Microsoft Patch Tuesday-August 2024


Microsoft patched 90 CVEs in its August 2024 Patch Tuesday release, with seven rated critical, 82 rated as important, and one rated as moderate.

This includes updates for vulnerabilities in Microsoft Office and Components, Microsoft Windows DNS, Windows TCP/IP, Microsoft Teams, Windows Secure Boot, Windows Secure Kernel Mode, Windows Security Center, Windows SmartScreen, Windows App Installer, Windows Scripting, and more.

Microsoft has fixed several classes of flaws across multiple products, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Cross-site Scripting (XSS), Information Disclosure, Security Feature Bypass, and Remote Code Execution (RCE).

| Vulnerability Category | Quantity |
| --- | --- |
| Elevation of Privilege Vulnerability | 34 |
| Remote Code Execution Vulnerability | 28 |
| Information Disclosure Vulnerability | 7 |
| Denial of Service Vulnerability | 6 |
| Spoofing Vulnerability | 5 |
| Security Feature Bypass Vulnerability | 4 |
| Cross-site Scripting Vulnerability | 1 |

Microsoft Copilot Studio Information Disclosure Vulnerability

CVE-2024-38206 is a critical severity information disclosure vulnerability with a CVSSv3 score of 8.5 affecting Microsoft’s Copilot Studio, an AI-powered chatbot. An authenticated attacker could abuse this vulnerability to bypass server-side request forgery (SSRF) protections in order to leak potentially sensitive information. Microsoft released the advisory on August 6, noting that no user action is required as the issue has been patched by Microsoft.

Azure Health Bot Elevation of Privilege Vulnerability

CVE-2024-38109 is a critical severity EoP vulnerability with a CVSSv3 score of 9.1 affecting Azure Health Bot. It stems from an SSRF vulnerability in Azure Health Bot that can be abused to escalate privileges. The issue has been patched by Microsoft and no action is required for users of the Health Bot service.

Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-38106, CVE-2024-38133 and CVE-2024-38153 are EoP vulnerabilities affecting the Windows Kernel. CVE-2024-38133 and CVE-2024-38153 have CVSSv3 scores of 7.8, while CVE-2024-38106 has a CVSSv3 score of 7. Despite the requirement that the attacker win a race condition for successful exploitation, CVE-2024-38106 was reportedly exploited in the wild as a zero-day. CVE-2024-38133 and CVE-2024-38153 were not listed as being exploited. Successful exploitation of these vulnerabilities could allow the attacker to elevate privileges to SYSTEM.

Windows Power Dependency Coordinator Elevation of Privilege Vulnerability

CVE-2024-38107 is an EoP Vulnerability with a CVSSv3 score of 7.8 affecting Windows Power Dependency Coordinator (pdc.sys), a driver responsible for power management on a Windows system. This vulnerability was exploited in the wild as a zero-day, though no specific details about exploitation were available at the time this blog was published.

Scripting Engine Memory Corruption Vulnerability

CVE-2024-38178 is a Scripting Engine memory corruption vulnerability with a CVSSv3 score of 7.5 in Windows Scripting. As a prerequisite for exploitation, an authenticated victim must be using Edge in Internet Explorer Mode; an unauthenticated attacker then has to convince the victim to click a specially crafted URL to obtain RCE.

Microsoft Project Remote Code Execution Vulnerability

CVE-2024-38189 is an RCE vulnerability with a CVSSv3 score of 8.8 affecting Microsoft Project, a project management tool, and was exploited in the wild. Exploitation requires an unsuspecting victim to open a crafted Microsoft Office Project file. Additionally, a successful attack requires that the system have the “Block macros from running in Office files from the Internet” policy disabled and the VBA Macro Notification Settings disabled. Microsoft’s advisory clarifies that the Preview Pane is not an attack vector for this vulnerability and offers mitigation options to protect systems if patching cannot be performed immediately.

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2024-38141 and CVE-2024-38193 are EoP vulnerabilities with CVSSv3 scores of 7.8 affecting the Windows Ancillary Function Driver for WinSock (afd.sys). These can allow an attacker to escalate privileges to SYSTEM. CVE-2024-38141 is rated as “Exploitation More Likely” and CVE-2024-38193 was reported to have been exploited in the wild as a zero-day vulnerability.

Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38213 is a security feature bypass vulnerability with an assigned CVSSv3 score of 6.5. Exploitation of this vulnerability requires a user to open a specially crafted file, which could be hosted on a file server, website or sent via a phishing email. If the attacker is successful in convincing a victim to open this file, they could bypass the Windows SmartScreen user experience. Microsoft has flagged this as “Exploitation Detected” as they are aware of an instance of this vulnerability being exploited.

Windows Update Stack Elevation of Privilege Vulnerability

CVE-2024-38163 and CVE-2024-38202 are both EoP vulnerabilities in Windows Update Stack and were assigned CVSSv3 scores of 7.8 and 7.3 respectively. CVE-2024-38163, if successfully exploited, could result in an attacker gaining SYSTEM privileges. Microsoft has noted that users don’t need to take any action for this vulnerability as it is only exploitable at run time and the impacted version of WinRE has been superseded by a new version.

CVE-2024-38202, which exists in Windows Backup, allows a user with basic privileges to “reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)”. The vulnerability resides in the Windows Update mechanism and could allow unauthorized elevation of privileges by forcing a downgrade of system components. This exposes systems to previously patched exploits, making them susceptible to attacks that leverage these old vulnerabilities. Microsoft has noted that an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful.

Windows TCP/IP Remote Code Execution Vulnerability

CVE-2024-38063 is a critical RCE vulnerability affecting Windows TCP/IP with a CVSSv3 score of 9.8. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host. Microsoft’s suggested mitigation is to disable IPv6, as only IPv6 packets can be abused to exploit this vulnerability.
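
To scope the IPv6 mitigation described above, the following read-only PowerShell inventory lists which adapters on a host have the IPv6 binding enabled and which addresses they hold. It is an added example, not taken from Microsoft's advisory; the function name Get-IPv6Exposure is hypothetical, and it assumes the built-in NetAdapter and NetTCPIP modules.

```powershell
# Added example: read-only inventory of IPv6 bindings per adapter.
# Get-IPv6Exposure is a hypothetical name; nothing on the host is changed.

function Get-IPv6Exposure {
    # ms_tcpip6 is the component ID of the
    # "Internet Protocol Version 6 (TCP/IPv6)" adapter binding.
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        $adapter = Get-NetAdapter -Name $b.Name -ErrorAction SilentlyContinue
        if (-not $adapter) { continue }

        # Only query addresses when the IPv6 binding is actually enabled.
        $addrs = @()
        if ($b.Enabled) {
            $addrs = @(Get-NetIPAddress -InterfaceIndex $adapter.ifIndex `
                        -AddressFamily IPv6 -ErrorAction SilentlyContinue)
        }

        # fe80::/10 addresses are link-local (same network segment only);
        # anything else can be reached through a router.
        $routable = @($addrs | Where-Object { $_.IPAddress -notlike 'fe80*' })

        [pscustomobject]@{
            Adapter       = $b.Name
            Status        = $adapter.Status
            IPv6Bound     = $b.Enabled
            LinkLocalOnly = ($b.Enabled -and $routable.Count -eq 0)
            RoutableIPv6  = ($routable.IPAddress -join ', ')
        }
    }
}

# Adapters with IPv6 bound are listed first.
Get-IPv6Exposure | Sort-Object IPv6Bound -Descending | Format-Table -AutoSize
```

Where patching has to wait, the binding on a listed adapter can be removed with `Disable-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip6`.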

Microsoft Office Spoofing Vulnerability

CVE-2024-38200 is a spoofing vulnerability affecting Microsoft Office with a CVSSv3 score of 6.5. An attacker could leverage this vulnerability with a specially crafted file that a victim would need to interact with. This could be achieved by hosting the file on a file server or website and convincing the victim to click on it, or by including it in a phishing email. Successful exploitation of the vulnerability could result in the victim exposing NTLM hashes to a remote attacker.

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVE-2024-21302 and CVE-2024-38142 are both elevation of privilege vulnerabilities in Windows Secure Kernel. CVE-2024-21302 carries a CVSSv3 score of 6.7 and CVE-2024-38142 a score of 7.8. Successful exploitation of either of these vulnerabilities results in an attacker gaining SYSTEM privileges.

Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

CVE-2024-38199 is an RCE vulnerability with a CVSSv3 score of 9.8 in Windows Line Printer Daemon (LPD) Service. A remote attacker could exploit this across a network by dispatching a specially crafted print task to Windows LPD Service. If successful, it would result in RCE on the server. Microsoft has also noted that it was publicly disclosed prior to a patch being available.

Patch Tuesday Summary

| CVE ID | Title | Severity |
| --- | --- | --- |
| CVE-2024-38109 | Azure Health Bot Elevation of Privilege Vulnerability | Critical |
| CVE-2024-38206 | Microsoft Copilot Studio Information Disclosure Vulnerability | Critical |
| CVE-2024-38166 | Microsoft Dynamics 365 Cross-site Scripting Vulnerability | Critical |
| CVE-2024-38140 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | Critical |
| CVE-2024-38160 | Windows Network Virtualization Remote Code Execution Vulnerability | Critical |
| CVE-2024-38159 | Windows Network Virtualization Remote Code Execution Vulnerability | Critical |
| CVE-2022-3775 | Redhat: CVE-2022-3775 grub2 – Heap based out-of-bounds write when rendering certain Unicode sequences | Critical |
| CVE-2023-40547 | Redhat: CVE-2023-40547 Shim – RCE in HTTP boot support may lead to secure boot bypass | Critical |
| CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability | Critical |
| CVE-2024-38168 | .NET and Visual Studio Denial of Service Vulnerability | Important |
| CVE-2024-38167 | .NET and Visual Studio Information Disclosure Vulnerability | Important |
| CVE-2024-38162 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important |
| CVE-2024-38098 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important |
| CVE-2024-38195 | Azure CycleCloud Remote Code Execution Vulnerability | Important |
| CVE-2024-38158 | Azure IoT SDK Remote Code Execution Vulnerability | Important |
| CVE-2024-38157 | Azure IoT SDK Remote Code Execution Vulnerability | Important |
| CVE-2024-38108 | Azure Stack Hub Spoofing Vulnerability | Important |
| CVE-2024-38201 | Azure Stack Hub Elevation of Privilege Vulnerability | Important |
| CVE-2024-38199 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability | Important |
| CVE-2024-38123 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important |
| CVE-2024-38211 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| CVE-2024-38218 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | Important |
| CVE-2024-38118 | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | Important |
| CVE-2024-38122 | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | Important |
| CVE-2024-38200 | Microsoft Office Spoofing Vulnerability | Important |
| CVE-2024-38084 | Microsoft OfficePlus Elevation of Privilege Vulnerability | Important |
| CVE-2024-38172 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| CVE-2024-38170 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| CVE-2024-38173 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
| CVE-2024-38171 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
| CVE-2024-38189 | Microsoft Project Remote Code Execution Vulnerability | Important |
| CVE-2024-38169 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
| CVE-2024-38134 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38144 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38125 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38197 | Microsoft Teams for iOS Spoofing Vulnerability | Important |
| CVE-2024-38152 | Windows OLE Remote Code Execution Vulnerability | Important |
| CVE-2024-37968 | Windows DNS Spoofing Vulnerability | Important |
| CVE-2024-38141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| CVE-2024-38177 | Windows App Installer Spoofing Vulnerability | Important |
| CVE-2024-38131 | Clipboard Virtual Channel Extension Remote Code Execution Vulnerability | Important |
| CVE-2024-38215 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38196 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38165 | Windows Compressed Folder Tampering Vulnerability | Important |
| CVE-2024-38138 | Windows Deployment Services Remote Code Execution Vulnerability | Important |
| CVE-2024-38150 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
| CVE-2024-38147 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important |
| CVE-2024-38223 | Windows Initial Machine Configuration Elevation of Privilege Vulnerability | Important |
| CVE-2024-38114 | Windows IP Routing Management Snapin Remote Code Execution Vulnerability | Important |
| CVE-2024-38116 | Windows IP Routing Management Snapin Remote Code Execution Vulnerability | Important |
| CVE-2024-38115 | Windows IP Routing Management Snapin Remote Code Execution Vulnerability | Important |
| CVE-2024-29995 | Windows Kerberos Elevation of Privilege Vulnerability | Important |
| CVE-2024-38151 | Windows Kernel Information Disclosure Vulnerability | Important |
| CVE-2024-38133 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| CVE-2024-38127 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| CVE-2024-38153 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| CVE-2024-38106 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| CVE-2024-38187 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38191 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38184 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38186 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38185 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38146 | Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability | Important |
| CVE-2024-38145 | Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability | Important |
| CVE-2024-38161 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important |
| CVE-2024-38132 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important |
| CVE-2024-38126 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important |
| CVE-2024-38135 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important |
| CVE-2024-38117 | NTFS Elevation of Privilege Vulnerability | Important |
| CVE-2024-38107 | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability | Important |
| CVE-2024-38198 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| CVE-2024-38137 | Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability | Important |
| CVE-2024-38136 | Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability | Important |
| CVE-2024-38130 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| CVE-2024-38128 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| CVE-2024-38154 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| CVE-2024-38121 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| CVE-2024-38214 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| CVE-2024-38120 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability | Important |
| CVE-2024-21302 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Important |
| CVE-2024-38142 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Important |
| CVE-2024-38155 | Security Center Broker Information Disclosure Vulnerability | Important |
| CVE-2024-38180 | Windows SmartScreen Security Feature Bypass Vulnerability | Important |
| CVE-2024-38148 | Windows Secure Channel Denial of Service Vulnerability | Important |
| CVE-2024-38202 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| CVE-2024-38163 | Windows Update Stack Elevation of Privilege Vulnerability | Important |
| CVE-2024-38143 | Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | Important |
| CVE-2024-38213 | Windows Mark of the Web Security Feature Bypass Vulnerability | Moderate |
