August Patch Pileup: Microsoft’s Zero-Day Doozy Dump
Patch Tuesday—ten zero-days, seven Critical vulns, zero time to waste.
It’s that time again. This month’s “Week B” brings 90 bugs across Microsoft Windows, Office, Azure, Dynamics, Edge, Secure Boot and Visual Studio. And some of them are absolute showstoppers: drop-everything, must-patch flaws.
Let’s round up the highlights. In today’s SB Blogwatch, we work out what matters.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Toyota Gazoo forklift.
See These CVEs
What’s the craic? Jai Vijayan reports: Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
“Under active exploit”
Seven of the bugs that Microsoft disclosed this week are rated as Critical. … Attackers are already actively exploiting six of the bugs and four others are public, including one for which Microsoft has no patch yet: … An elevation of privilege (EoP) bug in Windows Update Stack, tracked as CVE-2024-38202.
…
Two of the vulnerabilities under active attack enable remote code execution (RCE) on affected systems: … CVE-2024-38189, affects Microsoft Project [and] CVE-2024-38178, a memory corruption vulnerability in Windows Scripting. … Three of the zero-days in this update that attackers are actively exploiting — CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 — enable an attacker to elevate privileges to system admin status. … ’38106 is especially serious because it exists in the Windows Kernel.
…
The other zero-day under active exploit is CVE-2024-38213, a flaw that allows attackers to bypass Windows Mark of the Web. [It] gives attackers a way to sneak malicious files and Web content into enterprise environments without having them marked as untrusted.
Wait. *Counts on fingers* isn’t that seven zero-days? Lawrence Abrams runs the numbers: Microsoft August 2024 Patch Tuesday
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no official fix is available. [The] three other publicly disclosed zero-day vulnerabilities … are:
CVE-2024-38199 – Windows Line Printer Daemon (LPD) Service Remote Code Execution. …
CVE-2024-21302 – Windows Secure Kernel Mode Elevation of Privilege. …
CVE-2024-38200 – Microsoft Office Spoofing.
There’s a lot going on here. Brian Krebs cycles in: August 2024 Patch Push
“Security vulnerabilities”
This month’s bundle of update joy from Redmond includes patches for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and of course Windows itself. Of the six zero-day weaknesses Microsoft addressed this month, half are local privilege escalation vulnerabilities — meaning they are primarily useful for attackers when combined with other flaws or access.
…
Separately, Adobe today [addressed] at least 71 security vulnerabilities across a range of products including Adobe Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, and Substance 3D Sampler/Substance 3D Designer.
What about the ones not disclosed nor exploited yet? Dustin Childs picks a favorite Security Update Review:
We’re greeted with three different CVSS 9.8 bugs. … The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target. That means it’s wormable.
That sounds horrific. Good job it’s not in the wild. Not so fast, thinks zer0c00ler:
It probably takes nation states (and skilled individuals) a few hours to reverse the patch and build an exploit.
The ’38213 Mark Of The Web flaw got Richard 12’s attention:
MotW is very fragile—always has been. Not to mention that it pops up so often that it’s basically trained users to ignore it.
Many of the documents I get sent by other businesses are still Word docs, even when they’re explicitly intended to be read-only. And for some reason Word can’t print in view-only mode, so loads of people immediately disable that.
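Both Jai Vijayan’s description of ’38213 (“sneak malicious files … without having them marked as untrusted”) and Richard 12’s “MotW is very fragile” come down to the same detail: Mark of the Web is just a small NTFS alternate data stream named Zone.Identifier. The script below is an added example written for this column, not code from any of the quoted sources or from Microsoft; it parses that stream, decides whether a file would get Protected View / SmartScreen treatment, and on Windows can read the stream straight off a file. The file paths, URLs and stream contents in it are constructed, and it says nothing about how the patched bug itself works.

```python
"""
Added example (not from the original post or any quoted source): what Windows
Mark of the Web (MotW) physically is, and a check for files that lack it.

MotW is an NTFS alternate data stream named "Zone.Identifier" holding an
INI-style block such as:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/
    HostUrl=https://example.test/payload.docx

ZoneId 3 (Internet) or 4 (Restricted) is what makes Office open the file in
Protected View and SmartScreen inspect it. Anything else, or no stream at
all, and the file is treated as local. Paths, URLs and stream contents below
are constructed for this example.
"""
import sys
from typing import Optional

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier stream contents into a dict; ZoneId is returned as int (None if malformed)."""
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.lower() == "zoneid":
                try:
                    result["ZoneId"] = int(value)
                except ValueError:
                    result["ZoneId"] = None  # malformed zone: Windows will not treat it as Internet
            else:
                result[key] = value
    return result


def is_marked_untrusted(stream_text: Optional[str]) -> bool:
    """True only if the stream exists and declares the Internet or Restricted zone."""
    if stream_text is None:
        return False
    return parse_zone_identifier(stream_text).get("ZoneId") in UNTRUSTED_ZONES


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS from an NTFS file (Windows only). None means the file carries no MotW."""
    if sys.platform != "win32":
        raise OSError("Zone.Identifier is an NTFS alternate data stream; Windows only")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return None


def audit(files: dict) -> list:
    """Given {path: stream_text_or_None}, list the files that would NOT get MotW protections."""
    return [path for path, stream in files.items() if not is_marked_untrusted(stream)]


# Constructed sample: three "downloads". Only the first carries a usable MotW.
SAMPLE = {
    r"C:\Users\a\Downloads\quote.docx": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/quote.docx\r\n",
    # Extracted from an archive or ISO, or copied via FAT32 media: the stream is simply gone.
    r"C:\Users\a\Downloads\invoice.docx": None,
    # Stream present but claims the intranet zone: no Protected View either.
    r"C:\Users\a\Downloads\memo.docx": "[ZoneTransfer]\r\nZoneId=1\r\n",
}

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("no MotW protection:", path)
```

On a real Windows box the same stream is visible with `Get-Content -Path <file> -Stream Zone.Identifier`, and `Unblock-File` deletes it; the second and third sample entries are the fragility Richard 12 is talking about, since the mark lives only in an NTFS stream and does not survive a trip through a non-NTFS volume or many archive formats.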
Any patching issues in production? u/joshtaco emits zero unnecessary verbiage:
Ready to deploy to 8,000 servers/workstations. Work work.
…
All patches installed. Everything looks fine.
That’s a lot of work. But bradley13 solved the problem, thankfully: [You’re fired—Ed.]
Thankfully, I solved the problem by removing Windows a couple of years ago. It now lives in a rarely used VM.
And Finally:
“Toyota’s answer to increasing competition from the Nissan GT-R and Honda NSX.”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Kelly Sikkema (via Unsplash; leveled and cropped)