Microsoft on Tuesday shipped patches to address a total of 90 security flaws, including 10 zero-days, six of which were actively exploited in the wild.
Of the 90 bugs, seven were rated Critical, 79 were rated Important, and one was rated Medium. This is in addition to 36 vulnerabilities that the tech giant has resolved in its Edge browser since last month.
Patch Tuesday’s updates are notable for addressing six actively exploited zero-days –
- CVE-2024-38189 (CVSS Score: 8.8) – Microsoft Project remote code execution vulnerability
- CVE-2024-38178 (CVSS Score: 7.5) – A vulnerability in the Windows scripting system corrupts memory
- CVE-2024-38193 (CVSS Score: 7.8) – Windows Helper Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2024-38106 (CVSS Score: 7.0) – An elevation of privilege vulnerability in the Windows kernel
- CVE-2024-38107 (CVSS Score: 7.8) – Windows Dependency Coordinator Elevation of Privilege Vulnerability
- CVE-2024-38213 (CVSS Score: 6.5) – Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38213, which allows attackers to bypass SmartScreen protection, requires an attacker to send a malicious file to a user and convince them to open it. Peter Girnus of Trend Micro, who discovered and reported the flaw, suggested that it might be a bypass for CVE-2024-21412 or CVE-2023-36025, which were previously used by DarkGate malware operators.
This development prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the flaws to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to apply the fixes by September 3, 2024.
Four of the CVEs below are listed as publicly known –
- CVE-2024-38200 (CVSS Score: 7.5) – Microsoft Office spoofing vulnerability
- CVE-2024-38199 (CVSS Score: 9.8) – Windows Line Printer Daemon (LPD) remote code execution vulnerability
- CVE-2024-21302 (CVSS Score: 6.7) – Elevation of privilege vulnerability in Windows kernel secure mode
- CVE-2024-38202 (CVSS Score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
“An attacker could exploit this vulnerability by tricking a victim into accessing a specially crafted file, possibly via a phishing email,” Scott Caveza, a staff research engineer at Tenable, said of CVE-2024-38200.
“Successful exploitation of the vulnerability could result in a victim exposing New Technology LAN Manager (NTLM) hashes to a remote attacker. NTLM hashes can be exploited in NTLM relay or hash-forwarding attacks to further infiltrate an attacker’s organization.”
The update also fixes an elevation of privilege flaw in the print spooler component (CVE-2024-38198, CVSS score: 7.8) that allows an attacker to gain SYSTEM privileges. “Successful exploitation of this vulnerability requires an attacker to win a race,” Microsoft said.
However, Microsoft has not yet released an update for CVE-2024-38202 and CVE-2024-21302, which can be abused to stage downgrade attacks against the Windows Update architecture and replace current versions of operating system files with older versions.
The disclosure follows a report from Fortra about a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) that can cause a system crash resulting in a blue screen of death (BSoD).
When reached for comment, a Microsoft representative told The Hacker News that the issue “does not qualify for immediate service according to our severity classification guidelines, and we will review it for the next product update.”
“The described technique requires the attacker to have already obtained code execution capabilities on the target machine and does not provide elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by users,” the spokesperson added.
Third-party software patches
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to address some vulnerabilities, including –