
Update now! August Patch Tuesday covers several zero-days

Microsoft’s August Patch Tuesday covers 90 Microsoft CVEs and includes nine actively-exploited zero-days.

The Cybersecurity & Infrastructure Security Agency (CISA) has added six of these CVEs to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The actively exploited CVEs from Microsoft’s August Patch Tuesday include:

  • CVE-2024-38189 (CVSS score 8.8 out of 10): Microsoft Project Remote Code Execution (RCE) vulnerability. Although exploitation requires certain security features to be disabled, it is under active exploitation.

The Microsoft advisory about this vulnerability states:

“Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the Block macros from running in Office files from the Internet policy is disabled and VBA Macro Notification Settings are not enabled allowing the attacker to perform remote code execution.”

  • CVE-2024-38178 (CVSS score 7.5 out of 10): Microsoft Windows Scripting Engine Memory Corruption vulnerability. Although the attack requires an authenticated client to click a specially crafted URL in Microsoft Edge while using Internet Explorer mode before an unauthenticated attacker can achieve remote code execution, this vulnerability is under active exploitation.
  • CVE-2024-38213 (CVSS score 6.5 out of 10): Microsoft Windows SmartScreen Security Feature Bypass vulnerability. An attacker must send the user a malicious file and convince them to open it. Successful exploitation of this vulnerability could bypass the SmartScreen user experience. The flaw allows malware to leapfrog past the Mark of the Web (MotW) feature that alerts users when a file comes from an untrusted source.
  • CVE-2024-38193 (CVSS score 7.8 out of 10): Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation vulnerability. The WinSock application programming interface (API) uses the Ancillary Function Driver (AFD) to gain an entry point through which the Kernel can be accessed. This flaw puts the Winsock API in a vulnerable state, which a successful attacker can use to gain SYSTEM privileges on an unpatched machine.
  • CVE-2024-38106 (CVSS score 7.0 out of 10): Microsoft Windows Kernel Privilege Escalation vulnerability. Successful exploitation requires an attacker to win a race condition; a successful attacker could gain SYSTEM privileges. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Microsoft says the vulnerability has a high attack complexity; nevertheless, it’s actively exploited.
  • CVE-2024-38107 (CVSS score out of 10): Use-after-free vulnerability in Microsoft Windows Power Dependency Coordinator that could lead to privilege escalation. Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. In this case, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
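The CVE-2024-38189 advisory quoted above names two Office policy settings whose state decides whether a malicious Project file can run its macros. The PowerShell snippet below is an added example, not part of the original post, that reports those two settings per Office application so an administrator can spot the gap the advisory describes; the policy hive path, the value names `blockcontentexecutionfrominternet` and `vbawarnings`, and `ms project` as Project’s policy key are assumptions drawn from the documented Group Policy backing values, not from the page.

```powershell
# Added example (not from the original post). Assumptions, not page facts:
#   - Office policies live under HKCU:\Software\Policies\Microsoft\Office\16.0\<app>\Security
#   - blockcontentexecutionfrominternet = 1 means the policy "Block macros from
#     running in Office files from the Internet" is enabled
#   - vbawarnings is the "VBA Macro Notification Settings" policy:
#     1 = enable all macros, 2/3/4 = the three "disable" options; absent = not enabled
#   - 'ms project' is the policy key for Microsoft Project
$policyBase = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = @('ms project', 'word', 'excel', 'powerpoint')

function Get-OfficeMacroPolicyState {
    param([Parameter(Mandatory)][string]$App)

    $key   = Join-Path $policyBase "$App\Security"
    # Missing key or value -> $null, which we report as "Not configured"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $block = $props.blockcontentexecutionfrominternet
    $vba   = $props.vbawarnings

    $blockState = if ($block -eq 1)      { 'Enabled' }
                  elseif ($null -eq $block) { 'Not configured' }
                  else                      { 'Disabled' }
    $vbaState   = if ($null -eq $vba)    { 'Not configured' } else { [int]$vba }

    # The advisory's precondition: Internet-macro blocking not enabled AND the
    # notification policy not enabled. Value 1 ("enable all") is counted as a
    # gap too, since it offers no more protection than an unset policy.
    $gap = ($block -ne 1) -and (($null -eq $vba) -or ($vba -eq 1))

    [pscustomobject]@{
        Application          = $App
        BlockInternetMacros  = $blockState
        VbaWarnings          = $vbaState
        AdvisoryPolicyGap    = $gap
    }
}

# Print one row per application; AdvisoryPolicyGap = True marks hosts to fix
$apps | ForEach-Object { Get-OfficeMacroPolicyState -App $_ } | Format-Table -AutoSize
```

Run it under the user account whose Office settings you want to audit, since Office policies are applied per user; a `True` in the last column means the patch, not the policy, is the only thing standing between a malicious Project file and code execution.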

Another interesting vulnerability is CVE-2024-38200, an Office spoofing vulnerability, which we discussed separately.

Other vendors

Adobe released 11 security bulletins addressing at least 71 security vulnerabilities across a range of products, including Adobe Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, and Substance 3D Sampler/Substance 3D Designer.

Google released patches for 46 vulnerabilities in Android, including a remote code execution (RCE) vulnerability that it says has been used in limited, targeted attacks.

The FreeBSD Project released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges.

The so-called 0.0.0.0-day has been patched for Chrome, Safari, and Firefox.