Microsoft has released the monthly round of Patch Tuesday security updates, with fixes for a total of 90 vulnerabilities across the Windows ecosystem. Of these, the Microsoft Security Response Center warns that five Windows vulnerabilities have confirmed and active cyber attacks against them already. So serious are these zero-day security issues that the U.S. Cybersecurity and Infrastructure Security Agency has added all of them to the Known Exploited Vulnerabilities Catalog with an update compliance date of September 3.
Prioritize Vulnerability Patching To Keep Pace With Threat Activity
While the CISA due date of September 3, or three weeks after the Windows zero-day vulnerabilities are added to the KEV catalog, applies to certain federal civilian executive branch agencies under U.S. Government Binding Operational Directive 22-01, that doesn’t let everyone else, including you, off the hook. CISA said that the KEV catalog is published for the benefit of “the cybersecurity community and network defenders,” and to help “every organization better manage vulnerabilities and keep pace with threat activity.” In other words, in order to reduce your exposure to cyber attack, all organizations, and consumers for that matter, should pay attention to updating their systems to mitigate known vulnerabilities. For most consumers that simply means ensuring that the latest Patch Tuesday security updates have been applied in full, but for organizations which are required to test any update before applying it to live systems, dare I mention CrowdStrike blue screens of death, it means taking note of KEV entries as part of their patch management prioritzation process.
The Five August 2024 Windows Zero-Day Vulnerabilities Explained
CVE-2024-38178 is a Windows scripting engine memory corruption vulnerability which could allow an attacker to initiate remote code execution on the affected system. This zero-day is rated 7.6 with a severity of important, affecting Windows 10, Windows 11 as well as Windows Server 2012 and later. “The attacker would need to prepare the target so that it would use Edge in Internet Explorer Mode to execute a specially crafted file,” Chris Goettl, vice president of security product management at Ivanti, said, “risk-based guidance would treat this update as a higher severity than important and to remediate as soon as possible.”
CVE-2024-38213 is a Windows ‘Mark of the Web’ security feature bypass vulnerability that could enable an attacker to bypass SmartScreen user protection on Windows 10, Windows 11 as well as Windows Server 2012 and later. “This feature is designed as an extra layer of defence-in-depth by marking files that are downloaded from the internet as untrusted,” Kev Breen, senior director cyber threat research at Immersive Labs, said. “This vulnerability is not exploitable on its own,” Breen advised, “and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing on compromised websites.”
CVE-2024-38193 is an elevation of privilege vulnerability in the Windows ancillary function driver for WinSock, affecting Windows 10, Windows 11 and Windows Server 2008 and later. “Successful exploitation is via a use-after-free memory management bug, and could lead to SYSTEM privileges,” Adam Barnett, lead software engineer with Rapid7, said. “The advisory doesn’t provide further clues, but with existing in-the-wild exploitation, low attack complexity, no user interaction involved, and low privileges required, this is one to patch immediately to keep malware at bay.”
CVE-2024-38106 is a Windows kernel elevation of privilege vulnerability affecting Windows 10, Windows 11 and Windows Server 2016 and later. “This vulnerability arises when sensitive data is stored in memory that lacks adequate protection,” Mike Walters, president and co-founder of Action1, said, “permitting a low-privileged attacker to manipulate the memory content and escalate their privileges to the SYSTEM level.” The good news is that there is quite a challenge in exploiting this one, that being “the necessity to exploit the race condition with precise timing,” Walters said, “aiming to gain control over the memory before it is securely locked or accessed.”
CVE-2024-38107 is a use-after-free elevation of privilege vulnerability affecting the Windows power dependency coordinator. Impacting Windows 10, Windows 11 and Windows 2012 or later, this zero-day vulnerability “occurs when a program continues to use a pointer to memory after it has been freed,” Walters said, “potentially leading to arbitrary code execution or system control.” An attacker would need local access to the target machine, with low privileges, but the impacts of successful exploitation are significant according to Walters: “This elevated access could be used to disable security mechanisms, deploy additional malware, or facilitate lateral movement within the network.”
