This content is part of the Conference Coverage: The latest from Black Hat USA 2024

Microsoft corrects six zero-days for August Patch Tuesday

Admins can address most of the zero-days with a cumulative update. But of more concern is the lack of patches for two vulnerabilities demonstrated at the Black Hat conference.

On August Patch Tuesday, Microsoft addressed six zero-days that were actively exploited. Admins should have little difficulty getting most of them addressed quickly.

Microsoft released updates for 83 new CVEs in its software products and republished 12 non-Microsoft CVEs on August Patch Tuesday. This month's patch release also addressed seven previously released vulnerabilities that required additional updates. More than half of the vulnerabilities affect the Windows operating system.

"The Windows OS is where five of the six zero-day vulnerabilities are and one of the two public disclosures, so that simplifies things for most people," said Chris Goettl, vice president of security product management at Ivanti, to TechTarget Editorial. "You have to get the OS update done and then the Microsoft Office update, and you've taken care of the majority of your risk in one easy swoop."

The first zero-day is a Microsoft Project remote-code execution vulnerability (CVE-2024-38189) rated important with a CVSS score of 8.8 that affects all Microsoft Office editions. The attack requires the victim to open a malicious Project file and have certain Office macro protections disabled to let the attacker remotely execute code.

"If organizations are not controlling the policies on devices, such as a BYOD situation, and have these types of settings configured properly, then an attacker could exploit this vulnerability," Goettl said.

The next zero-day is a Windows Power Dependency Coordinator elevation-of-privilege vulnerability (CVE-2024-38107), rated important with a CVSS score of 7.8. This bug affects all currently supported versions of Windows Server and desktop systems. The exploit depends on user interaction and requires the user to click on a specially crafted URL.

The next zero-day is a Windows Kernel elevation-of-privilege vulnerability (CVE-2024-38106), rated important with a CVSS ranking of 7.0, that affects several Windows Server and desktop versions. The exploit requires the threat actor to win a race condition, which would then give the attacker system privileges or complete control of the device.

The next zero-day is a Windows Mark-of-the-Web (MOTW) security feature bypass vulnerability (CVE-2024-38213), rated moderate with a 6.5 CVSS score. MOTW is a protection in Windows that indicates content came from outside the local trusted network, such as the internet. The attacker can bypass the SmartScreen user experience, which has several built-in security capabilities, by sending the user a malicious file and convincing them to open it.

"Even though it's rated moderate, because there are attacks in the wild that have taken advantage of this, that's when risk-based prioritization overtakes the vendor severity rating," Goettl said.

The next zero-day is CVE-2024-38193, a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability, rated important with a CVSS rating of 7.8. This flaw affects all Windows desktop systems and the server OS going back to Windows Server 2008.

An attacker must be on the local network but does not need user interaction. A successful exploit would give the threat actor system privileges or complete ownership of the targeted system.

The last zero-day is a Scripting Engine memory corruption vulnerability (CVE-2024-38178), rated important with a CVSS score of 7.5. This flaw requires an authenticated user to click a specially crafted link while in Internet Explorer mode in the Microsoft Edge browser to initiate the remote-code execution.

Goettl said once an attacker got a basic level of permissions on a system, they could create a link on the user's desktop that the user could click.

"It's more of a statistical game than a real challenge for these threat actors," Goettl said.

Exploits publicized at Black Hat put pressure on admins

Admins will have to perform some mitigation work to protect systems from an elevation-of-privilege flaw in the Windows Update Stack (CVE-2024-38202), rated important, that affects Windows Server and desktop systems. This bug has a CVSS rating of 7.3 and was the subject of a presentation at the recent Black Hat conference. Microsoft first published information about this vulnerability on Aug. 7.

The vulnerability, which has no patch as of publication, could let an attacker with basic user privileges exploit previously mitigated vulnerabilities or bypass virtualization-based security (VBS), which protects critical system components and sensitive data from malicious attacks.

The exploit requires convincing an administrator or user with administrative privileges to perform a system restore. Customers should subscribe to Security Update Guide notifications and follow recommended actions for protection. In the meantime, admins can follow Microsoft's recommendations to reduce the exploitation risk.

A second publicly disclosed vulnerability from the Black Hat conference is a Windows Secure Kernel Mode elevation-of-privilege bug (CVE-2024-21302), rated important with a CVSS rating of 6.7. This vulnerability also affects Windows systems with VBS and some Azure VMs. Microsoft first published information about this vulnerability on Aug. 7.

An attacker with admin privileges could replace Windows system files with deprecated versions to potentially reintroduce old vulnerabilities and bypass VBS. As of publication, Microsoft does not have a patch but offers customers an "opt-in revocation policy mitigation."

"There are risks associated with this mitigation that should be understood prior to applying it to your systems," the company wrote.

Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.
