
Microsoft releases patches for 90 vulnerabilities, including 10 critical zero-day exploits

14 August 2024Ravie LakshmananWindows security/vulnerabilities

Microsoft released fixes on Tuesday to address a total of 90 security vulnerabilities, including ten zero-day vulnerabilities, six of which were already being actively exploited.

Of the 90 bugs, seven are rated Critical, 79 Important and one Moderate. This is in addition to the 36 vulnerabilities the tech giant has fixed in its Edge browser since last month's release.

The Patch Tuesday updates are notable because they fix six zero-day vulnerabilities that are being actively exploited:

  • CVE-2024-38189 (CVSS score: 8.8) – Microsoft Project Remote Code Execution Vulnerability
  • CVE-2024-38178 (CVSS score: 7.5) – Windows Scripting Engine Memory Corruption Vulnerability
  • CVE-2024-38193 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2024-38106 (CVSS score: 7.0) – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2024-38107 (CVSS score: 7.8) – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
  • CVE-2024-38213 (CVSS score: 6.5) – Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38213, which allows attackers to bypass SmartScreen protection, requires an attacker to send the user a malicious file and convince them to open it. Peter Girnus of Trend Micro is credited with discovering and reporting the flaw. He suspects that it could be a bypass for CVE-2024-21412 or CVE-2023-36025, which were previously exploited by operators of the DarkGate malware.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerabilities to its catalog of known exploited vulnerabilities (KEV), requiring federal agencies to apply the corresponding fixes by September 3, 2024.

Four of the CVEs are listed as publicly known:

  • CVE-2024-38200 (CVSS score: 7.5) – Microsoft Office Spoofing Vulnerability
  • CVE-2024-38199 (CVSS score: 9.8) – Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
  • CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
  • CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability

“An attacker could exploit this vulnerability by tricking a victim into accessing a specially crafted file, likely via a phishing email,” said Scott Caveza, research engineer at Tenable, about CVE-2024-38200.

“Successful exploitation of the vulnerability could result in the victim exposing New Technology LAN Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to give an attacker greater access to an organization.”

The update also fixes a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8) that allows an attacker to gain SYSTEM privileges. “To successfully exploit this vulnerability, an attacker must win a race condition,” Microsoft said.

However, Microsoft has not yet released updates for CVE-2024-38202 and CVE-2024-21302, which could be abused to stage downgrade attacks against the Windows Update architecture and replace current versions of operating system files with older versions.

The disclosure follows a report by Fortra of a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8), which could cause a system crash resulting in a Blue Screen of Death (BSoD).

When asked for comment, a Microsoft spokesperson told The Hacker News that the issue “does not meet the requirements for immediate attention under our severity classification guidelines and we will address it in a future product update.”

“The technique described requires that an attacker already has the ability to execute code on the target computer and does not grant elevated privileges. We recommend that our customers maintain good computing habits while online and be cautious when running programs that are not recognized by the user,” the spokesperson added.

Software patches from other providers

In addition to Microsoft, other vendors have also released security updates in recent weeks to fix several vulnerabilities, including:
