Microsoft releases patches for 90 flaws, including 10 critical zero-day exploits
August 14, 2024 | Ravie Lakshmanan | Windows Security / Vulnerability

Microsoft on Tuesday released fixes for a total of 90 security vulnerabilities, including 10 zero-days, six of which are being actively exploited in the wild.

Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is in addition to the 36 vulnerabilities the tech giant has patched in its Edge browser since last month.

The Patch Tuesday updates are notable because they address six actively exploited zero-days:

  • CVE-2024-38189 (CVSS Score: 8.8) – Microsoft Project Remote Code Execution Vulnerability
  • CVE-2024-38178 (CVSS Score: 7.5) – Windows Scripting Engine Memory Corruption Vulnerability
  • CVE-2024-38193 (CVSS Score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2024-38106 (CVSS Score: 7.0) – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2024-38107 (CVSS Score: 7.8) – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
  • CVE-2024-38213 (CVSS Score: 6.5) – Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38213, which allows attackers to bypass SmartScreen protections, requires an attacker to send the user a malicious file and convince them to open it. Discovery and reporting of the flaw is credited to Peter Girnus of Trend Micro, who suggests that it could be a bypass for CVE-2024-21412 or CVE-2023-36025, both of which were previously exploited by DarkGate malware operators.
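What a Mark-of-the-Web bypass actually produces is a file that arrived from the Internet but carries no Zone.Identifier stream, so SmartScreen and Office Protected View never see a reason to distrust it. The following PowerShell audit is an added example (not code from the article, Microsoft or Trend Micro) that walks a download folder and lists risky file types that either lack the mark or carry a trusted zone; the default folder, the extension list and the function names are the author's choices.

```powershell
# Added example, not code from the article or from Microsoft/Trend Micro.
# Audits a folder for the Mark of the Web (MotW): the Zone.Identifier alternate data
# stream that SmartScreen and Office Protected View consult before trusting a file that
# came from the Internet. A bypass of the kind described for CVE-2024-38213 leaves a
# downloaded file without this mark, so the audit lists risky file types that have none.
# Assumptions: NTFS volume, Windows PowerShell 5.1 or PowerShell 7 on Windows; the
# default folder and the "risky" extension list are the author's choices.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# URLZONE values as written by Windows (3 = Internet is what triggers SmartScreen).
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# File types worth flagging when they carry no MotW (hypothetical list, extend as needed).
$RiskyExtensions = '.exe', '.dll', '.msi', '.lnk', '.url', '.js', '.vbs', '.hta',
                   '.ps1', '.bat', '.cmd', '.iso', '.img', '.vhd', '.zip'

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$File)

    $info = [ordered]@{ File = $File; HasMotw = $false; ZoneId = $null; Zone = 'none'; HostUrl = $null }

    # Get-Item -Stream returns nothing (no error) when the alternate data stream is absent.
    $stream = Get-Item -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $info.HasMotw = $true
        $raw = Get-Content -LiteralPath $File -Stream Zone.Identifier -Raw
        # Typical stream content written by a browser:
        #   [ZoneTransfer]
        #   ZoneId=3
        #   ReferrerUrl=https://example.test/
        #   HostUrl=https://example.test/download/file.exe
        if ($raw -match '(?m)^ZoneId=(\d+)') {
            $info.ZoneId = [int]$Matches[1]
            $info.Zone = if ($ZoneNames.ContainsKey($info.ZoneId)) { $ZoneNames[$info.ZoneId] } else { "unknown($($info.ZoneId))" }
        }
        if ($raw -match '(?m)^HostUrl=(.+)$') { $info.HostUrl = $Matches[1].Trim() }
    }
    [pscustomobject]$info
}

function Find-UnmarkedRiskyFiles {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $RiskyExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Get-MotwInfo -File $_.FullName } |
        Where-Object {
            # Flag files with no mark at all, marks without a ZoneId line, and marks that
            # claim a trusted zone (0-2), since only zones 3 and 4 make SmartScreen look.
            (-not $_.HasMotw) -or ($null -eq $_.ZoneId) -or ($_.ZoneId -lt 3)
        }
}

Find-UnmarkedRiskyFiles -Folder $Path | Format-Table File, HasMotw, Zone, HostUrl -AutoSize
```

Run it as `.\Audit-Motw.ps1 -Path C:\Users\alice\Downloads`. A hit in this list is not proof of a bypass, since files copied from removable media or unpacked by some archivers also lack the mark, but any executable type in a download folder with no Zone.Identifier deserves a second look, and the HostUrl column is a quick way to see where the marked ones came from.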

This development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 3, 2024.

The following four CVEs are listed as publicly known:

  • CVE-2024-38200 (CVSS Score: 7.5) – Microsoft Office Spoofing Vulnerability
  • CVE-2024-38199 (CVSS Score: 9.8) – Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
  • CVE-2024-21302 (CVSS Score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
  • CVE-2024-38202 (CVSS Score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability

“An attacker could exploit this vulnerability by tricking a victim into accessing a specially crafted file, likely via a phishing email,” said Scott Caveza, research engineer at Tenable, regarding CVE-2024-38200.

“Successful exploitation of the vulnerability could allow the victim to expose New Technology LAN Manager (NTLM) hashes to a remote attacker. NTLM hashes can be abused in NTLM relay or pass-the-hash attacks to increase an attacker’s foothold in an organization.”
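The leak Caveza describes depends on the victim's machine being willing to start an NTLM authentication with an attacker-controlled server. The PowerShell below is an added example (not code from the article, Tenable or Microsoft) that reports the LSA policy controlling outbound NTLM, optionally moves it to audit or deny, pulls the audit events that show what would break, and adds an outbound SMB block as a second layer. The registry value and its meanings are those documented for the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"; the firewall rule name and function names are the author's choices.

```powershell
# Added example, not code from the article, Tenable or Microsoft.
# Reports, and optionally hardens, the LSA policy that governs outbound NTLM, which is
# the channel a forced-authentication lure like the one described for CVE-2024-38200
# relies on: the victim's host authenticates to an attacker-controlled server and hands
# over an NTLM response that can be relayed or cracked. Auditing or denying outbound
# NTLM plus blocking SMB to the Internet removes that channel even on unpatched hosts.
# Assumptions: elevated PowerShell on Windows; registry value and meanings are those
# documented for "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
# servers"; the firewall rule name is the author's choice.
param(
    [ValidateSet('Report', 'Audit', 'Deny')][string]$Mode = 'Report'
)

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'
$Meaning   = @{ 0 = 'Allow all (default)'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutboundNtlmPolicy {
    $item  = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    # A missing value means "not configured", which behaves like Allow all.
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    [pscustomobject]@{ Value = $value; Meaning = $Meaning[$value] }
}

function Set-OutboundNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $LsaKey)) { New-Item -Path $LsaKey -Force | Out-Null }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-RecentOutboundNtlmAudits {
    # With the policy at 1 (Audit), each outbound NTLM authentication that *would* be
    # blocked is logged as event 8001 in Microsoft-Windows-NTLM/Operational. Review
    # these for legitimate targets (NAS boxes, non-domain servers) before moving to Deny.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Block-OutboundSmbToInternet {
    # Second layer: even where NTLM stays allowed, the SMB leg of the lure must not reach
    # Internet addresses. "Internet" is a built-in address keyword of the firewall cmdlets.
    $name = 'Block outbound SMB (TCP 445) to Internet addresses'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

$before = Get-OutboundNtlmPolicy
Write-Host ("Outbound NTLM policy: {0} ({1})" -f $before.Value, $before.Meaning)

switch ($Mode) {
    'Audit' { Set-OutboundNtlmPolicy -Value 1 }
    'Deny'  { Set-OutboundNtlmPolicy -Value 2; Block-OutboundSmbToInternet }
}

if ($Mode -ne 'Report') {
    $after = Get-OutboundNtlmPolicy
    Write-Host ("Outbound NTLM policy now: {0} ({1})" -f $after.Value, $after.Meaning)
}

Get-RecentOutboundNtlmAudits | Format-Table -AutoSize
```

Start with `-Mode Audit`, let the 8001 events accumulate for a few days, and only then switch to `-Mode Deny`; a blanket deny breaks NTLM to any server that cannot do Kerberos, so the audit log is what tells you which exceptions to add. Note that the firewall rule covers only SMB; a lure that points at a WebDAV share rides on TCP 80/443, which is why the LSA policy, not the firewall, is the control that actually closes the channel.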

The update also resolves a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), which could allow an attacker to gain SYSTEM privileges. “Successful exploitation of this vulnerability requires an attacker to win a race condition,” Microsoft said.

However, Microsoft has yet to release updates for CVE-2024-38202 and CVE-2024-21302, which could be exploited to stage a downgrade attack against the Windows update architecture and replace current versions of operating system files with older versions.

The disclosure follows a report from Fortra about a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) that could result in a system crash and a Blue Screen of Death (BSoD).

When asked for comment, a Microsoft spokesperson told The Hacker News that the issue “does not meet the criteria for immediate resolution under our severity rating guidelines and we will consider it for a future product update.”

“The technique described requires an attacker to have already obtained code execution capabilities on the target machine and does not grant elevated privileges. We encourage customers to practice good computing habits online, including caution when running programs that are not recognized by the user,” the spokesperson added.

Third-party software patches

In addition to Microsoft, security updates have also been released in recent weeks by other vendors to address several vulnerabilities, including: