Date: 2024-08-14

On August Patch Tuesday, Microsoft addressed six zero-days that were actively exploited. Admins should have little difficulty getting most of them addressed quickly.

Microsoft released updates for 83 new CVEs in its software products and republished 12 non-Microsoft CVEs on August Patch Tuesday. This month's patch release also addressed seven previously released vulnerabilities that required additional updates. More than half of the vulnerabilities affect the Windows operating system.

"The Windows OS is where five of the six zero-day vulnerabilities are and one of the two public disclosures, so that simplifies things for most people," said Chris Goettl, vice president of security product management at Ivanti, to TechTarget Editorial. "You have to get the OS update done and then the Microsoft Office update, and you've taken care of the majority of your risk in one easy swoop."

The first zero-day is a Microsoft Project remote-code execution vulnerability (CVE-2024-38189) rated important with a CVSS score of 8.8 that affects all Microsoft Office editions. The attack requires the victim to open a malicious Project file and have certain Office macro protections disabled to let the attacker remotely execute code.

"If organizations are not controlling the policies on devices, such as a BYOD situation, and have these types of settings configured properly, then an attacker could exploit this vulnerability," Goettl said.

The next zero-day is a Windows Power Dependency Coordinator elevation-of-privilege vulnerability (CVE-2024-38107), rated important with a CVSS score of 7.8. This bug affects all currently supported versions of Windows Server and desktop systems. The exploit depends on user interaction and requires the user to click on a specially crafted URL.

The next zero-day is a Windows Kernel elevation-of-privilege vulnerability (CVE-2024-38106), rated important with a CVSS ranking of 7.0, that affects several Windows Server and desktop versions. The exploit requires the threat actor to win a race condition, which would then give the attacker system privileges or complete control of the device.

The next zero-day is a Windows Mark-of-the-Web (MOTW) security feature bypass vulnerability (CVE-2024-38213), rated moderate with a 6.5 CVSS score. MOTW is a protection in Windows that indicates content came from outside the local trusted network, such as the internet. The attacker can bypass the SmartScreen user experience, which has several built-in security capabilities, by sending the user a malicious file and convincing them to open it.

"Even though it's rated moderate, because there are attacks in the wild that have taken advantage of this, that's when risk-based prioritization overtakes the vendor severity rating," Goettl said.

The next zero-day is CVE-2024-38193, a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability, rated important with a CVSS rating of 7.8. This flaw affects all Windows desktop systems and the server OS going back to Windows Server 2008.

An attacker must be on the local network but does not need user interaction. A successful exploit would give the threat actor system privileges or complete ownership of the targeted system.

The last zero-day is a Scripting Engine memory corruption vulnerability (CVE-2024-38178), rated important with a CVSS score of 7.5. This flaw requires an authenticated user to click a specially crafted link while in Internet Explorer mode in the Microsoft Edge browser to initiate the remote-code execution.

Goettl said that once an attacker got a basic level of permissions on a system, they could create a link on the user's desktop that the user could click.

"It's more of a statistical game than a real challenge for these threat actors," Goettl said.