CyberSecurity SEE

Microsoft addresses six zero-day vulnerabilities in August Patch Tuesday

On August Patch Tuesday, Microsoft tackled six actively exploited zero-day vulnerabilities while addressing a total of 83 new CVEs in its software products. In addition, 12 non-Microsoft CVEs were republished on this Patch Tuesday, and seven previously released vulnerabilities also received updates. The majority of the vulnerabilities affect the Windows operating system, making it easier for administrators to prioritize their patching efforts.

According to Chris Goettl, vice president of security product management at Ivanti, the Windows OS is the focal point for five of the six zero-day vulnerabilities, as well as one of the two public disclosures. This means that by ensuring the OS and Microsoft Office updates are applied, organizations can significantly reduce their risk exposure in one fell swoop.

The first zero-day vulnerability identified is a remote-code execution flaw in Microsoft Project (CVE-2024-38189), rated as important with a CVSS score of 8.8. This vulnerability impacts all editions of Microsoft Office and requires the user to open a malicious Project file with certain Office macro protections disabled to allow for remote code execution.

The next zero-day vulnerability is an elevation-of-privilege bug in Windows Power Dependency Coordinator (CVE-2024-38107), rated as important with a CVSS score of 7.8. This vulnerability affects all currently supported versions of Windows Server and desktop systems, and exploitation relies on a user clicking a specially crafted URL.

Another zero-day vulnerability affects the Windows Kernel (CVE-2024-38106), rated as important with a CVSS score of 7.0. This elevation-of-privilege vulnerability impacts various versions of Windows Server and desktops and requires the threat actor to exploit a race condition to gain system privileges or complete control of the affected device.

A moderate-rated zero-day vulnerability, affecting the Windows Mark-of-the-Web (MOTW) security feature (CVE-2024-38213), allows attackers to bypass the built-in security capabilities of SmartScreen by convincing users to open a malicious file. Although the severity is moderate, the existence of active attacks in the wild emphasizes the importance of addressing this vulnerability promptly.

The list of zero-day vulnerabilities also includes a Windows Ancillary Function Driver for WinSock elevation-of-privilege flaw (CVE-2024-38193) and a Scripting Engine memory corruption vulnerability (CVE-2024-38178), both rated as important by Microsoft.

In addition to these zero-day vulnerabilities, admins will need to address an elevation-of-privilege flaw in the Windows Update Stack (CVE-2024-38202), which was highlighted at the recent Black Hat conference. This vulnerability, with a CVSS score of 7.3, poses a risk to Windows Server and desktop systems by potentially enabling attackers to exploit previously mitigated vulnerabilities or bypass virtualization-based security.

Another publicly disclosed vulnerability from the Black Hat conference impacts Windows Secure Kernel Mode (CVE-2024-21302), also rated as important by Microsoft. This bug, with a CVSS score of 6.7, affects Windows systems with virtualization-based security (VBS) and some Azure VMs, potentially allowing attackers to replace system files to reintroduce vulnerabilities and bypass VBS.

To mitigate these risks, administrators are advised to subscribe to Security Update Guide notifications, follow recommended actions for protection, and consider mitigation strategies provided by Microsoft to reduce exploitation risks. By promptly addressing these vulnerabilities and applying the necessary updates, organizations can strengthen their security posture and protect their systems from potential exploitation.
