Microsoft Releases Security Updates Addressing 90 Vulnerabilities, Including 6 Zero-Days

Microsoft has issued security updates addressing 90 vulnerabilities, including 10 classified as zero-day vulnerabilities. Notably, 6 of these zero-day vulnerabilities have already been exploited in active attacks.

Out of the 90 vulnerabilities, 7 are rated as Critical, 79 as Important, and one is of moderate severity. These updates follow 36 vulnerabilities patched in Microsoft’s Edge browser since the beginning of last month.

Highlighted Zero-Day Vulnerabilities

Among the six zero-day vulnerabilities, here are the key ones:

• CVE-2024-38189 (CVSS score: 8.8) – Microsoft Project Remote Code Execution Vulnerability
• CVE-2024-38178 (CVSS score: 7.5) – Windows Scripting Engine Memory Corruption Vulnerability
• CVE-2024-38193 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
• CVE-2024-38106 (CVSS score: 7.0) – Windows Kernel Elevation of Privilege Vulnerability
• CVE-2024-38107 (CVSS score: 7.8) – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
• CVE-2024-38213 (CVSS score: 6.5) – Windows Mark of the Web Security Feature Bypass Vulnerability

Key Vulnerabilities Exploited in the Wild

One of the critical vulnerabilities, CVE-2024-38213, allows attackers to bypass SmartScreen protections by convincing users to open a malicious file. Peter Girnus from Trend Micro discovered this vulnerability, suggesting it could bypass protections from previously exploited vulnerabilities like CVE-2024-21412 or CVE-2023-36025, which were used by DarkGate malware operators.

You might be interested in: Hackers Exploit Roundcube Webmail Flaws

Given these exploits, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, with a mandate that federal agencies apply the patches by September 3, 2024.

Publicly Known Vulnerabilities

Four other vulnerabilities have been publicly disclosed:

• CVE-2024-38200 (CVSS score: 7.5) – Microsoft Office Spoofing Vulnerability
• CVE-2024-38199 (CVSS score: 9.8) – Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
• CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
• CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability

According to Scott Caveza from Tenable, CVE-2024-38200 could enable attackers to steal NTLM hashes from victims, facilitating more severe attacks like NTLM relay or pass-the-hash.

Additionally, Microsoft patched a privilege escalation flaw in the Print Spooler component (CVE-2024-38198), which could allow attackers to gain SYSTEM privileges.

Unpatched Vulnerabilities and Vendor Responses

Microsoft has not yet released patches for CVE-2024-38202 and CVE-2024-21302, which could potentially be used to downgrade the Windows update process, replacing newer system files with older versions.

In response to a denial-of-service (DoS) vulnerability in the Common Log File System (CLFS) driver (CVE-2024-6768), Microsoft stated that the issue does not meet the criteria for immediate action but may be addressed in future updates. This vulnerability could cause system crashes, leading to a Blue Screen of Death (BSOD) scenario.

Microsoft advises users to maintain good security practices, such as avoiding running untrusted programs, to mitigate potential risks.

Third-Party Software Updates

Other vendors have also released security patches recently, including Adobe, Apple, Cisco, Google, HP, Intel, SAP, and many others. These updates cover a wide range of vulnerabilities across various platforms, highlighting the importance of keeping all systems up-to-date to ensure security.

Keeping software updated is crucial, as these patches close off vulnerabilities that could otherwise be exploited by attackers.