Microsoft has released its Patch Tuesday updates to resolve a total of 90 security vulnerabilities, including 10 zero-days, six of which are already actively exploited in the wild.
All the critical (and non-critical) bugs fixed by Microsoft this month
Of the 90 bugs, seven are classified as Critical, 79 as Important and one as Moderate in terms of severity. This is in addition to the 36 vulnerabilities that the tech giant has fixed in its Edge browser since last month.
The Patch Tuesday updates are particularly relevant for addressing six actively exploited zero-days:
- CVE-2024-38189 (CVSS Score: 8.8) – Remote Code Execution Vulnerability in Microsoft Project
- CVE-2024-38178 (CVSS Score: 7.5) – Memory Corruption Vulnerability in Windows Scripting Engine
- CVE-2024-38193 (CVSS Score: 7.8) – Elevation of Privilege Vulnerability in Windows Helper Driver for WinSock
- CVE-2024-38106 (CVSS Score: 7.0) – Elevation of Privilege Vulnerability in Windows Kernel
- CVE-2024-38107 (CVSS Score: 7.8) – Elevation of Privilege Vulnerability in Windows Power Dependency Coordinator
- CVE-2024-38213 (CVSS Score: 6.5) – Windows “Mark of the Web” Security Feature Bypass Vulnerability
Microsoft Windows SmartScreen Problems
CVE-2024-38213, which allows attackers to bypass SmartScreen protections, requires an attacker to send a user a malicious file and convince them to open it. The discovery and reporting of this vulnerability is attributed to Peter Girnus of Trend Micro, suggesting that it could be a bypass for CVE-2024-21412 or CVE-2023-36025, previously exploited by the operators of the DarkGate malware.
This development has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 3, 2024.
More Microsoft fixes on the horizon
Four of the following CVEs are listed as publicly known:
- CVE-2024-38200 (CVSS Score: 7.5) – Microsoft Office Spoofing Vulnerability
- CVE-2024-38199 (CVSS Score: 9.8) – Remote Code Execution Vulnerability in Windows Line Printer Daemon (LPD) Service
- CVE-2024-21302 (CVSS Score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability
- CVE-2024-38202 (CVSS Score: 7.3) – Elevation of Privilege Vulnerability in Windows Update Stack
“An attacker could exploit this vulnerability by tricking a victim into accessing a specially crafted file, possibly via a phishing email,” said Scott Caveza, Tenable research engineer, regarding CVE-2024-38200, adding: “Successful exploitation of the vulnerability could result in the victim exposing New Technology LAN Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further extend the attacker’s position within an organization.”
The update also addresses a privilege escalation vulnerability in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), which allows an attacker to gain SYSTEM privileges. “Successful exploitation of this vulnerability requires an attacker to win a race condition,” Microsoft said.
That said, Microsoft has not yet released updates for CVE-2024-38202 and CVE-2024-21302, which could be abused to orchestrate downgrade attacks against the Windows update architecture and replace current versions of operating system files with older versions.
The disclosure follows a report from Fortra on a denial-of-service (DoS) vulnerability in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) which may cause a system crash, resulting in a Blue Screen of Death (BSoD).
When contacted for comment, a Microsoft spokesperson said the issue “does not meet the requirements for immediate service according to our severity classification guidelines and we will consider this for a future product update.”
“The technique described requires that an attacker has already acquired code execution capabilities on the target machine and does not grant elevated permissions. We encourage customers to practice good online computing habits, including exercising caution when running programs that are not recognized by the user,” added the spokesperson.
Software patches from other vendors
In addition to Microsoft, other vendors that “adapt” to the Redmond giant’s patches have recently released security updates to correct various vulnerabilities, including: