Microsoft tackles 88 vulnerabilities in latest Patch Tuesday update
This month's Patch Tuesday sees Microsoft address a substantial number of vulnerabilities, and analysts at Tenable and Ivanti have picked out the ones that deserve first attention.
Researchers count seven critical and ten zero-day vulnerabilities among the 88 Common Vulnerabilities and Exposures (CVEs) resolved, a zero-day here meaning a flaw that was publicly disclosed or exploited before the fix shipped. Six of the ten were exploited in the wild before patches were available, which is why this release has drawn so much attention from the security community.
Scott Caveza, a Staff Research Engineer at Tenable, singled out two related flaws in this update. "CVE-2024-38202 is an Elevation of Privilege (EoP) vulnerability in the Windows Update Stack, and CVE-2024-21302 is an EoP flaw affecting Windows Secure Kernel," he said. Both were reported by SafeBreach Labs researcher Alon Leviev. "If exploited in tandem, an attacker could downgrade or roll back software updates without user interaction, potentially negating previous remediation efforts and widening the device's attack surface." The practical consequence is that a machine can be returned to a known-vulnerable state while the usual update tooling still reports it as current, so previously fixed bugs become exploitable again. Note that for these two CVEs Microsoft published advisories with mitigation guidance this month; the security updates themselves were still in development at the time of release, so the guidance is what organisations have to work with for now.
Caveza also flagged CVE-2024-38200, a spoofing vulnerability in Microsoft Office. Exploitation requires enticing a victim to open a specially crafted file, typically delivered by phishing email; when the file is opened, Office can be made to authenticate to an attacker-controlled server, exposing the user's NT LAN Manager (NTLM) challenge-response hash to a remote attacker. A captured hash of this kind cannot be passed directly, but it can be relayed to other services that accept NTLM or cracked offline to recover the password. The Russian state-aligned group APT28 has exploited NTLM hash-leaking Office flaws in exactly this way before.
Microsoft also fixed vulnerabilities in two of its AI services: Copilot Studio, its platform for building AI chatbots and agents, and Azure Health Bot. CVE-2024-38206 is an information disclosure vulnerability in Copilot Studio: an authenticated attacker could bypass the product's server-side request forgery (SSRF) protections and reach internal resources, leaking sensitive information. CVE-2024-38109 in Azure Health Bot, rated 9.1 on CVSSv3, is a critical EoP vulnerability. Both are cloud-side issues that Microsoft has already mitigated in the service, so customers have nothing to deploy for them.
Chris Goettl, Vice President of Security Product Management at Ivanti, also commented on the release, noting its breadth: it covers the Windows OS, Office, Edge, .NET, Visual Studio and several Azure services. Goettl singled out the Windows OS and Office updates as the priority, since those two cover most of this month's exploited and publicly disclosed issues and should be deployed first.
Among the highlighted CVEs is CVE-2024-38189, a Remote Code Execution vulnerability in Microsoft Project that has been exploited in the wild. Rated 8.8 on CVSS, it requires the victim to open a malicious Project file on a system where macros are allowed to run, which is why two existing policies blunt it: the "Block macros from running in Office files from the Internet" policy, and "VBA Macro Notification Settings" configured so that macros are not silently enabled. Organisations that already enforce both are protected from the exploitation seen so far, but the update should still be applied.
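The two mitigations just described for CVE-2024-38189, and the outbound-NTLM restriction that limits the impact of the CVE-2024-38200 hash leak discussed earlier, are both plain policy settings that can be audited from the endpoint. The following is an added example, not code from the article or from Tenable or Ivanti: a read-only PowerShell audit of those settings. The Word, Excel and PowerPoint policy paths and the LSA `RestrictSendingNTLMTraffic` value are the documented locations; the `MS Project` key name is taken from the Office ADMX and is an assumption to confirm against your own templates.

```powershell
# Added example; not code from the article, Tenable or Ivanti. A read-only audit of the
# workstation mitigations discussed for CVE-2024-38200 (outbound NTLM) and
# CVE-2024-38189 (Office macro policy). Run it as the user whose policy you want to see.

function Get-RegValueOrNull {
    # Returns a registry value, or $null when the key or value does not exist,
    # i.e. when the policy is simply not configured.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# --- Office macro policy -----------------------------------------------------------
# Policy keys written by Group Policy / Intune for Office 2016 and later (version 16.0).
# Word, Excel and PowerPoint paths are the documented ones; the "MS Project" key name
# is taken from the Office ADMX and is an assumption to confirm against your templates.
$officeApps = [ordered]@{
    'Word'       = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    'Excel'      = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
    'PowerPoint' = 'HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security'
    'Project'    = 'HKCU:\Software\Policies\Microsoft\Office\16.0\MS Project\Security'
}
# VBAWarnings meanings from the Office ADMX ("VBA Macro Notification Settings").
$vbaNames = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    foreach ($app in $officeApps.Keys) {
        $path  = $officeApps[$app]
        $block = Get-RegValueOrNull -Path $path -Name 'blockcontentexecutionfrominternet'
        $vba   = Get-RegValueOrNull -Path $path -Name 'VBAWarnings'
        $vbaText = if ($null -ne $vba -and $vbaNames.ContainsKey([int]$vba)) { $vbaNames[[int]$vba] }
                   else { 'Not configured (user setting applies)' }
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = if ($block -eq 1) { 'Enabled' } else { 'Not enforced' }
            VBAWarnings         = $vbaText
            # The advisory's precondition for exploitation is that BOTH policies are off,
            # so the host counts as hardened only when both are in place.
            Hardened            = ($block -eq 1) -and ($vba -in 2, 3, 4)
        }
    }
}

# --- Outbound NTLM restriction -----------------------------------------------------
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is stored
# in this LSA value: absent or 0 = allow all, 1 = audit all, 2 = deny all.
function Get-OutboundNtlmPolicy {
    $value = Get-RegValueOrNull -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                                -Name 'RestrictSendingNTLMTraffic'
    $state = if ($value -eq 2) { 'Deny all' } elseif ($value -eq 1) { 'Audit all' } else { 'Allow all' }
    # Members of the AD "Protected Users" group cannot authenticate with NTLM at all,
    # so a leaked challenge-response is of little use for them.
    $protected = [bool]((whoami /groups) -match 'Protected Users')
    [pscustomobject]@{
        RestrictSendingNTLMTraffic  = $state
        CurrentUserInProtectedUsers = $protected
        Hardened                    = ($value -eq 2) -or $protected
    }
}

Get-OfficeMacroPolicy  | Format-Table -AutoSize
Get-OutboundNtlmPolicy | Format-List
```

Setting `RestrictSendingNTLMTraffic` to 2 blocks all outgoing NTLM, which will break legacy devices and non-domain services that only speak NTLM, so run it at 1 (audit) first and review the resulting NTLM audit events before enforcing. The macro check reads the policy hive only; a user-level setting without policy enforcement can be changed by the user and should not be counted as a mitigation.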
CVE-2024-38107 and CVE-2024-38106, EoP vulnerabilities in the Windows Power Dependency Coordinator and the Windows Kernel respectively, were both exploited in the wild and also warrant attention: a successful exploit grants SYSTEM privileges, which is the usual second stage once an attacker has an initial foothold from a phishing attachment or browser exploit.
Another notable flaw is CVE-2024-38199, a Remote Code Execution vulnerability in the Windows Line Printer Daemon (LPD) service that was publicly disclosed before the fix. The LPD service is not installed by default, but where it is, an unauthenticated attacker on the network can trigger the flaw by sending a crafted print task, so environments that rely on LPD should patch promptly given its high severity (CVSS score of 9.8).
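Because LPD is an optional component, the useful first step is to find out which hosts actually run it rather than treating every Windows machine as exposed. The following is an added example, not code from the article: a PowerShell check that reports, for the local host, whether the LPD feature is installed, whether its service is running and whether anything is listening on 515/tcp, plus a helper to sweep a list of hosts for open 515/tcp from a jump box. The names `LPDSVC` (service), `LPDPrintService` (client optional feature) and `Print-LPD-Service` (server role service) are the standard Windows names; confirm them against your build, and the host list passed to the sweep is a placeholder.

```powershell
# Added example, not code from the article: confirm whether the Line Printer Daemon is
# actually present before treating the LPD RCE as an out-of-band emergency on a host.
# LPD listens on 515/tcp (RFC 1179). Feature and service names are the standard ones
# on Windows 10/11 and Windows Server; confirm against your build.

function Test-LpdExposure {
    # Local view: is the component installed, is the service running, is 515 open?
    $service  = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue
    $feature  = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Windows Server: LPD is a role service under Print and Document Services
        (Get-WindowsFeature -Name 'Print-LPD-Service').InstallState
    } else {
        # Client SKUs: LPD is an optional feature; querying it needs an elevated session
        (Get-WindowsOptionalFeature -Online -FeatureName 'LPDPrintService' -ErrorAction SilentlyContinue).State
    }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        FeatureState     = if ($null -ne $feature) { "$feature" } else { 'NotPresent or not queryable (run elevated)' }
        ServiceStatus    = if ($service) { "$($service.Status)" } else { 'NotInstalled' }
        Port515Listening = [bool]$listener
        # Only hosts that actually run the daemon are reachable through this flaw;
        # everything else still needs the cumulative update, just not out of band.
        ExposedNow       = [bool]$listener -or ($null -ne $service -and $service.Status -eq 'Running')
    }
}

function Find-LpdListeners {
    # Network view from a jump host: which of the given hosts answer on 515/tcp right now.
    param([string[]]$ComputerName)
    foreach ($target in $ComputerName) {
        $open = (Test-NetConnection -ComputerName $target -Port 515 -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ ComputerName = $target; Port515Open = [bool]$open }
    }
}

Test-LpdExposure | Format-List
# Placeholder host names; replace with your print servers or a list from your CMDB.
Find-LpdListeners -ComputerName 'print01', 'print02' | Format-Table -AutoSize
```

A host that shows `Port515Listening` true but the feature absent is worth a second look, since something other than the Windows LPD service is answering on the LPD port; a host with the feature installed but the service stopped is not exploitable now but becomes so the moment someone starts the service, so it still belongs in the first patch wave.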
Beyond Microsoft, Adobe and Google shipped updates in the same window. Adobe fixed twelve CVEs in Acrobat and Reader, eight of them rated critical. Google's Chrome update, which the advisory summarises without listing specific CVEs, is a reminder that browsers need to be kept current across the estate alongside the operating system.
Ivanti itself published advisories for Ivanti Neurons for ITSM, Ivanti Avalanche and Ivanti Virtual Traffic Manager (vTM). None of these CVEs is known to be exploited, but CVE-2024-7593, an authentication bypass in vTM that has been publicly disclosed, warrants monitoring and prompt patching, and its management interface should not be reachable from the internet in any case.
In conclusion, the priority for organisations is clear: remediate the zero-days and known-exploited flaws first, particularly those in core platforms such as Windows and Office. Deploying those patches promptly, and tightening the related policies (macro blocking, NTLM restrictions, removing unneeded services such as LPD) where a fix is not yet available, substantially reduces the chance of these vulnerabilities being exploited in the wild.