Microsoft announces 10 zero-day bugs in Patch Tuesday update


Attackers are actively exploiting up to six of the 90 vulnerabilities Microsoft disclosed in its August security update, making them a top priority for administrators this Patch Tuesday.

Another four CVEs in the update from Microsoft were already publicly known before the disclosure on August 13, which also makes them a kind of zero-day, although attackers have not yet started exploiting them. Among them is an EoP (Elevation of Privilege) bug in the Windows Update stack, known as CVE-2024-38202, which is particularly worrying because Microsoft does not yet have a patch for it.

Unpatched zero-day

The unpatched flaw allows an attacker with “low-level user privileges to reintroduce previously mitigated vulnerabilities or bypass some features of Virtualization Based Security (VBS),” according to Microsoft. The company has rated the flaw as only moderate severity because an attacker would have to convince an administrator or user with delegated privileges to perform a system restore.

However, Scott Caveza, research engineer at Tenable, says that an attacker who combined CVE-2024-38202 with CVE-2024-21302 (an EoP flaw in the current update affecting the Windows Secure Kernel) could roll back software updates without requiring interaction with a privileged user. “CVE-2024-38202 actually requires ‘additional interaction by a privileged user,’ according to Microsoft,” he says. “However, the chaining of CVE-2024-21302 allows an attacker to downgrade or roll back software versions without requiring interaction with a victim with elevated privileges.”

Caveza says each vulnerability can be exploited individually, but when combined they could potentially have a greater impact.

In total, seven of the bugs Microsoft disclosed this week are rated critical. The company classified 79 CVEs – including the zero-day vulnerabilities that attackers are actively exploiting – as “important” or of moderate severity because they require some level of user interaction or other prerequisites for an attacker to exploit them. “While this is not the largest release, it is unusual to have so many bugs listed as public or actively exploited in a single release,” said Dustin Childs, director of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), in a blog post.

Zero-days are actively exploited

Two of the actively exploited vulnerabilities allow remote code execution (RCE) on affected systems. One of them, CVE-2024-38189, is a remote code execution flaw in Microsoft Project that impacts organizations that use the VBA Macro Notification Settings on their systems. In these situations, an attacker could remotely execute arbitrary code if they can trick a user into opening a malicious Microsoft Office Project file. “It’s definitely odd to see a code execution flaw in Project, but not only do we have one here, it’s being exploited in the wild,” Childs said. “In most cases, it’s a typical open-and-own flaw, but in this case, the target allows macros to be executed from the Internet.”

The other zero-day RCE in Microsoft’s latest update is CVE-2024-38178, a memory corruption vulnerability in the Windows Scripting Engine (Script Host). “To successfully exploit this vulnerability, an attacker must first prepare the target to use Edge in Internet Explorer mode: the user would have to click on a specially crafted URL to be compromised by the attack,” Microsoft said.

Kev Breen, senior director of threat research at Immersive Labs, said that while IE is not currently the default mode for most users, the fact that attackers are actively exploiting the bug suggests that there are organizations using this configuration. “Internet Explorer mode is used where legacy websites or applications were built specifically for Internet Explorer and are not supported by modern HTML5 browsers, such as Chromium-based browsers,” Breen said in an emailed statement. “For these websites and applications, organizations or users may enable this legacy mode to maintain compatibility with these applications” and thus could be at risk from the newly disclosed bug.
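Because IE mode is the prerequisite Microsoft names for CVE-2024-38178, administrators will want to know which machines have it enabled. The following PowerShell function is an added example, not part of the article or any Microsoft tooling; it reads Edge’s InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList policy values from the machine and user policy hives (the registry paths and value meanings are assumed from Edge’s documented policy names).

```powershell
# Added example (not from the article): report whether Edge's Internet Explorer
# mode is enabled by policy on this host, so patching of CVE-2024-38178 can be
# prioritized on machines that actually allow the legacy rendering path.
function Get-EdgeIeModePolicy {
    # Assumed mapping of the documented Edge policy values.
    $levels = @{ 0 = 'None (IE mode disabled)'; 1 = 'IEMode'; 2 = 'NeedIE (legacy)' }
    $hives = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine-wide policy
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # per-user policy
    )
    foreach ($hive in $hives) {
        # Missing key simply means no policy is set in that scope.
        $props = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
        $level = $props.InternetExplorerIntegrationLevel
        [pscustomobject]@{
            Scope      = $hive
            Configured = ($null -ne $level)
            Level      = if ($null -ne $level) { $levels[[int]$level] } else { 'Not set by policy' }
            SiteList   = $props.InternetExplorerIntegrationSiteList
        }
    }
}

# Usage: any scope reporting IEMode or NeedIE is a host where the legacy path is reachable.
Get-EdgeIeModePolicy | Format-Table -AutoSize
```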

Three of the zero-day vulnerabilities in this update that are being actively exploited by attackers – CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 – enable an attacker to elevate privileges to system administrator status.

Among them, CVE-2024-38106 is particularly severe because it is present in the Windows kernel. “The fundamental problem with CVE-2024-38106 arises from a race condition combined with improper memory handling in the Windows kernel,” said Mike Walters, president and CEO of Action 1, in an emailed comment. “Sensitive data that should be secured in locked memory is instead vulnerable in an accessible and modifiable area” if an attacker can win a race condition through precise timing.

CVE-2024-38107 in Windows Power Dependency and CVE-2024-38193 in Windows Ancillary Function Driver for WinSock also allow attackers to gain system-level privileges. The three EoP vulnerabilities affect various core components of the operating system, according to Breen. “An attacker would have to have already gained code execution on the victim machine, either through lateral movement or another exploit, such as a malicious document,” to exploit the vulnerabilities.

The other active zero-day exploit is CVE-2024-38213, a flaw that allows attackers to bypass Windows Mark of the Web (MoTW) security protections. The flaw is similar to earlier MoTW vulnerabilities and provides attackers with the ability to inject malicious files and web content into enterprise environments without them being marked as untrusted. “This vulnerability cannot be exploited alone,” Breen said, “and is typically seen as part of an exploit chain, such as when a malicious document or EXE file is modified to include this bypass before the file is emailed or distributed on compromised websites.”
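Windows records the Mark of the Web as a small Zone.Identifier alternate data stream on the file, and that stream is what SmartScreen and Office Protected View consult. The PowerShell function below is an added example, not part of the article; it audits a folder for files that carry the mark and which zone they were assigned, so that Internet-sourced files arriving with no mark, the artifact a bypass like CVE-2024-38213 leaves behind, can be picked out for review. The extension list is an assumption and can be adjusted.

```powershell
# Added example (not from the article): list files in a folder with their
# Mark of the Web status, parsed from the Zone.Identifier alternate data stream.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed set of file types worth checking; adjust to local needs.
        [string[]] $Extensions = @('.exe', '.dll', '.docm', '.xlsm', '.js', '.lnk', '.iso', '.zip')
    )
    # URL security zone identifiers as written by browsers and mail clients.
    $zones = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $zoneId = $null; $referrer = $null; $hostUrl = $null
            # The stream is INI-style text; absence means the file carries no MoTW.
            $stream = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if ($stream) {
                foreach ($line in $stream) {
                    if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
                    elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
                    elseif ($line -match '^HostUrl=(.+)')     { $hostUrl  = $Matches[1] }
                }
            }
            [pscustomobject]@{
                File     = $file.FullName
                HasMotw  = [bool]$stream
                Zone     = if ($null -ne $zoneId) { $zones[$zoneId] } else { 'None' }
                HostUrl  = $hostUrl
                Referrer = $referrer
                Modified = $file.LastWriteTime
            }
        }
}

# Usage: recently modified files in Downloads that carry no mark deserve a closer look.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.HasMotw } |
    Sort-Object Modified -Descending |
    Format-Table File, Zone, Modified -AutoSize
```

Files extracted by tools that do not propagate the stream will also show as unmarked, so treat the output as a triage list rather than proof of a bypass.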
