Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update

Attackers are actively exploiting as many as six of the 90 vulnerabilities that Microsoft disclosed in its security update for August, making them a top priority for administrators this Patch Tuesday.

Another four CVEs in Microsoft's update were publicly known before the Aug. 13 disclosure, which also make them zero-days of a sort, even though attackers have not yet begun exploiting them. Among them, an elevation of privilege (EoP) bug in Windows Update Stack, tracked as CVE-2024-38202, is particularly troubling because Microsoft does not yet have a patch for it.

Unpatched Zero-Day

The unpatched flaw allows an attacker with "basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)," according to Microsoft. The company has assessed the bug as being only of moderate severity because an attacker would need to trick an administrator or user with delegated permissions into performing a system restore.

However, Scott Caveza, staff research engineer at Tenable, says that if an attacker were to chain CVE-2024-38202 with CVE-2024-21302 (an EoP flaw in the current update that affects Windows Secure Kernel), they would be able to roll back software updates without the need for any interaction with a privileged user. "CVE-2024-38202 does require 'additional interaction by a privileged user,' according to Microsoft," he says. "However, the chaining of CVE-2024-21302 allows an attacker to downgrade or roll back software versions without the need for interaction from a victim with elevated privileges." 

Caveza says each vulnerability can be exploited separately, but when combined, they could potentially have a more significant impact. 

In all, seven of the bugs that Microsoft disclosed this week are rated as critical. The company rated 79 CVEs — including the zero-days that attackers are actively exploiting — as "Important," or of medium severity, because they involve some level of user interaction or other requirement for an attacker to exploit. "While this isn't the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), in a blog post.

Zero-Days Under Active Exploit

Two of the vulnerabilities under active attack enable remote code execution (RCE) on affected systems. One of them, CVE-2024-38189, affects Microsoft Project Remote Code and impacts organizations that have disabled the VBA Macro Notification Settings on their systems. In these situations, an attacker could execute arbitrary code remotely if they are able to convince a user to open a malicious Microsoft Office Project file. "It's definitely odd to see a code execution bug in Project, but not only do we have one here, it's being exploited in the wild," Childs said. "For the most part, this is your typical open-and-own bug, but in this case, the target allows macros to run from the Internet."

The other zero-day RCE in Microsoft's latest update is CVE-2024-38178, a memory corruption vulnerability in Windows Scripting Engine Memory or Script Host. "Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode: The user would have to click on a specially crafted URL to be compromised by the attack," Microsoft said.

Kev Breen, senior director of threat research at Immersive Labs, said while IE is not the default mode for most users currently, the fact that attackers are actively exploiting the flaw suggests that there are organizations using this configuration. "Internet Explorer Mode is used where old websites or applications were built specifically for Internet Explorer and are not supported by modern HTML5 browsers like Chromium-based browsers," Breen said in an emailed statement. "For these sites and applications, organizations or users can enable this legacy mode to maintain compatibility with these applications," and thus could be at risk via the newly disclosed flaw.

Three of the zero-days in this update that attackers are actively exploiting — CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 — enable an attack to elevate privileges to system admin status.

Among them, CVE-2024-38106 is especially serious because it exists in the Windows Kernel. "The fundamental issue with CVE-2024-38106 stems from a race condition combined with improper memory handling within the Windows Kernel," said Mike Walters, president and CEO of Action 1, in emailed comments. "Sensitive data, which should be secured in locked memory, is instead vulnerable in a region accessible and modifiable," if an attacker can win a race condition with precise timing.

CVE-2024-38107 in Windows Power Dependency and CVE-2024-38193 in Windows Ancillary Function Driver for WinSock also enable attackers to gain system-level privileges. The three EoP flaws impact different core components of the OS, Breen said. "An attacker would already need to have gained code execution on the victim machine, either through lateral movement or another exploit, for example, a malicious document," to take advantage of the flaws.

The other zero-day under active exploit is CVE-2024-38213, a flaw that allows attackers to bypass Windows Mark of the Web (MoTW) security protections. The flaw is similar to other similar vulnerabilities in MoTW and gives attackers a way to sneak malicious files and Web content into enterprise environments without having them marked as untrusted. "This vulnerability is not exploitable on its own," Breen said "and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing on compromised websites."