Patch Tuesday: Microsoft has disclosed 90 vulnerabilities in its products – six of which have already been exploited – and four more are considered publicly known.
There are another dozen in the list of third-party fixes now included in Microsoft’s monthly update. Happy August Patch Tuesday, folks.
Of the 102 bugs listed this month, nine are classified as critical – but so far none of them seem to have been discovered and exploited by the bad guys.
So let’s start with the six actively exploited bugs:
CVE-2024-38189 – a Microsoft Project Remote Code Execution vulnerability with a CVSS score of 8.8. The bad news is that it is an RCE and was exploited before a fix was released.
The good news is that exploitation requires some security features to be disabled before an attacker can execute code on a victim’s computer. A criminal has to find a system that runs macros downloaded from the Internet and on which the policy that blocks macros in Office files from the Internet is also disabled. Then, once a victim is convinced to open a malicious file, it’s game over. Clearly someone has managed to overcome these hurdles, although we don’t have any details about the exploit or its distribution.
CVE-2024-38178 – a memory corruption vulnerability in the scripting engine that received a CVSS score of 7.5. Microsoft says that the attack complexity on this one is high and requires the victim to use Edge in Internet Explorer mode. Apparently, some organizations and their websites are still very fond of this dead web browser that Microsoft stopped supporting two years ago.
Once Edge is in Internet Explorer mode, an attacker can convince the victim to click on a specially crafted URL and execute remote code on the victim’s device.
Redmond thanks the South Korean National Cyber Security Center and AhnLab for discovering and reporting this vulnerability.
CVE-2024-38193 – A privilege escalation vulnerability in the Windows Ancillary Function Driver for WinSock, rated 7.8, could allow an attacker to gain system privileges.
Dustin Childs of the Zero Day Initiative noted, “These types of bugs are typically paired with a code execution flaw to take over a target. Microsoft isn’t giving any indication as to the extent to which this is being exploited, but considering the source, if it’s not already in ransomware, it likely will be soon.”
Gen Digital bug hunters Luigino Camastra and Milánek have informed Redmond about the bug.
CVE-2024-38106 – A Windows kernel privilege escalation vulnerability with a CVSS score of 7.0.
To exploit this bug, an attacker must win a race condition, though Redmond does not provide details on what this race condition entails. Once that happens, the bad actor can gain system privileges. The bug has been exploited, so patch soon.
CVE-2024-38107 – A privilege escalation vulnerability in Windows Power Dependency Coordinator rated 7.8. It can also lead to system privileges and has been exploited in the wild.
CVE-2024-38213 – a Windows Mark of the Web Security Feature Bypass vulnerability that received a CVSS rating of 6.5.
ZDI researcher Peter Girnus discovered and reported this vulnerability. It allows attackers to bypass the SmartScreen security feature. However, it requires the victim to open a malicious file.
Microsoft has listed four vulnerabilities as publicly known but not yet exploited, so you might want to put these at the top of your list of vulnerabilities to patch:
- CVE-2024-38200 – a spoofing vulnerability in Microsoft Office with a CVSS rating of 6.5.
- CVE-2024-38199 – an RCE vulnerability in the Windows Line Printer Daemon (LPD) service with a CVSS score of 9.8.
- CVE-2024-21302 – a Windows Secure Kernel Mode privilege escalation vulnerability with a CVSS score of 6.7.
- CVE-2024-38202 – a privilege escalation vulnerability in the Windows Update stack with a CVSS score of 7.3.
Adobe fixes 71 CVEs
Adobe has fixed 71 CVEs this month in 11 updates for its Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, 3D Sampler, and Substance 3D Designer products. Adobe says it is not aware of any exploits for the bugs now fixed.
Commerce is the buggiest of all, with seven vulnerabilities rated critical. The InDesign update fixes 13 CVEs and the Acrobat and Reader update fixes 12, and both products contained RCEs.
SAP releases 25 security patches
SAP has released 25 new or updated security patches this month, including two HotNews advisories and four high priority advisories. Thomas Fritsch, SAP security researcher at Onapsis, says this number is above the software maker’s average.
Of the new HotNews advisories, #3479478 (CVE-2024-41730) received a CVSS rating of 9.8 and resolves a denial-of-service vulnerability in SAP BusinessObjects Business Intelligence Platform.
“If Single Sign On Enterprise authentication is enabled, an unauthorized user can obtain a login token via a REST endpoint,” warned Fritsch. “The attacker can completely compromise the system, which has a significant impact on confidentiality, integrity and availability.”
43 more vulnerabilities for Intel
Intel joined the patch party this month with a whopping 43 security advisories that address numerous software and hardware vulnerabilities. Nine of them are rated as severe, so let’s start with those:
Updates for Intel Ethernet controllers and adapters resolve CVEs that could allow escalation of privilege or denial of service.
Defects in some Intel NUC BIOS firmware may allow escalation of privilege, denial of service, and information disclosure.
Vulnerabilities in the stream caching mechanisms of Intel Core Ultra processors and Intel processors could allow escalation of privilege.
Errors in the Intel Trust Domain Extensions Module (Intel TDX) software can result in a denial of service.
A security vulnerability in the SMI Transfer Monitor (STM) could allow an escalation of privileges.
Defects in some Intel Agilex FPGA firmware and some Intel Server Board S2600ST family firmware may allow escalation of privilege.
Finally, some Intel UEFI Integrator tools on Aptio V for Intel NUC are vulnerable to an escalation of privilege flaw.