Microsoft is addressing 88 vulnerabilities this August 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for ten of the vulnerabilities published today, which is significantly more than usual. At time of writing, all six of the known-exploited vulnerabilities patched today are listed on CISA KEV. Microsoft is also patching five critical remote code execution (RCE) vulnerabilities today. 11 browser vulnerabilities have already been published separately this month, and are not included in the total.
Patch Tuesday watchers will know that today’s haul of four publicly-disclosed vulnerabilities and six further exploited-in-the-wild vulnerabilities is a much larger batch than usual. We’ll first address those vulnerabilities where public disclosure exists but no patch is available: the noteworthy Windows OS downgrade attacks disclosed at Black Hat last week. We’ll then examine those vulnerabilities published today which Microsoft knows to be exploited in the wild already, and then take a look at the other publicly-disclosed vulnerabilities published this month.
Windows Update: 50% patched zero-day Downdate attack
First things first: what if your patched Windows asset suddenly wasn’t patched, up to and including the hypervisor? That was the question asked and answered in a Black Hat talk by SafeBreach last week. In response, Microsoft has published two vulnerabilities. Microsoft was first notified of these vulnerabilities back in February 2024, and the advisories concede that the Black Hat talk was “appropriately coordinated with Microsoft.”
CVE-2024-38202 describes an elevation of privilege vulnerability in the Windows Update Stack, and exploitation requires that an attacker convinces an administrative user to perform a system restore — unusual, certainly, but social engineers can accomplish many things. Microsoft optimistically assesses exploitation of this vulnerability as less likely. The advisory does not explain how a user with basic privileges can modify the target asset’s System directory, which is required to plant the malicious system restore files, although the SafeBreach write-up does explain the flaw in significant detail. No patch is yet available, although the advisory states that a security update to mitigate this threat is under development. Microsoft provides several recommended actions, which do not mitigate the vulnerability, but can at least provide additional barriers to exploitation and put in place some useful additional visibility of the attack surface and exploitation attempts. One possible outcome of exploitation is that an attacker could modify the integrity and repair utility so that it will no longer detect corruptions in Windows system files.
CVE-2024-21302 is the second half of the downgrade attack pair discovered by SafeBreach. Exploitation allows an attacker with administrator privileges to replace updated Windows system files with older versions and thus reintroduce vulnerabilities to Virtualization-based security (VBS). Patches are available; however, defenders must note that the patch does not automatically remediate assets, but instead delivers an opt-in Microsoft-signed revocation policy, which brings with it the risk of a boot loop if applied and then improperly reverted. Significant guidance is available under KB5042562: Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates.
Windows WinSock: zero-day EoP
Moving on to known-exploited vulnerabilities: the Windows Ancillary Function Driver for WinSock receives a patch for exploited-in-the-wild elevation of privilege vulnerability CVE-2024-38193. Successful exploitation is via a use-after-free memory management bug, and could lead to SYSTEM privileges. The advisory doesn’t provide further clues, but with existing in-the-wild exploitation, low attack complexity, no user interaction involved, and low privileges required, this is one to patch immediately to keep malware at bay.
Windows Power Dependency Coordinator: zero-day EoP
While we’re looking at exploited-in-the-wild, use-after-free vulnerabilities with minimalist advisories: CVE-2024-38107 also leads to SYSTEM privileges via abuse of the Windows Power Dependency Coordinator, which allows Windows computers to wake almost instantly from sleep. Of course, nothing comes for free: this vulnerability requires no user interaction, has low attack complexity, and requires low privileges. Patch all your Windows assets sooner rather than later.
Windows Kernel: zero-day EoP
Still on the topic of exploited-in-the-wild, elevation-to-SYSTEM vulnerabilities: CVE-2024-38106 requires an attacker to win a race condition which falls under CWE-591: Sensitive Data Storage in Improperly Locked Memory. Although the advisory for CVE-2024-38106 does not provide further detail, a reasonable assumption here might be that the vulnerability could be similar to CVE-2023-36403, where exploitation relies on a flaw in the way the Windows kernel handles locking for registry virtualization, which allows Windows to redirect globally-impactful registry read/write operations to per-user locations to support legacy applications which are not UAC-compatible. Curiously, Windows Server 2012 does not receive a patch for CVE-2024-38106, so either the vulnerability was introduced in a later codebase, or Microsoft is hoping that attackers won’t notice.
Windows SmartScreen: zero-day MotW bypass
CVE-2024-38213 describes a Mark of the Web (MotW) security bypass vulnerability in all current Windows products. An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW. CVE-2024-38213 likely offers less utility to attackers than a broadly-similar SmartScreen bypass published in February 2024, since unlike today’s offering, the advisory for the previous CVE-2024-21351 also described the potential for code injection into SmartScreen itself. The lower CVSSv3 base score for today's CVE-2024-38213 reflects that difference.
Edge Internet Explorer mode: zero-day EoP
Although Edge RCE vulnerability CVE-2024-38178 is already known to be exploited in the wild, it likely won’t be top of anyone’s list of greatest concerns this month. The advisory clarifies that successful exploitation would require the attacker to not only convince a user to click a malicious link, but also to first prepare the target asset so that it uses Edge in Internet Explorer Mode. IE Mode provides backwards-compatibility functionality so that users can view legacy websites which rely on the fascinating idiosyncrasies of Internet Explorer; such sites are often served by enterprise legacy web applications, which goes a long way to explaining Microsoft’s continued motivation to keep Internet Explorer somewhat alive. If not already enabled on the target asset, the attacker would have to achieve a modification of Edge settings to enable the “Allow sites to be reloaded in Internet Explorer” setting. Subsequent exploitation would involve convincing the user to open an Internet Explorer mode tab within Edge and then opening the malicious URL. Remediation involves patching Windows itself; all current versions of Windows are affected.
Microsoft Project: zero-day RCE
Rounding out this month’s half dozen exploited-in-the-wild vulnerabilities is CVE-2024-38189, which describes RCE in Microsoft Project. Exploitation requires that an attacker convince the user to open a malicious file, and is possible only where the “Block macros from running in Office files from the Internet” policy is disabled — it is enabled by default — and the “VBA Macro Notification Settings” are set to a low enough level. Happily, the Preview Pane is not an attack vector in this case.
Microsoft Office: zero-day spoofing
Published last week to acknowledge its public disclosure, and patched today for all current versions of Office, CVE-2024-38200 describes a spoofing vulnerability. Exploitation requires that the user click a malicious link. Although the advisory doesn’t describe the impact, the weakness is CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and the FAQ mentions outgoing NTLM traffic; reading between the lines, it’s highly likely that NTLM hashes are exposed upon successful exploitation.
The advisory suggests mitigating factors which may already apply, or which may prove helpful to improve security posture: adding users to the Protected Users Security Group, which prevents the use of NTLM authentication, and blocking outbound SMB connections to port 445. Both of these mitigation measures may break legacy authentication in some scenarios.
Somewhat unusually, Microsoft claims to have fixed this vulnerability twice, since in addition to today’s patches, an alternative fix was enabled via Feature Flighting on 2024-07-30 for all in-support versions of Office and 365. Microsoft still recommends that customers update to the 2024-08-13 patches to receive the final version of the fix. Somewhat confusingly, the FAQ then goes on to say that the Security Updates table will be revised when the update is publicly available; however, it’s likely that Microsoft will update the FAQ in the near future to clarify that this was a minor FAQ editing oversight rather than a suggestion that further patches are expected.
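A posture check for the two CVE-2024-38200 mitigations named above, as an added example that is not part of the Rapid7 post or any Microsoft guidance. It assumes a domain-joined host with the ActiveDirectory RSAT module available for the group lookup (the firewall check is purely local), and `$UserName` is a parameter chosen here for illustration.

```powershell
# Added example: report whether a given user is covered by the Protected Users
# group (no NTLM at all) and whether this host has an enabled outbound block
# rule for TCP 445. Both settings can break legacy authentication; this script
# only reports, it changes nothing.
param(
    [Parameter(Mandatory)][string]$UserName   # assumed parameter, e.g. 'jdoe'
)

# 1. Protected Users membership: members cannot authenticate with NTLM, so a
#    Net-NTLM response coerced out of this user would not be usable.
$inProtected = $false
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $inProtected = $members -contains $UserName
} else {
    Write-Warning 'ActiveDirectory module not available; skipping Protected Users check.'
}

# 2. Outbound SMB: any enabled, outbound, Block rule whose port filter covers TCP 445?
#    A rule scoped to 'Any' remote address also blocks internal file shares;
#    production rules are normally scoped with -RemoteAddress to non-internal ranges.
$blockRules = @(
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and
        ($pf.RemotePort -contains '445' -or $pf.RemotePort -eq 'Any')
    }
)

[pscustomobject]@{
    User                  = $UserName
    InProtectedUsers      = $inProtected
    OutboundSmbBlockRules = $blockRules.Count
    Assessment            = if ($inProtected -and $blockRules.Count -gt 0) {
                                'Both advisory mitigations present'
                            } elseif ($inProtected) {
                                'NTLM blocked for user; no egress 445 block rule on this host'
                            } elseif ($blockRules.Count -gt 0) {
                                'Egress 445 blocked; user can still authenticate with NTLM'
                            } else {
                                'Neither mitigation present; rely on the Office patch'
                            }
}
```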
Windows Line Printer Daemon: zero-day RCE
Line Printer Daemon (LPD) vulnerabilities are like buses: you wait ages for one, and then two come along in quick succession. Last month’s denial of service vulnerability is now joined by CVE-2024-38199, a publicly-disclosed RCE vulnerability. Exploitation requires that an attacker sends a malicious print task to a shared vulnerable Windows Line Printer Daemon service across the network. Many admins won’t need to worry about this vulnerability, since Microsoft has been encouraging everyone to migrate away from LPD for almost a decade, and it isn’t installed by default on Windows products newer than Server 2012. Still, patches are available for Windows Server 2008 SP2, Server 2022 23H2, and everything in between.
Windows TCP/IP IPv6: critical RCE
Some vulnerabilities are described as remote code execution, but require the user to click a dodgy link or open a malicious file. However, this isn't the case for CVE-2024-38063, which describes an integer underflow/wraparound in the Windows IPv6 stack. The advisory states that an attacker can achieve RCE by repeatedly sending IPv6 packets, including specially crafted packets, to a Windows asset.
With a base CVSSv3 score of 9.8, the only thing saving CVE-2024-38063 from a perfect 10 is the lack of scope change, but since successful exploitation will presumably lead to RCE with SYSTEM privileges, that might be an academic distinction. All versions of Windows are affected, unless the IPv6 stack — which is enabled by default — has been disabled. Note that unbinding the IPv6 stack from a network interface is not the same thing as disabling IPv6 on the asset altogether.
A detailed Rapid7 analysis of CVE-2024-38063 is available on AttackerKB, including a discussion of attacker value, and observations based on patch diffs. This analysis draws an important distinction between triggering the vulnerability at all vs. successfully achieving remote code execution, since the latter is typically much more difficult than simply causing an integer underflow to occur at all. The Windows kernel employs numerous techniques to frustrate memory corruption attacks; older Windows products offer fewer protections than the most recent ones, and remain vulnerable at least as far back as Server 2008.
The best protection at this time is to apply the official patch from Microsoft. If this is not possible, disabling IPv6 on the network adapter is the next best mitigation. Organizations can also evaluate if ingress IPv6 traffic is necessary on their networks.
CVE-2024-38063 doesn’t necessarily demonstrate anything concrete about IPv6 security, since it is not a protocol bug, but rather a vulnerability in Microsoft’s implementation of the IPv6 protocol stack. This means Linux and other systems using IPv6 would be entirely unaffected.
It is always useful to reduce attack surface where possible, especially when removing or disabling features that may expose users to vulnerabilities in tech stacks that those users do not directly rely on. In the case of IPv6, the majority of consumer Windows users will likely have no need for IPv6, and their networks will most likely still be using IPv4 exclusively. This may not be true in a corporate environment, where IPv6 may be required, so disabling the protocol might not be possible in some environments.
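An audit script for the distinction drawn above between unbinding IPv6 from an adapter and disabling the IPv6 stack on the asset, as an added example that is not from the Rapid7 post or from Microsoft. It assumes Windows 8 / Server 2012 or later (NetAdapter module), an elevated session for the optional `-UnbindIPv6` switch, and that the `Tcpip6\Parameters\DisabledComponents` registry value is the system-wide IPv6 switch, which is the long-documented Microsoft mechanism.

```powershell
# Added example: show, per adapter, whether ms_tcpip6 is bound and whether the host
# actually holds IPv6 addresses, alongside the system-wide DisabledComponents state.
# Reports by default; -UnbindIPv6 unbinds IPv6 from every adapter (honours -WhatIf).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$UnbindIPv6
)

# System-wide state. 0xFF in the low byte disables every IPv6 component; anything
# else leaves (parts of) the stack enabled regardless of adapter bindings.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled = (Get-ItemProperty -Path $regPath -Name DisabledComponents `
             -ErrorAction SilentlyContinue).DisabledComponents
$systemWide = if ($null -eq $disabled) {
                  'IPv6 stack enabled (DisabledComponents not set)'
              } elseif (($disabled -band 0xFF) -eq 0xFF) {
                  'IPv6 stack disabled system-wide (0xFF)'
              } else {
                  'IPv6 stack partially enabled (DisabledComponents=0x{0:X})' -f $disabled
              }
Write-Host "System-wide: $systemWide"

# Per-adapter binding of the IPv6 protocol component, plus whether any IPv6
# address is configured, which is what makes the host reachable for CVE-2024-38063.
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6
$report = foreach ($b in $bindings) {
    $addrs = @(Get-NetIPAddress -InterfaceAlias $b.Name -AddressFamily IPv6 `
               -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Adapter   = $b.Name
        IPv6Bound = $b.Enabled
        IPv6Addrs = $addrs.Count
        Exposure  = if (-not $b.Enabled)       { 'Unbound on this adapter' }
                    elseif ($addrs.Count -gt 0) { 'Reachable over IPv6' }
                    else                        { 'Bound, no IPv6 address' }
    }
}
$report | Format-Table -AutoSize

if ($UnbindIPv6) {
    foreach ($b in ($bindings | Where-Object Enabled)) {
        if ($PSCmdlet.ShouldProcess($b.Name, 'Disable ms_tcpip6 binding')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
        }
    }
    # Unbinding is the per-adapter mitigation the post describes; it does not
    # touch DisabledComponents, so the stack itself stays enabled on the asset.
    Write-Host 'Adapters unbound; DisabledComponents unchanged.'
}
```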
SharePoint & Exchange update
As something of an olive branch for defenders who may now be eyeing their to-do list with concern, Microsoft has not published any SharePoint or Exchange vulnerabilities this month.
Microsoft lifecycle update
All versions of Visual Studio for Mac retire on 2024-08-31 and will no longer receive any further updates — including security patches — after that date. The URL seems to anticipate that some people will have questions: https://learn.microsoft.com/en-us/visualstudio/mac/what-happened-to-vs-for-mac. Microsoft suggests the C# Dev Kit for Visual Studio Code as one possible alternative.