Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update

Published: 23/11/2024   Category: security




Attackers are already actively exploiting six of the bugs and four others are public, including one for which Microsoft has no patch yet.



Attackers are actively exploiting as many as six of the 90 vulnerabilities that Microsoft disclosed in its security update for August, making them a top priority for administrators this Patch Tuesday.
Another four CVEs in Microsoft's update were publicly known before the Aug. 13 disclosure, which also makes them zero-days of a sort, even though attackers have not yet begun exploiting them. Among them, an elevation of privilege (EoP) bug in the Windows Update Stack, tracked as CVE-2024-38202, is particularly troubling because Microsoft does not yet have a patch for it.
The unpatched flaw allows an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS), according to Microsoft. The company has assessed the bug as being only of moderate severity because an attacker would need to trick an administrator or user with delegated permissions into performing a system restore.
However, Scott Caveza, staff research engineer at Tenable, says that if an attacker were to chain CVE-2024-38202 with CVE-2024-21302 (an EoP flaw in the current update that affects the Windows Secure Kernel), they would be able to roll back software updates without the need for any interaction with a privileged user. "CVE-2024-38202 does require additional interaction by a privileged user, according to Microsoft," he says. "However, the chaining of CVE-2024-21302 allows an attacker to downgrade or roll back software versions without the need for interaction from a victim with elevated privileges."
Caveza says each vulnerability can be exploited separately, but when combined, they could potentially have a more significant impact.
In all, seven of the bugs that Microsoft disclosed this week are rated as critical. The company rated 79 CVEs — including the zero-days that attackers are actively exploiting — as Important, or of medium severity, because they involve some level of user interaction or other requirement for an attacker to exploit. "While this isn't the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), in a blog post.
Two of the vulnerabilities under active attack enable remote code execution (RCE) on affected systems. One of them, CVE-2024-38189, is an RCE flaw in Microsoft Project that impacts organizations that have disabled the VBA Macro Notification Settings on their systems. In these situations, an attacker could execute arbitrary code remotely if they are able to convince a user to open a malicious Microsoft Office Project file. "It's definitely odd to see a code execution bug in Project, but not only do we have one here, it's being exploited in the wild," Childs said. "For the most part, this is your typical open-and-own bug, but in this case, the target allows macros to run from the Internet."
The other zero-day RCE in Microsoft's latest update is CVE-2024-38178, a memory corruption vulnerability in the Windows Scripting Engine (Script Host). Successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode: "The user would have to click on a specially crafted URL to be compromised by the attack," Microsoft said.
Kev Breen, senior director of threat research at Immersive Labs, said that while IE Mode is not the default for most users currently, the fact that attackers are actively exploiting the flaw suggests that there are organizations using this configuration. "Internet Explorer Mode is used where old websites or applications were built specifically for Internet Explorer and are not supported by modern HTML5 browsers like Chromium-based browsers," Breen said in an emailed statement. "For these sites and applications, organizations or users can enable this legacy mode to maintain compatibility with these applications, and thus could be at risk via the newly disclosed flaw."
Three of the zero-days in this update that attackers are actively exploiting — CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 — enable an attacker to elevate privileges to system admin status.
Among them, CVE-2024-38106 is especially serious because it exists in the Windows Kernel. "The fundamental issue with CVE-2024-38106 stems from a race condition combined with improper memory handling within the Windows Kernel," said Mike Walters, president and CEO of Action1, in emailed comments. "Sensitive data, which should be secured in locked memory, is instead vulnerable in a region accessible and modifiable, if an attacker can win a race condition with precise timing."
CVE-2024-38107 in Windows Power Dependency Coordinator and CVE-2024-38193 in the Windows Ancillary Function Driver for WinSock also enable attackers to gain system-level privileges. "The three EoP flaws impact different core components of the OS," Breen said. "An attacker would already need to have gained code execution on the victim machine, either through lateral movement or another exploit, for example, a malicious document, to take advantage of the flaws."
The other zero-day under active exploit is CVE-2024-38213, a flaw that allows attackers to bypass Windows Mark of the Web (MoTW) security protections. The flaw resembles earlier MoTW vulnerabilities and gives attackers a way to sneak malicious files and Web content into enterprise environments without having them marked as untrusted. "This vulnerability is not exploitable on its own," Breen said, "and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing on compromised websites."
