Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild.
Of the 90 bugs, nine are rated Critical, 80 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month.
The Patch Tuesday updates are notable for addressing six actively exploited zero-days –
CVE-2024-38213, which allows attackers to bypass SmartScreen protections, requires an attacker to send the user a malicious file and convince them to open it. Credited with discovering and reporting the flaw is Trend Micro’s Peter Girnus, suggesting that it could be a bypass for CVE-2024-21412 or CVE-2023-36025, which were previously exploited by DarkGate malware operators.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaws to its Known Exploited Vulnerabilities (KEV) catalog, which obligates federal agencies to apply the fixes by September 3, 2024.
Four of the below CVEs are listed as publicly known –
“An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email,” Scott Caveza, staff research engineer at Tenable, said about CVE-2024-38200.
“Successful exploitation of the vulnerability could result in the victim exposing New Technology Lan Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker’s foothold into an organization.”
The update also addresses a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), which allows an attacker to gain SYSTEM privileges. “Successful exploitation of this vulnerability requires an attacker to win a race condition,” Microsoft said.
Another vulnerability of note is CVE-2024-38173 (CVSS score: 6.7), a remote code execution flaw affecting Microsoft Outlook that requires an attacker or victim to execute code from the local machine in order to successfully exploit it.
Cybersecurity company Morphisec, which discovered and reported the flaw in June 2024, described it as similar to CVE-2024-30103 and a zero-click vulnerability that “does not require user interaction on systems with Microsoft’s auto-open email feature enabled.”
That said, Microsoft has yet to release updates for CVE-2024-38202 and CVE-2024-21302, which could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.
The disclosure follows a report from Fortra about a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) that could cause a system crash, resulting in a Blue Screen of Death (BSoD).
When reached for comment, a Microsoft spokesperson told The Hacker News that the issue “does not meet the bar for immediate servicing under our severity classification guidelines and we will consider it for a future product update.”
“The technique described requires an attacker to have already gained code execution capabilities on the target machine and it does not grant elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by the user,” the spokesperson added.
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
In a statement shared with The Hacker News, Trend Micro said CVE-2024-38213 is not a bypass of CVE-2024-21412 and that any file on a WebDAV share is affected by the vulnerability.
“CVE-2024-38213 is a great example of how we leveraged finding zero-days in the wild to inform how we conduct additional security research,” the company said in a statement. “This case also highlights how narrow or insufficient patches can be a security nightmare.”
CVE-2024-38213, which has been codenamed copy2pwn, “results in a file from a WebDAV share being copied locally without Mark of the Web protections,” the Zero Day Initiative (ZDI) said, stating it was exploited by DarkGate operators.
“Files copied and pasted from WebDAV shares did not receive the Mark of the Web designations. This meant that users might copy and paste files from a WebDAV share to their desktop, and those files could subsequently be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View.”
(The story was updated after publication to include information about the nature of attacks exploiting CVE-2024-38213.)
LUCR-3 is exploiting cloud vulnerabilities at an alarming rate. Join our webinar to learn how to protect your SaaS and cloud environments.
Learn how Global-e’s CISO used DSPM to eliminate shadow data risks and protect critical information.
Get the latest news, expert insights, exclusive resources, and strategies from industry leaders – all for free.
