lconstantin
CSO Senior Writer

Microsoft patches six actively exploited vulnerabilities

News Analysis
13 Aug 2024 · 6 mins
Vulnerabilities, Zero-day vulnerability

Microsoft’s August Patch Tuesday covered 10 zero-day flaws, of which six are being exploited in the wild and four are publicly disclosed.

[Image: Windows update. Credit: Clint Patterson / Unsplash]

Microsoft fixed 88 vulnerabilities on Tuesday as part of its monthly patching cycle. Six of those flaws were already being actively exploited in the wild before a patch was available and another four were publicly disclosed, putting the total number of zero-day vulnerabilities covered in this release at 10.

Of the 88 vulnerabilities patched, only seven are rated critical, 79 are rated important, and one is rated moderate. But severity isn’t everything when it comes to prioritizing patch deployments, as attackers regularly exploit non-critical flaws as part of their attack chains.

“While this isn’t the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release,” researchers from Trend Micro’s Zero Day Initiative (ZDI) program wrote in an analysis.

The proximity to Black Hat and DEF CON may have played a part in that, however, as some of the publicly disclosed vulnerabilities came from talks given by security researchers last week at the two conferences. Those vulnerabilities might have been reported responsibly to Microsoft in advance, but weren’t considered severe enough to warrant out-of-band fixes — something that Microsoft typically reserves only for widely exploited zero-day vulnerabilities.

Six actively exploited flaws

Actively exploited vulnerabilities should be prioritized for patching regardless of whether they are rated critical or have other limiting factors. Microsoft doesn’t include details about the attacks using zero-day flaws in its advisories, so enterprises can’t know how sophisticated or widespread those attacks are unless the third-party organizations or researchers who reported them publish their own reports.

For example, one vulnerability, tracked as CVE-2024-38178, is described as a memory corruption vulnerability in the scripting engine that can result in remote code execution. Normally unauthenticated remote code execution vulnerabilities would be rated critical, but this flaw is rated as important (7.5 out of 10) because it can be exploited only when a user visits a specifically crafted link with Microsoft Edge running in Internet Explorer Mode.

Microsoft Edge normally uses the scripting engine from the open-source Chromium project, but it has a compatibility feature that allows users to open legacy sites with the old Trident MSHTML engine from Internet Explorer 11 (IE11). This is known as the Internet Explorer Mode.

While IE Mode is not widely used, it could be needed inside certain organizations to access old web applications that haven’t been re-engineered. Attackers who use this vulnerability in the wild could do so against targets they know open legacy sites in IE mode as part of daily workflows. The flaw was reported to Microsoft by South Korean cybersecurity firm AhnLab and South Korea’s National Cyber Security Center (NCSC).

Another actively exploited flaw is a remote code execution vulnerability in Microsoft Project tracked as CVE-2024-38189. The Microsoft Office project management program has not historically been targeted in attacks, unlike Word or Excel. To exploit this vulnerability, attackers would have to trick users into opening a maliciously crafted Microsoft Office Project file on a system where the default policy of blocking macros in Office files downloaded from the internet is disabled and the VBA Macro Notification Settings are not enabled.

Again, this is a non-default configuration suggesting that attackers may be using this in targeted attacks against victims they know have disabled these settings, or that they try to socially engineer into disabling them. The flaw is rated as important (8.8 out of 10); Microsoft did not disclose who reported this vulnerability.

A third actively exploited flaw, CVE-2024-38213, is described as a Windows Mark of the Web (MotW) security feature bypass and is rated moderate (6.5 out of 10). Windows automatically flags files downloaded from the internet with a MotW, which is an Alternate Data Stream (ADS) attached to the file when it is saved locally on an NTFS volume. NTFS is the default file system used by Windows. This ADS carries a ZoneId value; if the value is 3, the file was downloaded from the internet and is checked by SmartScreen, a Windows cloud-based file reputation feature.
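As an added example, not code from the article or from Microsoft, the following Python parses the INI-style text that Windows writes into a file’s Zone.Identifier stream and reports whether the MotW marks the file as internet-sourced (ZoneId=3); the stream name, field names and zone numbers are the ones Windows uses, while the sample stream content is constructed. On NTFS, `read_motw` opens the stream directly so a defender can audit whether downloaded files still carry their mark.

```python
"""Inspect the Mark of the Web (MotW) stored in the NTFS Zone.Identifier ADS."""
from dataclasses import dataclass
from typing import Optional

# URL security zone ids as written by Windows into the ZoneId field.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
INTERNET_ZONE = 3  # ZoneId=3 is what makes SmartScreen check the file


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown ({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        return self.zone_id == INTERNET_ZONE


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse Zone.Identifier text. Returns None when there is no usable
    [ZoneTransfer]/ZoneId, which is how a stripped MotW looks to a reader."""
    in_section, fields = False, {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"  # only this section matters
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    return MarkOfTheWeb(int(fields["zoneid"]), fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the Zone.Identifier ADS of a file on NTFS (Windows only).
    A missing stream raises OSError, meaning the file carries no MotW."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed sample of what a browser writes for a downloaded file.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/downloads/\r\n"
                 "HostUrl=https://example.com/files/report.zip\r\n")

if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_STREAM)
    print(motw.zone_name, motw.from_internet, motw.host_url)  # Internet True https://example.com/files/report.zip
```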

Avoiding this file reputation check is valuable to attackers, so many SmartScreen bypasses have been found and used by attackers over the years, especially by ransomware groups. Microsoft credits Trend Micro senior threat researcher Peter Girnus with reporting this latest bypass.

The last three actively exploited flaws are all privilege escalation issues in various Windows components: the Windows Ancillary Function Driver for WinSock (CVE-2024-38193), the Windows Power Dependency Coordinator (CVE-2024-38107), and the Windows Kernel (CVE-2024-38106). These vulnerabilities are rated important, with severity scores between 7 and 8.

Privilege escalation flaws are also sought after by attackers because they allow them to gain full control over a system after exploiting a remote code execution vulnerability or tricking users into opening a malicious file. These vulnerabilities typically give attackers SYSTEM privileges, the highest possible on a Windows system.

The United States Cybersecurity and Infrastructure Security Agency (CISA) added all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, which creates an obligation for government agencies to patch them by Sept. 3. However, the agency urges all organizations regardless of industry to prioritize patching them.

Other publicly disclosed zero-days

Of the four publicly disclosed vulnerabilities for which there is not yet evidence of in-the-wild exploitation, the most severe is a remote code execution flaw in Windows Line Printer Daemon (LPD) (CVE-2024-38199). This vulnerability, rated by Microsoft as important, has a severity score of 9.8 out of 10, which would normally make it critical based on the Common Vulnerability Scoring System (CVSS).

Attackers can exploit this flaw by sending a specially crafted print task to a shared vulnerable Windows LPD service across a network. Even though this feature has been deprecated since Windows Server 2012 and is not installed or enabled on systems by default, it is available as an optional component.

Another publicly disclosed vulnerability is a spoofing issue in Microsoft Office (CVE-2024-38200) that allows attackers to steal NTLM authentication hashes by tricking users into opening a file. This vulnerability was disclosed as part of a DEF CON talk called “NTLM – The Last Ride” by researchers Jim Rush and Tomais Williamson. Microsoft applied an alternative fix through Feature Flighting for Office and Microsoft 365 users on July 30 and its advisory includes mitigation advice.

The last two zero-day flaws are CVE-2024-38202 and CVE-2024-21302, which were disclosed as part of a Black Hat talk on performing a rollback of Windows Updates and reintroducing known vulnerabilities. These two vulnerabilities don’t yet have patches, but Microsoft published guidance on how to block potential rollback attacks.