Microsoft’s recent security update for August has uncovered a series of vulnerabilities actively exploited by attackers, prompting a call to action for administrators on Patch Tuesday. Out of the 90 vulnerabilities disclosed by Microsoft, six are currently under attack, demanding immediate attention and remediation.
In addition to the exploited vulnerabilities, four other CVEs addressed in the August update were already known before the disclosure. One particular vulnerability, CVE-2024-38202, poses a significant threat as it allows for elevation of privilege (EoP) in Windows Update Stack without a patch available from Microsoft. This critical issue can potentially be exploited to reintroduce mitigated vulnerabilities or bypass Virtualization Based Security (VBS) features, if leveraged in conjunction with other vulnerabilities.
An analysis by Scott Caveza, a staff research engineer at Tenable, highlights the risk posed by chaining CVE-2024-38202 with another EoP flaw, CVE-2024-21302, affecting Windows Secure Kernel. This tactic could enable attackers to roll back software updates without the need for interaction from a privileged user, raising concerns about the combined impact of multiple vulnerabilities.
Microsoft categorized seven of the disclosed bugs as critical, while rating the remaining vulnerabilities as “Important” or of medium severity due to their varying exploit requirements. The abundance of public exploits or vulnerabilities under active attack in a single release is uncommon, as noted by Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI).
Among the zero-day vulnerabilities actively exploited, two enable remote code execution (RCE) on targeted systems. CVE-2024-38189, affecting Microsoft Project Remote Code, can be leveraged by convincing users to open malicious files, bypassing VBA Macro Notification Settings. The second RCE vulnerability, CVE-2024-38178, in Windows Scripting Engine Memory or Script Host, requires a user to visit a crafted URL using Edge in Internet Explorer Mode to initiate the exploit.
Kev Breen, senior director of threat research at Immersive Labs, highlighted the risk associated with organizations using Internet Explorer Mode for compatibility with legacy websites or applications. The active exploitation of vulnerabilities in this configuration indicates potential vulnerabilities for those utilizing older technologies unsuitable for modern browsers.
Three other zero-day vulnerabilities under active exploitation, CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193, allow attackers to elevate privileges to system admin status. Of these, CVE-2024-38106’s presence in the Windows Kernel poses a significant concern due to memory handling issues vulnerable to race conditions.
CVE-2024-38213, another zero-day exploit, enables attackers to bypass Windows Mark of the Web (MoTW) security protections, facilitating the introduction of malicious files into enterprise environments undetected. This flaw, typically incorporated into exploit chains, underscores the importance of comprehensive security measures to prevent exploitation.
In light of the diverse range of vulnerabilities actively exploited and the potential risks to systems and data, administrators are urged to prioritize patching and mitigation efforts to safeguard their organizations against sophisticated cyber threats. As the cyber landscape evolves, proactive security measures remain essential to defend against emerging vulnerabilities and minimize the impact of successful attacks.