Security operations · 2 MIN READ · MATT JASTRAM · AUG 14, 2024 · TAGS: MDR / vulnerability prioritization
This Patch Tuesday includes 102 published CVEs from Microsoft.
To save you time, our team reviewed the August 2024 edition of Patch Tuesday.
Microsoft’s August release was another large batch at 102 patches, down from the 143 we saw in July (thanks for the summer break!). This month’s patches addressed nine vulnerabilities associated with known attacker exploits or public disclosure. Even as we were writing this, CISA added six of the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog with an unusually short remediation deadline of September 3, 2024 (three weeks). That deadline is binding on federal civilian agencies under BOD 22-01, and many companies align their own patch SLAs to KEV due dates. The six vulnerabilities added to the KEV were our focus this month and are summarized here:
- Microsoft Project Remote Code Execution Vulnerability: CVE-2024-38189 is triggered when a victim opens a maliciously crafted Microsoft Project file. Exploitation depends on configuration: it works only where the “Block macros from running in Office files from the Internet” policy is disabled and the VBA Macro Notification Settings policy is not enabled, so organizations that enforce either policy have a compensating control while they patch. The attacker still has to entice the victim to open the file (for example via a link or an email attachment), after which code runs in the victim’s context. Exploit risk continues to grow, so we recommend deploying the eight updates that cover Office, Project, and Microsoft 365 Enterprise Apps.
- Microsoft Windows Scripting Engine Memory Corruption Vulnerability: CVE-2024-38178 is another exploit that relies on an attacker-crafted URL. The attacker does not need to authenticate, but a user must click the link in Microsoft Edge running in Internet Explorer mode, which then yields remote code execution (RCE) in that user’s context. There are currently 32 product and version combinations requiring updates, including Windows Server 2012, 2016, 2019, and 2022, and Windows 10 and 11 systems.
- Microsoft Windows Mark of the Web Security Feature Bypass Vulnerability: SmartScreen vulnerability CVE-2024-38213 lets attackers bypass Mark-of-the-Web (MotW) controls once a victim is convinced to open a file. Normally a file downloaded from the internet carries the MotW flag and Windows warns the user before running it; this bypass suppresses that warning, so the file runs as if it were locally created. We recommend addressing the 32 impacted products: Windows Server 2012, 2016, 2019, and 2022, and Windows 10 and 11 systems.
- Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability: The Ancillary Function Driver (afd.sys) is the kernel-mode driver behind the Winsock API, which every networked Windows application uses, so it is present on every Windows host. CVE-2024-38193 is a zero-day elevation of privilege: an attacker who already has low-privileged code execution on the box can elevate to SYSTEM, which means full control of the host. It impacts a much broader list of products, including Windows Server 2008, 2012, 2016, 2019, and 2022, and Windows 10 and 11 systems.
- Microsoft Windows Kernel Privilege Escalation Vulnerability: CVE-2024-38106 is a zero-day elevation of privilege vulnerability contingent on winning a race condition, meaning the attacker must time two concurrent operations so they interleave in exactly the right way, which may take repeated attempts but is reliable enough that it has been exploited in the wild. The 28 updates include Windows Server 2016, 2019, and 2022, and Windows 10 and 11 systems. Some researchers suggest that Windows Server 2012 might also be impacted, so Microsoft may add it to the list later.
- Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability: With CVE-2024-38107, the Power Dependency Coordinator is exploited to gain SYSTEM privileges. The component manages power state dependencies within Windows and ships on every supported version, so the attack surface is broad and, in our view, it’s likely more related exploits will be revealed soon. The 32 updates include Windows Server 2012, 2016, 2019, and 2022, and Windows 10 and 11 systems.
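Two of the points above are things a practitioner can check directly: which of this month’s KEV entries apply to hosts with open findings and how long is left until the September 3 deadline, and whether the Office macro policies that gate CVE-2024-38189 are actually enforced. The PowerShell below is an added example, not Expel’s code or tooling. It assumes the Office 2016/Microsoft 365 policy keys (`16.0`) from the Office ADMX templates, with `MS Project` as the Project policy key name; the KEV excerpt (field names follow the CISA KEV JSON feed) and the host findings are constructed sample data, not a live feed or a real scan.

```powershell
# Added example, not from the original post. Assumes Office policy keys under
# HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security (per the Office ADMX
# templates) and uses constructed KEV and findings data.
Set-StrictMode -Version Latest

# --- Part 1: rank open findings by KEV due date ---------------------------------

# Constructed KEV-style excerpt: the six August 2024 Microsoft entries and the
# 2024-09-03 due date discussed in the post. Field names match the CISA KEV JSON feed.
$KevJson = @'
{ "vulnerabilities": [
  { "cveID": "CVE-2024-38189", "vendorProject": "Microsoft", "product": "Project",  "dateAdded": "2024-08-13", "dueDate": "2024-09-03" },
  { "cveID": "CVE-2024-38178", "vendorProject": "Microsoft", "product": "Windows",  "dateAdded": "2024-08-13", "dueDate": "2024-09-03" },
  { "cveID": "CVE-2024-38213", "vendorProject": "Microsoft", "product": "Windows",  "dateAdded": "2024-08-13", "dueDate": "2024-09-03" },
  { "cveID": "CVE-2024-38193", "vendorProject": "Microsoft", "product": "Windows",  "dateAdded": "2024-08-13", "dueDate": "2024-09-03" },
  { "cveID": "CVE-2024-38106", "vendorProject": "Microsoft", "product": "Windows",  "dateAdded": "2024-08-13", "dueDate": "2024-09-03" },
  { "cveID": "CVE-2024-38107", "vendorProject": "Microsoft", "product": "Windows",  "dateAdded": "2024-08-13", "dueDate": "2024-09-03" }
]}
'@

# Constructed scanner output (host, CVE). The last entry uses a placeholder ID
# that is not a real CVE, to show that non-KEV findings are left to the normal SLA.
$Findings = @(
    [pscustomobject]@{ Host = 'fs01';  CVE = 'CVE-2024-38193' },
    [pscustomobject]@{ Host = 'ws042'; CVE = 'CVE-2024-38189' },
    [pscustomobject]@{ Host = 'ws042'; CVE = 'CVE-2024-38213' },
    [pscustomobject]@{ Host = 'ws042'; CVE = 'CVE-1900-0001' }   # placeholder, not in KEV
)

function Get-KevTriage {
    param([string]$KevJson, [object[]]$Findings, [datetime]$AsOf)
    $byCve = @{}
    foreach ($v in ($KevJson | ConvertFrom-Json).vulnerabilities) { $byCve[$v.cveID] = $v }
    $Findings | ForEach-Object {
        $entry = $byCve[$_.CVE]
        if ($null -eq $entry) { return }               # not in KEV: normal patch SLA applies
        $due = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', $null)
        [pscustomobject]@{
            Host     = $_.Host
            CVE      = $_.CVE
            Product  = $entry.product
            DueDate  = $entry.dueDate
            DaysLeft = ($due - $AsOf.Date).Days        # negative once the deadline has passed
            Overdue  = $AsOf.Date -gt $due
        }
    } | Sort-Object DaysLeft, Host
}

# --- Part 2: verify the compensating controls for CVE-2024-38189 ---------------

# Office applications that honour the "Block macros from running in Office files
# from the Internet" policy; Project is the one this CVE targets.
$OfficeApps = @('MS Project', 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio', 'Publisher')

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-OfficeMacroPolicy {
    param([string]$Version = '16.0')
    foreach ($app in $OfficeApps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $block = Get-PolicyDword -Path $key -Name 'BlockContentExecutionFromInternet'   # 1 = block
        $vba   = Get-PolicyDword -Path $key -Name 'VBAWarnings'                         # 2..4 = notify/disable, 1 = allow all
        # Exploitation needs BOTH the Internet macro block disabled AND no VBA notification
        # policy, so either control alone mitigates. VBAWarnings=1 allows all macros and is
        # conservatively treated as no mitigation.
        $mitigated = ($block -eq 1) -or (($null -ne $vba) -and ($vba -ge 2))
        $blockText = if ($null -eq $block) { 'not configured' } else { "$block" }
        $vbaText   = if ($null -eq $vba)   { 'not configured' } else { "$vba" }
        [pscustomobject]@{
            Application             = $app
            BlockMacrosFromInternet = $blockText
            VBAWarningsPolicy       = $vbaText
            MitigatesCVE202438189   = $mitigated
        }
    }
}

# Usage: the triage table is deterministic on any platform; the policy audit reads
# the current user's hive and is only meaningful on a Windows host with Office.
Get-KevTriage -KevJson $KevJson -Findings $Findings -AsOf (Get-Date '2024-08-14') | Format-Table -AutoSize
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Run the policy audit in the context of the user who opens Project files, since these are HKCU policies; a row showing `not configured` for both columns on the `MS Project` line is exactly the condition under which CVE-2024-38189 is exploitable, so that host belongs at the top of the patch queue regardless of days left. Swap the constructed `$KevJson` for the live CISA feed and `$Findings` for real scanner output to use the triage function in practice.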
That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—get in touch.