Scheduled updates for Microsoft products fix 90 vulnerabilities, including ten zero-day vulnerabilities

Threat ID:CC-4537

Threat Severity:Medium

Published:14 August 2024 1:15 PM

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows Server

Microsoft Office

The following platforms are also known to be affected:

.NET and Visual Studio
Azure Connected Machine Agent
Azure CycleCloud
Azure Health Bot
Azure IoT SDK
Azure Stack
Microsoft Dynamics
Microsoft Office Excel
Microsoft Office Outlook
Microsoft Office PowerPoint
Microsoft Office Project
Microsoft Office Visio
Microsoft Teams
Windows BitLocker
Windows Kerberos
Windows Secure Boot
Windows Security Center
Windows SmartScreen
Visual Studio

Threat details

Active zero-day exploitation of six vulnerabilities

Microsoft has reported that six vulnerabilities are under active exploitation. These are:

CVE-2024-38189 (Microsoft Project Remote Code Execution)
CVE-2024-38178 (Scripting Engine Memory Corruption)
CVE-2024-38193 (Windows Ancillary Function Driver for WinSock Elevation of Privilege)
CVE-2024-38106 (Windows Kernel Elevation of Privilege)
CVE-2024-38107 (Windows Power Dependency Coordinator Elevation of Privilege)
CVE-2024-38213 (Windows Mark of the Web Security Feature Bypass)

Introduction

Microsoft has released security updates to address 90 vulnerabilities in Microsoft products. The security updates include ten zero-day vulnerabilities, of which six are actively exploited vulnerabilities and four are publicly disclosed vulnerabilities.

Vulnerability details

CVE-2024-38189 - Microsoft Project Remote Code Execution Vulnerability

CVE-2024-38189 is an 'improper input validation' vulnerability in Microsoft Project with a CVSSv3 score of 8.8. Successful exploitation by a remote attacker requires user interaction through opening a malicious Microsoft Office Project file and could lead to arbitrary code execution. This vulnerability is under active exploitation as a zero-day.

CVE-2024-38178 - Scripting Engine Memory Corruption Vulnerability

CVE-2024-38178 is a 'type confusion' vulnerability in Scripting Engine with a CVSSv3 score of 7.5. Successful exploitation by a remote attacker requires user interaction through clicking a malicious link in Microsoft Edge when in 'Internet Explorer' mode. This vulnerability is under active exploitation as a zero-day.

CVE-2024-38193 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2024-38193 is a 'use-after-free' vulnerability in the Ancillary Function Driver for WinSock with a CVSSv3 score of 7.8. Successful exploitation by a local attacker could lead to privilege escalation under the context of SYSTEM. This vulnerability is under active exploitation as a zero-day.

CVE-2024-38106 - Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-38106 is a 'sensitive data storage in improperly locked memory' vulnerability in the Windows Kernel with a CVSSv3 score of 7.0. Successful exploitation by a local attacker requires winning a race condition, and could lead to privilege escalation under the context of SYSTEM. This vulnerability is under active exploitation as a zero-day.

CVE-2024-38107 - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability

CVE-2024-38107 is a 'use-after-free' vulnerability in the Windows Power Dependency Coordinator with a CVSSv3 score of 7.8. Successful exploitation by a local attacker could lead to privilege escalation under the context of SYSTEM. This vulnerability is under active exploitation as a zero-day.

CVE-2024-38213 - Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38213 is a 'protection mechanism failure' vulnerability in the Mark of the Web security feature with a CVSSv3 score of 6.5. Successful exploitation by an attacker could allow malicious files to bypass the Windows SmartScreen user experience. This vulnerability is under active exploitation as a zero-day.

CVE-2024-38063 - Windows TCP/IP Remote Code Execution Vulnerability

CVE-2024-38063 is an 'integer underflow' vulnerability in Microsoft Windows with a CVSSv3 score of 9.8. Successful exploitation by a remote, unauthenticated attacker requires crafting a malicious IPv6 packet, and could lead to arbitrary code execution.

CVE-2024-38200 - Microsoft Office Spoofing Vulnerability

CVE-2024-38200 is an 'exposure of sensitive information to an unauthorised actor' vulnerability in Microsoft Office with a CVSSv3 score of 6.5. Successful exploitation by a remote attacker requires user interaction and could lead to the theft of NT LAN Manager (NTLM) hashes.

Multiple Microsoft Office Remote Code Execution Vulnerabilities

Additionally, there are five remote code execution vulnerabilities in Microsoft Office products. Successful exploitation by a remote attacker requires user interaction through opening a malicious file and could lead to arbitrary code execution. These vulnerabilities are:

CVE-2024-38170 and CVE-2024-38172 in Microsoft Excel
CVE-2024-38169 in Microsoft Office Visio
CVE-2024-38173 in Microsoft Outlook. The 'Preview Pane' in Microsoft Outlook is an attack vector for this vulnerability.
CVE-2024-38171 in Microsoft PowerPoint. The 'Preview Pane' in Microsoft Outlook is an attack vector for this vulnerability.