Microsoft patches over 80 vulnerabilities in August patch, 9 critical, 6 actively exploited

In August 2024, Microsoft's Patch Tuesday is addressing a total of 89 vulnerabilities, including six actively exploited zero-day vulnerabilities and nine critical flaws.

Actively exploited flaws

1. CVE-2024-38178 (CVSS score 7.5) - Scripting Engine Memory Corruption Vulnerability enabling remote code execution. Requires an authenticated user to click on a specially crafted URL in Microsoft Edge using Internet Explorer Mode, enabling an unauthenticated attacker to execute code remotely. Reported by AhnLab and South Korea’s National Cyber Security Center (NCSC), suggesting use in nation-state attacks.

2. CVE-2024-38193 (CVSS score 7.8) - Windows Ancillary Function Driver for WinSock enabling Elevation of privilege to SYSTEM. Locally exploitable, allows attackers to gain SYSTEM privileges on affected Windows systems. Exploited in the wild, with a high likelihood of use in malware attacks.

3. CVE-2024-38213 (CVSS score 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability enabling security feature bypass. Allows attackers to bypass SmartScreen and similar security measures by crafting malicious files. Actively exploited, often part of phishing campaigns.

4. CVE-2024-38106 (CVSS score 7) - Windows Kernel Elevation of Privilege Vulnerability enabling privilege escalation to SYSTEM. Requires winning a race condition, though it has been actively exploited. PExploitation in the wild despite the high complexity of the attack.

5. CVE-2024-38107 (CVSS score 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability enabling privilege escalation to SYSTEM. Local access is required; allows attackers to exploit the Power Dependency Coordinator. Exploited in the wild.

6. CVE-2024-38189 (CVSS score 8.8) - Microsoft Project Remote Code Execution Vulnerability enabling remote code execution. Requires users to open a specially crafted Microsoft Project file on systems where security features like macro blocking are disabled. Actively exploited, likely through phishing or compromised websites.

Publicly announced vulnerabilities that are expected to be exploited soon

• CVE-2024-38199  (CVSS score 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability enabling remote code execution. An unauthenticated attacker could send a specially crafted print task to exploit the LPD service.

• CVE-2024-21302 & CVE-2024-38202 (CVSS score 6.7 and 7.3 respectively) - Windows Secure Kernel Mode and Windows Update Stack Elevation of Privilege Vulnerabilities enablinge elevation of privilege. These were part of a talk at Black Hat 2024 discussing how attackers can use downgrade attacks to reintroduce old vulnerabilities in fully patched systems.

• CVE-2024-38173 (CVSS score 6.7) is a zero-click vulnerability in Microsoft Outlook, aside from opening or previewing the email, it does not require the user to interact with the content of a malicious email thus allowing the adversary to gain foothold into the organization.

Vulnerabilities reported as critical by Microsoft

• CVE-2024-38109 (CVSS score 9.1) - Azure Health Bot Elevation of Privilege Vulnerability, affects a service used to develop healthcare-related chatbots. It allows an attacker to escalate privileges within the Azure Health Bot platform, potentially accessing cross-tenant resources, sensitive data, tokens and enabling lateral movement. By exploiting the "Data Connections" feature, researchers bypassed server-side mitigations, accessed Azure’s Internal Metadata Service (IMDS), and obtained access tokens. Microsoft has applied mitigations across all regions and services, and no customer action is required.

• CVE-2024-38206 (CVSS score 6.5) - Microsoft Copilot Studio Information Disclosure Vulnerability It could allow attackers to exploit information disclosure flaws, potentially leading to the exposure of sensitive data.

•  CVE-2024-38166 (CVSS score 6.1) - Microsoft Dynamics 365 Cross-site Scripting Vulnerability. It allows attackers to execute cross-site scripting (XSS) attacks by injecting malicious scripts that can be executed in the context of the user’s browser. Could lead to unauthorized actions on behalf of users, compromising sensitive business data and user accounts.

• CVE-2024-38140 (CVSS score 9.8) - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability. Allowins attackers to execute arbitrary code remotely by sending specially crafted multicast packets to the affected systems. Could allow attackers to take full control of the affected systems, potentially leading to widespread network compromise.

• CVE-2024-38160 & CVE-2024-38159 (both CVSS score 9.1) - Windows Network Virtualization Remote Code Execution Vulnerabilities. Both vulnerabilities could allow an attacker to execute arbitrary code remotely by exploiting flaws in the network virtualization process. Could lead to complete system compromise, allowing attackers to manipulate virtual networks and the data transmitted within them.

• CVE-2022-3775 (CVSS score 7.1) - Redhat: grub2 Heap-based Out-of-Bounds Write Vulnerability. This flaw could be exploited during the boot process to bypass security controls. Allows attackers to potentially bypass Secure Boot, leading to unauthorized system access and compromise of the boot process.

• CVE-2023-40547 (CVSS score 8.3) - Redhat: Shim Remote Code Execution Vulnerability. It allows remote code execution during the boot process, potentially leading to a complete security bypass. Could enable attackers to gain unauthorized control over systems by bypassing Secure Boot protections.

• CVE-2024-38063 (CVSS score 9.8) - Windows TCP/IP Remote Code Execution Vulnerability. Could result in an attacker taking full control of the affected systems, enabling them to conduct further attacks or disrupt network operations. This vulnerability can be exploited remotely by sending specially crafted IPv6 packets to the target system. The flaw iImpacts all systems with IPv6 enabled. Firewalls dont' help since the flaw occurs as the packet is received, before any firewalls block it.

Full list of August patched flaws