Microsoft Fixes Nine Zero-Days on Patch Tuesday

Microsoft fixed nine zero-day vulnerabilities on its August Patch Tuesday yesterday, including six that have been exploited in the wild.

These include a Windows Mark of the Web (MotW) security feature bypass bug (CVE-2024-38213), which is similar to a SmartScreen bypass published in February.

“An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW,” explained Rapid7 lead software engineer, Adam Barnett.

The other actively exploited zero-days fixed by Microsoft are:

  • CVE-2024-38178: A scripting engine memory corruption vulnerability which requires an attacker to trick a user into clicking a malicious link while they are using Edge in Internet Explorer mode
  • CVE-2024-38193: A Windows Ancillary Function Driver for WinSock elevation of privilege (EoP) vulnerability which has low attack complexity, requires no user interaction, and could grant attackers SYSTEM privileges
  • CVE-2024-38106: A Windows Kernel EoP flaw which requires an attacker to win a race condition
  • CVE-2024-38107: A Windows Power Dependency Coordinator EoP bug which requires no user interaction and only low privileges, and has low attack complexity
  • CVE-2024-38189: A Microsoft Project remote code execution (RCE) vulnerability which requires security features to be disabled for exploitation

Microsoft also fixed three zero-days that have been publicly disclosed but are not actively exploited: CVE-2024-38199 is an RCE bug in Windows Line Printer Daemon; CVE-2024-21302 is an EoP flaw in Windows Secure Kernel Mode; and CVE-2024-38200 is a Microsoft Office spoofing vulnerability.

A fourth, CVE-2024-38202, is a Windows Update Stack EoP bug for which Microsoft is still working on a patch.

“Patch Tuesday-watchers will know that today’s haul of four publicly disclosed vulnerabilities and six further exploited-in-the-wild vulnerabilities is a much larger batch than usual,” warned Barnett.

All six exploited bugs have been added to the CISA Known Exploited Vulnerability (KEV) database, requiring US federal agencies to patch before September 3.
