August 13, 2024
Attackers are actively exploiting as many as six of the 90 vulnerabilities that Microsoft disclosed in its security update for August, making them a top priority for administrators this Patch Tuesday.
Another four CVEs in Microsoft's update were publicly known before the Aug. 13 disclosure, which also makes them zero-days of a sort, even though attackers have not yet been observed exploiting them. Among them, an elevation-of-privilege (EoP) bug in the Windows Update Stack, tracked as CVE-2024-38202, is particularly troubling because Microsoft does not yet have a patch for it.
Unpatched Zero-Day
The unpatched flaw allows an attacker with "basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)," according to Microsoft. The company rated the bug Important rather than Critical because exploitation requires tricking an administrator, or a user with delegated permissions, into performing a system restore that inadvertently triggers the rollback.
However, Scott Caveza, staff research engineer at Tenable, says that if an attacker were to chain CVE-2024-38202 with CVE-2024-21302 (an EoP flaw in the current update that affects Windows Secure Kernel), they would be able to roll back software updates without the need for any interaction with a privileged user. "CVE-2024-38202 does require 'additional interaction by a privileged user,' according to Microsoft," he says. "However, the chaining of CVE-2024-21302 allows an attacker to downgrade or roll back software versions without the need for interaction from a victim with elevated privileges."
Caveza says each vulnerability can be exploited separately, but when combined, they could potentially have a more significant impact.
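Because the practical effect of the chain described above is a silent downgrade of VBS-protected components, the check a defender wants is whether VBS is actually running on a host and whether its core binaries have moved backwards since the last known-good state. The PowerShell below is an added example written for this article, not guidance from Microsoft, Tenable or ZDI; the baseline file path, the set of files inspected and the assumption that an earlier-recorded baseline is trustworthy are all choices made here for illustration.

```powershell
# Added example, not from the article: report VBS status and flag VBS-related
# binaries whose file version is older than a previously recorded baseline.
# Run elevated. Baseline path and file list are assumptions for this example.

# 1. VBS / Secure Kernel status from the Device Guard WMI class (documented class)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled, not running' }
    2       { 'Running' }
    default { 'Unknown' }
}

# SecurityServicesRunning codes as documented for Win32_DeviceGuard
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
}
$running = foreach ($code in $dg.SecurityServicesRunning) {
    if ($serviceNames.ContainsKey([int]$code)) { $serviceNames[[int]$code] } else { "Service $code" }
}

[pscustomobject]@{
    VbsStatus               = $vbsStatus
    SecurityServicesRunning = ($running -join ', ')
} | Format-List

# 2. Record versions of the binaries a VBS downgrade would have to touch.
#    File list is an assumption; extend it to match your own threat model.
$files = 'securekernel.exe', 'ntoskrnl.exe', 'ci.dll' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$versions = Get-Item $files | Select-Object Name,
    @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } },
    LastWriteTime
$versions | Format-Table -AutoSize

# 3. Compare against a baseline captured on an earlier run (path is an assumption).
#    FileVersion strings look like "10.0.22621.3880 (WinBuild.160101.0800)";
#    everything after the first space is dropped before the [version] cast.
$baselinePath = 'C:\ProgramData\vbs-baseline.json'
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    foreach ($f in $versions) {
        $old = $baseline | Where-Object { $_.Name -eq $f.Name }
        if (-not $old) { continue }
        $now  = [version]($f.FileVersion   -replace ' .*$', '')
        $then = [version]($old.FileVersion -replace ' .*$', '')
        if ($now -lt $then) {
            Write-Warning "$($f.Name) is older than baseline ($now < $then): possible rollback"
        }
    }
} else {
    # First run: persist the current versions as the baseline.
    $versions | ConvertTo-Json | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath"
}
```

An attacker who can roll back the Secure Kernel can usually also edit a JSON file on the same disk, so in practice the baseline should be captured centrally (for example by your endpoint management or SIEM agent) rather than trusted from the host being checked; the local file here only keeps the example self-contained.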
In all, seven of the bugs that Microsoft disclosed this week are rated Critical. The company rated 79 CVEs, including the zero-days that attackers are actively exploiting, as Important, the next level down on Microsoft's severity scale, typically because exploitation requires user interaction, prior access, or some other precondition. "While this isn't the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), in a blog post.