Microsoft Fixes Four Actively Exploited Zero-Days

Microsoft heaped more work onto sysadmins this week after fixing four zero-day vulnerabilities being actively exploited in the wild.

First on the list is CVE-2024-43491 – a CVSS 9.8 remote code execution (RCE) bug in Microsoft Windows Update which requires no privileges or user interaction and has low attack complexity.

“This vulnerability emerged due to a rollback of fixes for certain previously mitigated vulnerabilities following the installation of security updates from March to August 2024,” explained Action1 president, Mike Walters. “This rollback inadvertently occurred due to a code defect in the servicing stack triggered by build version numbers.”

Next is CVE-2024-38014, an “important”-rated elevation of privilege (EoP) vulnerability that stems from improper privilege management in Windows Installer.

Given the importance of Windows Installer, this could impact thousands of enterprises and millions of devices, said Walters.

“Successful exploitation grants system privileges, allowing full control over the host system, including system modifications, arbitrary software installations and potentially disabling security measures,” he added.

“When combined with other attack vectors, this EoP vulnerability can enable sophisticated and damaging intrusion campaigns, allowing attackers to potentially navigate through defenses and achieve administrative control.”

Third on the zero-day list is CVE-2024-38217, the only one this month to have been publicly disclosed. Although disclosed last month, this Windows Mark of the Web (MoTW) security feature bypass vulnerability may have been exploited since 2018.

Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit, explained that similar MoTW bypasses have been linked to ransomware attacks in the past.

“This vulnerability allows an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources,” he added.

“Given the exploit’s public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks. Enterprises must prioritize patch management and educate users on the risks of downloading files from untrusted sources to mitigate the exploitation of such vulnerabilities.”

The final zero-day addressed in this month’s Patch Tuesday is CVE-2024-38226 – a Microsoft Publisher security feature bypass bug, which allows threat actors to circumvent security protections against embedded macros in downloaded documents.

Unusually, Microsoft didn’t explain how the flaw is being exploited in the wild.
