Sunday, December 22, 2024

Patch Tuesday: 6 Microsoft fixes for flaws already exploited

Must read

Patch Tuesday Microsoft has disclosed 90 flaws in its products – six of which have already been exploited – and four others that are listed as publicly known.

There’s another dozen in the list from third-party vendors that are now included in Microsoft’s monthly update. Happy August Patch Tuesday, folks.

Of the 102 total bugs listed this month, nine are rated critical – but so far none of those seem to have been found and abused by the bad guys.

So let’s start with the six bugs under active exploitation:

CVE-2024-38189 – a Microsoft Project Remote Code Execution Vulnerability with an 8.8 CVSS rating. The bad news is it’s an RCE and was exploited before it issued a fix.

The good news is exploitation requires a couple of security features to be disabled before an attacker can remotely execute code on a victim’s machine. Assuming a criminal can find a system that runs macros downloaded from the internet, and also has the block macros from running in Office files from the internet policy disabled, and convinces a victim to open a malicious file, it’s game over. Obviously, someone has managed to navigate those hoops, although we have no details on the exploitation, or how widespread it is.

CVE-2024-38178 – a Scripting Engine Memory Corruption Vulnerability that earned a 7.5 CVSS. Microsoft says the attack complexity is high on this one, and it requires the victim to use Edge in Internet Explorer Mode. Apparently some orgs and their websites still really like this dead web browser that Microsoft stopped supporting two years ago.

Once Edge is in Internet Explorer mode, if an attacker can convince the victim to click on a specially crafted URL they can execute remote code on the victim’s device.

Redmond credits south Korea’s National Cyber Security Center and AhnLab with finding and reporting this vulnerability.

CVE-2024-38193 – a 7.8 rated Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This one could allow an attacker to gain system privileges.

As Zero Day Initiative’s Dustin Childs noted: “These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn’t provide any indication of how broadly this is being exploited, but considering the source, if it’s not in ransomware already, it likely will be soon.”

Gen Digital bug hunters Luigino Camastra and Milánek disclosed the flaw to Redmond.

CVE-2024-38106 – a Windows Kernel Elevation of Privilege Vulnerability with a 7.0 CVSS rating.

Exploiting this bug requires an attacker to win a race condition, but Redmond doesn’t provide any details about what that race involves. But once that happens the miscreant can gain system privileges. It’s been exploited, so patch soon.

CVE-2024-38107 – a 7.8-rated Windows Power Dependency Coordinator Elevation of Privilege Vulnerability. It could also result in system privileges and has been exploited in the wild.

CVE-2024-38213 – a Windows Mark of the Web Security Feature Bypass Vulnerability that earned a 6.5 CVSS rating.

ZDI researcher Peter Girnus found and reported this vulnerability, which allows an attacker to bypass the SmartScreen security feature. It does, however, require the mark to open a malicious file.

Microsoft listed four vulnerabilities as publicly disclosed, albeit not yet exploited, so maybe put these high on your to-patch list:

  • CVE-2024-38200 – a Microsoft Office Spoofing Vulnerability with a 6.5 CVSS rating.
  • CVE-2024-38199 – a Windows Line Printer Daemon (LPD) Service RCE Vulnerability with a 9.8 CVSS rating.
  • CVE-2024-21302 – a Windows Secure Kernel Mode Elevation of Privilege Vulnerability with a 6.7 CVSS rating.
  • CVE-2024-38202 – a Windows Update Stack Elevation of Privilege Vulnerability with a 7.3 CVSS rating.

Adobe addresses 71 CVEs

Adobe this month fixed 71 CVEs in 11 updates across its Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, 3D Sampler, and Substance 3D Designer products. Adobe states it’s not aware of any exploits for any of the now-fixed flaws.

Commerce is the buggiest of the bunch, with seven critical-rated vulnerabilities. InDesign addressed 13 CVEs and Acrobat and Reader fixed 12 – both of which included RCEs.

SAP slaps out 25 security patches

SAP this month released 25 new or updated security patches, including two HotNews notes and four high-priority notes. Thomas Fritsch, SAP Security Researcher at Onapsis, says this count is above average for the software maker.

Of the new HotNews notes, #3479478 (CVE-2024-41730) earned a 9.8 CVSS rating and addresses a denial of service vulnerability in the SAP BusinessObjects Business Intelligence Platform.

“If Single Sign On Enterprise authentication is enabled, an unauthorized user can get a logon token using a REST endpoint,” Fritsch warned. “The attacker can fully compromise the system resulting in high impact on confidentiality, integrity and availability.”

43 more pain points for Intel

Intel joined the patch party this month with a whopping 43 security advisories that plug multiple holes in software and hardware. Nine are rated high-severity flaws, so let’s start there:

Intel Ethernet Controllers and Adapters fixes CVEs that may allow escalation of privilege or denial of service.

Bugs in some Intel NUC BIOS Firmware may allow escalation of privilege, denial of service and information disclosure.

Vulnerabilities in Intel Core Ultra Processor and Intel Processor stream cache mechanisms may allow escalation of privilege.

Flaws in Intel Trust Domain Extensions (Intel TDX) module software may allow denial of service.

A security vulnerability in SMI Transfer monitor (STM) may allow escalation of privilege.

Flaws in some Intel Agilex FPGA Firmware and some Intel Server Board S2600ST Family Firmware may allow escalation of privilege.

Finally, some Intel UEFI Integrator Tools on Aptio V for Intel NUC are vulnerable to an escalation of privilege bug. ®

Latest article