-38213: The final active exploit fix for the month deals with a security bypass issue in Windows' Mark of the Web security feature. If a targeted user is tricked into opening a malicious file, Microsoft's SmartScreen anti-phishing tool could be bypassed, leading to follow-up attacks.

Once the exploited zero days are addressed, IT should move on to the four publicly disclosed issues, as what is only disclosed today could turn into active exploits tomorrow:

CVE-2024-38200:This spoofing vulnerability in Microsoft Office could allow attackers to use a victim's NTLM hash to authenticate as the victim via an authentication relay attack. Along with applying the released fix, Microsoft said IT can also configure the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to allow total control over NTLM traffic.

CVE-2024-38199:An unauthenticated attacker could exploit a hole in the Windows Line Printer Daemon (LPD) service by sending a specially crafted print task over the network. If successful, this could lead to remote code execution on the server.

CVE-2024-21302:Microsoft is alerting users of an elevation of privilege flaw in the Windows Secure Kernel that was discovered at last week's Black Hat security conference. This flaw, if successfully exploited, could force a system to be downgraded to an earlier version of Windows, allowing for older vulnerabilities to be exploited. While Microsoft has yet to release a final fix, it has outlined an opt-in revocation policy mitigation. More details can be found here.

CVE-2024-38202:As was with the previous item, this elevation of privilege flaw in the Windows Update Stack was discovered last week at the Black Hat security conference and is still lacking in a permanent fix. Until that fix is available, IT should configure "Audit Object Access" settings to track attempts to access files, including handle creation, read/write operations, and modifications to security descriptors.

Microsoft's August security update also includes the following seven bulletins rated "critical," which should be the next priority once the zero-day vulnerabilities have been taken care of. They include:

• CVE-2024-38109: An elevation of privilege vulnerability in the Azure Health Bot.
• CVE-2024-38206: An information disclosure vulnerability in Microsoft Copilot Studio.
• CVE-2024-38166: A cross-site scripting vulnerability in Microsoft Dynamics 365.
• CVE-2024-38159: A remote code execution vulnerability in Windows Network Virtualization.
• CVE-2024-38160: A remote code execution vulnerability in Windows Network Virtualization.
• CVE-2024-38140: A remote code execution vulnerability in the Windows Reliable Multicast Transport Driver.
• CVE-2024-38063: A remote code execution vulnerability in Windows TCP/IP.

A full list of this month's security bulletins can be found here.