Microsoft fixes 6 zero-days under active attack
August 2024 Patch Tuesday is here, and Microsoft has delivered fixes for 90 vulnerabilities, six of which have been exploited in the wild as zero-days, and four are publicly known.
The zero-days under attack
CVE-2024-38178 is a Scripting Engine Memory Corruption Vulnerability that could lead to remote code execution. Reported by AhnLab and South Korea’s National Cyber Security Center (NCSC), the flaw can be successfully exploited only if the target uses Microsoft Edge in Internet Explorer Mode.
This attack requires an authenticated client (user) to click on a specially crafted URL for an unauthenticated attacker to initiate remote code execution, Microsoft says.
“While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration,” says Kevin Breen, Senior Director Cyber Threat Research at Immersive Labs.
CVE-2024-38106 is a bug in the Windows Kernel that could be exploited by attackers to gain SYSTEM privileges. To exploit the vulnerability, the attacker must win a race condition – a non-trivial endeavor – but as Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative noted, some races are easier to run than others.
“It’s times like this where the CVSS can be misleading. Race conditions do lead to complexity high in the CVSS score, but with attacks in the wild, it’s clear this bug is readily exploitable,” he added.
CVE-2024-38107 is another bug that allows privilege escalation, and it’s found in Windows Power Dependency Coordinator, which helps Windows devices to wake from “sleep” instantly. The exploitation vector is “local”, so either an attacker can access the target system locally, or can trick the user into performing the actions required. Unfortunately, Microsoft does not offer more details about the in-the-wild exploitation.
CVE-2024-38193, found in Windows Ancillary Function Driver for WinSock, can also lead to privilege escalation and can also only be exploited “locally”. Again, Microsoft does not offer any specific details, but the identity of the reporters – Luigino Camastra and Martin Milánek with Gen Digital (i.e., its subsidiary Avast) – may point to the goal of the attack: malware execution with SYSTEM privileges.
CVE-2024-38213 allows attackers to bypass the Windows SmartScreen, which is triggered by a Windows Mark of the Web “flag” added to files downloaded from untrusted locations (e.g., the internet). “An attacker must send the user a malicious file and convince them to open it,” Microsoft says, and this is obviously happening in the wild.
“This vulnerability is not exploitable on its own and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing on compromised websites,” says Breen.
Peter Girnus, a researcher with Trend Micro who flagged this bug, is expected to reveal more about it, and possibly about the attacks exploiting it, on Thursday.
Finally, CVE-2024-38189 is a vulnerability in Microsoft Project that can be triggered by tricking targets into opening a specially crafted Project file on a system where the “Block macros from running in Office files from the Internet” policy is disabled and “VBA Macro Notification Settings” are not enabled.
The vulnerability could allow attackers to achieve remote code execution on the host, Microsoft warns.
“It’s definitely odd to see a code execution bug in Project, but not only do we have one here, it’s being exploited in the wild. For the most part, this is your typical open-and-own bug, but in this case, the target allows macros to run from the internet,” Childs commented.
“This is not dissimilar to many common phishing attacks where threat actors will name their weaponised documents to play on human social behaviors, socially engineering them into opening the file. Examples include fake invoices, internal salary documents, and even thematic lures for individuals in more targeted attacks,” Breen pointed out.
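The two settings named above as preconditions for CVE-2024-38189 can be audited on a host from PowerShell. This is an added example, not code from the article or from Microsoft; it assumes the Office 16.0 registry layout, that the Project policy subkey is named “MS Project”, and that it uses the same value names as Word and Excel (hypothetical, verify against your policy templates).

```powershell
# Added example, not from the article: audit the two Office settings the article
# names as preconditions for exploiting CVE-2024-38189 in Microsoft Project.
# Assumptions: Office 16.0 registry layout; the Project policy subkey is named
# "MS Project" and uses the same value names as Word/Excel (hypothetical here).
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$UserRoot   = 'HKCU:\Software\Microsoft\Office\16.0'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: setting not configured
}

function Test-OfficeMacroExposure {
    param([string[]]$Apps = @('MS Project', 'Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $pol  = "$PolicyRoot\$app\Security"
        $user = "$UserRoot\$app\Security"

        # 1 = "Block macros from running in Office files from the Internet" enforced
        $block      = Get-RegDword -Path $pol -Name 'blockcontentexecutionfrominternet'
        $blockState = if ($block -eq 1) { 'Enabled' } else { 'Not enforced' }

        # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
        # 3 = disable except signed, 4 = disable all silently. Policy overrides user.
        $vbaPolicy = Get-RegDword -Path $pol  -Name 'VBAWarnings'
        $vbaUser   = Get-RegDword -Path $user -Name 'VBAWarnings'

        # Matches the article's preconditions: block policy off and no policy-enforced
        # macro notification setting (a user-level setting can be changed by the user).
        $matches = ($block -ne 1) -and ($null -eq $vbaPolicy)

        [pscustomobject]@{
            App                        = $app
            BlockInternetMacros        = $blockState
            VBAWarningsPolicy          = $vbaPolicy
            VBAWarningsUser            = $vbaUser
            MatchesArticlePrecondition = $matches
        }
    }
}

Test-OfficeMacroExposure | Format-Table -AutoSize
```

Rows where MatchesArticlePrecondition is True are hosts on which a crafted Project file would not be stopped by either control the article mentions; enforcing the block policy removes that condition.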
The publicly known vulnerabilities
CVE-2024-38200, a spoofing vulnerability affecting Microsoft Office unearthed by Jim Rush of PrivSec Consulting and Metin Yunus Kandemir with Synack’s Red Team, may allow attackers to grab and relay the target’s NTLM hash.
An alternative fix has already been put in place by Microsoft, but users are advised to implement the final one released today.
CVE-2024-21302, an EoP flaw in Windows Secure Kernel Mode, and CVE-2024-38202, an EoP in the Windows Update Stack, were revealed by SafeBreach researcher Alon Leviev at Black Hat last week.
They can be leveraged for a covert downgrade attack, making vulnerable Windows machines even more vulnerable by reintroducing previously mitigated vulnerabilities.
CVE-2024-21302 has a fix (sort of), which includes deploying a Microsoft-signed revocation policy. A fix for CVE-2024-38202 is still in the works, but mitigations have been outlined.
CVE-2024-38199 is a use-after-free flaw in the Windows Line Printer Daemon (LPD) Service that can be exploited by an unauthenticated attacker sending a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network.
“Successful exploitation could result in remote code execution on the server,” Microsoft says, but the good news is that LPD has been deprecated for over 10 years and – more importantly – it is not installed or enabled on systems by default. Still, if you are running LPD, definitely treat this as a Critical update, Childs advised.
The Mark of the Web bypass that has been used for years by attackers to avoid Windows SmartScreen and Smart App Control has not been fixed this time around.
To wrap it up, let’s mention that several critical vulnerabilities were fixed that require no action from customers to resolve.
This group includes two server-side request forgery (SSRF) flaws discovered by Tenable researchers, one (CVE-2024-38206) in Microsoft’s Copilot Studio (an AI-powered chatbot) that could lead to information disclosure, and the other (CVE-2024-38109) affecting Azure Health Bot, which can be abused to escalate privileges and access cross-tenant resources.
UPDATE (August 14, 2024, 05:53 a.m. ET):
The number of exploited and public vulnerabilities has somewhat obscured the importance of a quick implementation of the patch for CVE-2024-38063.
CVE-2024-38063 is a critical flaw in Windows TCP/IP that could allow remote code execution on Windows and Windows Server machines that have IPv6 enabled.
“An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,” Microsoft says, and assesses that the vulnerability is more likely to be exploited, because “exploit code could be created in such a way that an attacker could consistently exploit this vulnerability,” and because “Microsoft is aware of past instances of this type of vulnerability being exploited.”
IPv6 support is enabled by default on Windows and Windows Server machines and, in general, Microsoft advises against disabling it – especially on the latter.
The reporter of the vulnerability – Xiao Wei at Cyber KunLun’s KunLun Lab – says that “the bug triggers before [local firewall] handling the packet,” which means that blocking IPv6 on it won’t help against exploits. Another reason to patch this bug quickly!
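Because the article says the bug triggers before the local firewall handles the packet, the practical question for a defender is which adapters actually have IPv6 bound and what addresses they hold. The following inventory script is an added example, not code from the article or from Microsoft; it assumes the NetAdapter and NetTCPIP PowerShell modules are available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the article: list adapters on this host that have
# IPv6 bound, since the article states the CVE-2024-38063 bug triggers before
# the local firewall sees the packet, so host firewall rules are no mitigation.
# Assumes the NetAdapter / NetTCPIP modules (Windows 8 / Server 2012 and later).
function Get-IPv6Exposure {
    $bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction Stop
    foreach ($b in $bindings) {
        $addrs = @()
        if ($b.Enabled) {
            $addrs = @(Get-NetIPAddress -InterfaceAlias $b.Name -AddressFamily IPv6 `
                        -ErrorAction SilentlyContinue)
        }
        # Link-local (fe80::/10) addresses are reachable only from the same segment;
        # any other non-loopback address may be reachable from farther away.
        $linkLocal = @($addrs | Where-Object { $_.IPAddress -like 'fe80:*' })
        $other     = @($addrs | Where-Object {
            $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -ne '::1' })

        [pscustomobject]@{
            Adapter   = $b.Name
            IPv6Bound = $b.Enabled
            LinkLocal = ($linkLocal.IPAddress -join ', ')
            OtherIPv6 = ($other.IPAddress -join ', ')
        }
    }
}

# Microsoft advises against disabling IPv6; this output is for prioritising patching.
Get-IPv6Exposure | Format-Table -AutoSize
```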