Patch Tuesday Roundup, August 2024


Rapid7 Principal Software Engineer Adam Barnett discusses the latest vulnerabilities patched by Microsoft, several of which are already being exploited in the wild.

Microsoft is addressing 88 vulnerabilities this August 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for 10 of the vulnerabilities published today (August 14), which is significantly more than usual. At the time of writing, all six of the known-exploited vulnerabilities patched today are listed in CISA KEV. Microsoft is also patching five critical remote code execution (RCE) vulnerabilities. Eleven browser vulnerabilities have already been published separately this month and are not included in the total.

Patch Tuesday watchers will know that today's haul of four publicly disclosed vulnerabilities and six more exploited in the wild is much larger than usual. We will first address the vulnerabilities where there is public disclosure and, in one case, no patch yet available: the headline-grabbing Windows operating system downgrade attacks disclosed at Black Hat last week. We will then examine the vulnerabilities published today that Microsoft already knows to be exploited.

First things first: what if your patched Windows asset were suddenly unpatched, hypervisor included? That was the question asked and answered in a Black Hat talk by SafeBreach last week. In response, Microsoft has published two advisories. Microsoft was first notified of these vulnerabilities in February 2024, and the advisories acknowledge that the Black Hat talk was “appropriately coordinated with Microsoft.”

CVE-2024-38202 describes an elevation of privilege vulnerability in the Windows Update Stack. Exploitation requires an attacker to convince an administrative user to perform a system restore; unusual, certainly, but social engineers can achieve many things. Microsoft optimistically assesses exploitation as less likely. The advisory does not explain how a user with only basic privileges can modify the system directory of the target asset, which is necessary to plant the malicious system restore files, although the SafeBreach report explains the flaw in detail. No patch is available yet, although the advisory indicates that a security update is being developed to mitigate the threat. Microsoft offers several recommended actions, which do not mitigate the vulnerability but can at least raise additional barriers to exploitation and provide useful visibility into the attack surface and exploitation attempts. One possible outcome of exploitation is that an attacker could modify the Windows integrity and repair utility so that it no longer detects corruption of Windows system files.

CVE-2024-21302 is the second half of the pair of downgrade attacks discovered by SafeBreach. Exploitation allows an attacker with administrator privileges to replace updated Windows system files with older versions and thus reintroduce vulnerabilities in Virtualization Based Security (VBS). Patches are available; however, defenders should note that the patch does not automatically remediate assets, but instead ships a Microsoft-signed revocation policy, which carries the risk of a boot loop if it is applied and then incorrectly rolled back. Important guidance is available in KB5042562: Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates.
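Before applying a revocation policy that can brick a host if mishandled, it helps to know which assets actually depend on VBS. The following PowerShell is an added example for that triage step; it is not code from the Rapid7 post or from KB5042562. It reads the documented Win32_DeviceGuard CIM class; the value meanings in the comments are Microsoft's, while the NeedsVbsReview rule (only hosts with VBS running warrant the KB5042562 review) is this example's own assumption.

```powershell
# Added example: report the VBS posture of the local host via the
# Win32_DeviceGuard CIM class (namespace root\Microsoft\Windows\DeviceGuard).
# Run in an elevated PowerShell session on Windows 10/11 or Server 2016+.

function Get-VbsPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Documented VirtualizationBasedSecurityStatus values.
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # SecurityServicesRunning is an array of service IDs; 1 and 2 are the ones
    # a downgrade of VBS components would most obviously undermine.
    $svcNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $running  = @($dg.SecurityServicesRunning | ForEach-Object {
        if ($svcNames.ContainsKey([int]$_)) { $svcNames[[int]$_] } else { "service $_" }
    })
    $svcText = if ($running.Count) { $running -join ', ' } else { 'none' }

    [PSCustomObject]@{
        Host            = $env:COMPUTERNAME
        VbsStatus       = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning = $svcText
        # Assumption for triage: only hosts actually running VBS need the
        # KB5042562 revocation policy reviewed; others just take the regular patch.
        NeedsVbsReview  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

Get-VbsPosture | Format-List
```

Run it through your remote-execution tooling of choice and collect the NeedsVbsReview column; a host reporting VBS as "Running" with HVCI or Credential Guard in the services list is exactly the kind of asset the downgrade attack targets, and also the kind where a botched rollback of the revocation policy hurts most.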

Moving on to known-exploited vulnerabilities: the Windows Ancillary Function Driver for WinSock (afd.sys) receives a patch for CVE-2024-38193, an elevation of privilege vulnerability exploited in the wild. Successful exploitation proceeds via a use-after-free memory management error and results in SYSTEM privileges. The advisory provides no further clues, but with an exploit already in existence, low attack complexity, no user interaction, and only low privileges required, this is one to patch immediately.

Continuing with in-the-wild exploited vulnerabilities that come with minimalist advisories: CVE-2024-38107 also leads to SYSTEM privileges, through abuse of the Windows Power Dependency Coordinator, which lets Windows machines resume from sleep almost instantly. Of course, nothing comes for free: this vulnerability requires no user interaction, has low attack complexity, and requires only low privileges. Patch all your Windows assets as soon as possible.

Continuing with the theme of in-the-wild exploited elevation to SYSTEM: CVE-2024-38106 requires an attacker to win a race condition and is classified under CWE-591: Sensitive Data Storage in Improperly Locked Memory. Although the advisory for CVE-2024-38106 offers no further detail, a reasonable assumption is that the vulnerability resembles CVE-2023-36403, where exploitation relied on a flaw in how the Windows kernel handled locking for registry virtualization, the mechanism that lets Windows redirect global-impact registry reads and writes to per-user locations to support legacy applications that are not UAC-aware. Curiously, Windows Server 2012 does not receive a patch for CVE-2024-38106, so either the vulnerability was introduced in a later codebase or Microsoft hopes attackers don't notice.

CVE-2024-38213 describes a Mark of the Web (MotW) security feature bypass affecting all current Windows products. An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about a file downloaded from the Internet that Windows has tagged with MotW. CVE-2024-38213 likely offers less utility to attackers than the very similar SmartScreen bypass published in February 2024, since, unlike this month's offering, the advisory for CVE-2024-21351 also described the possibility of code injection into SmartScreen itself. The lower CVSSv3 base score for CVE-2024-38213 reflects that difference.
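Because MotW is what SmartScreen keys off, a useful triage question after a bypass like this is simply "which files on this host carry the mark, and which do not?" The PowerShell below is an added example (not code from the Rapid7 post or from Microsoft) that answers it by reading the Zone.Identifier alternate data stream where Windows stores the mark. The two demo files it creates are constructed stand-ins, not real downloads; ZoneId=3 is the Internet zone that triggers the SmartScreen prompt.

```powershell
# Added example: inspect the Mark of the Web on files. Windows records the mark
# as an NTFS alternate data stream named Zone.Identifier; ZoneId=3 (Internet)
# is what makes SmartScreen and Office Protected View engage.

function Get-MotwStatus {
    param([Parameter(Mandatory)] [string] $Path)   # folder to scan

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $file = $_
        # Read the stream directly; a file without MotW has no such stream,
        # which surfaces as a (suppressed) ItemNotFound error and $null content.
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                           -ErrorAction SilentlyContinue
        $zoneId = $null; $refUrl = $null
        foreach ($line in @($ads)) {
            if     ($line -match '^ZoneId=(\d+)$')     { $zoneId = [int]$Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$') { $refUrl = $Matches[1] }
        }
        [PSCustomObject]@{
            File        = $file.Name
            HasMotW     = [bool]$ads
            ZoneId      = $zoneId   # 0 LocalMachine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
            ReferrerUrl = $refUrl
        }
    }
}

# Constructed demo data (not real downloads): one file marked the way a browser
# download would be, one with no mark at all.
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'report.docx') -Value 'stand-in content'
Set-Content -LiteralPath (Join-Path $demo 'report.docx') -Stream 'Zone.Identifier' `
            -Value @('[ZoneTransfer]', 'ZoneId=3', 'ReferrerUrl=https://example.invalid/')
Set-Content -LiteralPath (Join-Path $demo 'invoice.lnk') -Value 'stand-in content'   # unmarked

Get-MotwStatus -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point Get-MotwStatus at a user's Downloads folder to see the same picture on a real host. Note the limits: a bypass such as CVE-2024-38213 may mean the mark was never written or was ignored, so an unmarked file is a triage lead rather than proof of anything, and the stream only exists on NTFS volumes.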

Although the Edge RCE vulnerability CVE-2024-38178 is already known to be exploited in the wild, it probably won't top anyone's list of concerns this month. The advisory clarifies that a successful exploit requires the attacker not only to convince a user to click a malicious link, but first to prepare the target asset to use Edge in Internet Explorer mode. IE mode provides backward compatibility so that users can view legacy websites that rely on the fascinating idiosyncrasies of Internet Explorer; these sites are typically served by legacy enterprise web applications, which goes a long way toward explaining Microsoft's continued motivation to keep Internet Explorer alive in some form. If it is not already enabled on the target asset, the attacker would have to modify the Edge configuration to enable the “Allow sites to be reloaded in Internet Explorer mode” setting. Exploitation would then involve convincing the user to open an Internet Explorer mode tab within Edge and then open the malicious URL. The fix is delivered by patching Windows itself; all current versions of Windows are affected.

Rounding out this month's half-dozen exploited-in-the-wild vulnerabilities is CVE-2024-38189, which describes RCE in Microsoft Project. Exploitation requires an attacker to convince the user to open a malicious file, and is only possible when the “Block macros from running in Office files from the Internet” policy is disabled (it is enabled by default) and the “VBA Macro Notification Settings” option is set to a sufficiently low level. Happily, the Preview Pane is not an attack vector in this case.
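Both of the last two advisories, CVE-2024-38178 (Edge IE mode) and CVE-2024-38189 (Project macros), hinge on configuration that an attacker needs to be in place before the exploit can work. The PowerShell below is an added example (not Microsoft's or Rapid7's code) that audits those preconditions from the registry. The Edge policy names are the documented InternetExplorerIntegrationLevel and InternetExplorerIntegrationReloadInIEModeAllowed values; the Office key names follow the Office ADMX templates, and the "MS Project" subkey under the 16.0 version path is an assumption for a current Microsoft 365 install that should be verified against your environment.

```powershell
# Added example: audit the configuration preconditions named in the
# CVE-2024-38178 and CVE-2024-38189 advisories. Registry key/value names for
# Project ("MS Project", 16.0) are assumptions based on the Office ADMX templates.

function Get-RegDword {
    param([string] $Key, [string] $Name)
    # Returns the DWORD, or $null when the key or value does not exist.
    try { (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ExploitPreconditions {
    $findings = @()

    # --- CVE-2024-38178: Edge must be allowed to reload sites in IE mode ---
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $edge   = "$hive\SOFTWARE\Policies\Microsoft\Edge"
        $level  = Get-RegDword $edge 'InternetExplorerIntegrationLevel'               # 1 = IE mode on
        $reload = Get-RegDword $edge 'InternetExplorerIntegrationReloadInIEModeAllowed'  # 1 = reload allowed
        $findings += [PSCustomObject]@{
            Check   = "Edge IE mode policy ($hive)"
            Setting = "IntegrationLevel=$level ReloadInIEModeAllowed=$reload"
            Exposed = ($level -eq 1 -and $reload -eq 1)
        }
    }

    # --- CVE-2024-38189: Internet-macro block disabled and VBA warnings lowered ---
    $projPolicy = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\MS Project\Security'
    $projUser   = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\MS Project\Security'

    # 0 = block explicitly disabled; absent = Office's default (block) applies.
    $block = Get-RegDword $projPolicy 'blockcontentexecutionfrominternet'
    if ($null -eq $block) { $block = Get-RegDword $projUser 'blockcontentexecutionfrominternet' }

    # VBAWarnings: 1 = enable all (no prompt), 2 = disable with notification
    # (default when unset), 3 = signed only, 4 = disable all without notification.
    $vba = Get-RegDword $projPolicy 'VBAWarnings'
    if ($null -eq $vba) { $vba = Get-RegDword $projUser 'VBAWarnings' }
    if ($null -eq $vba) { $vba = 2 }

    $findings += [PSCustomObject]@{
        Check   = 'Project macro settings'
        Setting = "blockcontentexecutionfrominternet=$block VBAWarnings=$vba"
        # Exposed when the Internet block is off and macros either run silently (1)
        # or the user is merely prompted and can click through (2).
        Exposed = ($block -eq 0 -and $vba -le 2)
    }
    $findings
}

Test-ExploitPreconditions | Format-Table -AutoSize
```

Two caveats on reading the output: the Edge check only covers policy-managed state, not the per-user toggle in edge://settings, so a blank result there means "not forced by policy", not "disabled"; and the macro check treats VBAWarnings=2 as exposed because the advisory's "sufficiently low level" includes a user who clicks Enable Content when prompted.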

As something of an olive branch to defenders who may now be looking with concern at their to-do list, Microsoft has not published any SharePoint or Exchange vulnerabilities this month.

In Microsoft product lifecycle news, all versions of Visual Studio for Mac are retired as of August 31, 2024 and will no longer receive any updates, including security patches, after that date. The URL seems to anticipate that some people will have questions: https://learn.microsoft.com/en-us/visualstudio/mac/what-happened-to-vs-for-mac. Microsoft suggests the C# Dev Kit for Visual Studio Code as a possible alternative.
