On August 13, 2024, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The updates close 88 vulnerabilities (CVEs), seven of them critical; 10 are classified as 0-day, and six of those are already being exploited in the wild. Below is a compact overview of the updates released on this Patchday.
Notes on the updates
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates for the server counterparts) are cumulative. The monthly Patchday update contains all security fixes for these Windows versions, plus all non-security fixes released up to the Patchday. In addition to the security patches, the updates therefore also contain bug fixes and new features.
Windows Server 2012 R2
Windows Server 2012/R2 received regular security updates until October 2023. After that date, an ESU license is required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2024-38206: Microsoft Copilot Studio Information Disclosure Vulnerability, CVEv3 Score 8.5, critical; A critical information disclosure vulnerability affecting Microsoft's Copilot Studio, an AI-driven chatbot. The vulnerability could be abused by an authenticated attacker to bypass server-side request forgery (SSRF) protection to potentially disclose sensitive information. The vulnerability was disclosed by Microsoft on August 6, with the advisory noting that no user action is required as the issue has been patched by Microsoft. The vulnerability was discovered and reported to Microsoft by Evan Grant, a researcher at Tenable.
- CVE-2024-38109: Azure Health Bot Elevation of Privilege vulnerability, CVEv3 Score 9.1, critical; It is a critical SSRF EoP vulnerability in Azure Health Bot. The vulnerability was discovered by Tenable researcher Jimi Sebree and reported to Microsoft. The vulnerability has been patched by Microsoft and no action is required for users of the Health Bot service. Further information on this vulnerability can be found in Tenable Research Advisories TRA-2024-27 and TRA-2024-2 and in this blog post.
- CVE-2024-38106, CVE-2024-3813, CVE-2024-38153: Windows Kernel Elevation of Privilege vulnerability, CVEv3 Score 7.0 – 7.8, important; despite the lower severity and the exploitation requirement that the attacker must win a race condition, CVE-2024-38106 has reportedly been exploited in the wild as a zero-day. CVE-2024-38133 has been classified as "Exploitation More Likely" by Microsoft. Successful exploitation of these vulnerabilities could allow an attacker to elevate privileges to SYSTEM.
- CVE-2024-38107: Windows Power Dependency Coordinator Elevation of Privilege vulnerability, CVEv3 Score 7.8, important; EoP vulnerability affecting the Windows Power Dependency Coordinator (pdc.sys). The driver is responsible for power management on a Windows system. This vulnerability has been exploited in the wild as a zero-day. Patches are available for all supported versions of Windows and Windows Server.
- CVE-2024-38178: Scripting Engine Memory Corruption vulnerability, CVEv3 Score 7.5, important; This vulnerability has already been exploited. According to Microsoft, an authenticated victim must run the Edge browser in Internet Explorer mode to exploit the vulnerability before an unauthenticated attacker can trick the victim into clicking on a specially crafted URL to obtain RCE.
- CVE-2024-38189: Microsoft Project Remote Code Execution vulnerability, CVEv3 Score 8.8, important; exploitation in the wild has been observed. According to the advisory, an unsuspecting victim must open a manipulated Microsoft Office Project file for the vulnerability to be exploited. In addition, the system must be configured so that the "Do not run macros in Office files from the Internet" policy and the VBA macro notification settings are disabled for an attack to succeed. Microsoft's advisory clarifies that the preview pane is not an attack vector for this vulnerability and offers mitigation options to protect systems when immediate patching is not possible.
- CVE-2024-38141, CVE-2024-3819: Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability, CVEv3 Score 7.8, important; EoP vulnerabilities affecting the Windows Ancillary Function Driver for WinSock (afd.sys). Both vulnerabilities may allow an attacker to escalate privileges to SYSTEM. CVE-2024-38141 is classified as "Exploitation More Likely", and CVE-2024-38193 has reportedly been exploited in the wild as a zero-day.
- CVE-2024-38213: Windows Mark of the Web Security Feature Bypass Vulnerability, CVEv3 Score 6.6, Moderate; To exploit this vulnerability, a user must open a specially crafted file that can be hosted on a file server or website or sent via a phishing email. If the attacker manages to get a victim to open this file, they can bypass Windows SmartScreen. Microsoft has labeled this vulnerability as "Exploitation Detected" as they are aware of a case where this vulnerability has been exploited.
- CVE-2024-38163: Windows Update Stack Elevation of Privilege vulnerability, CVEv3 Score 7.8, important; CVE-2024-38163 can lead to SYSTEM privilege escalation if successfully exploited. Microsoft has advised that users do not need to take any action for this vulnerability, as it can only be exploited at runtime and the affected version of WinRE has been replaced with a new version.
- CVE-2024-38202: Windows Update Stack Elevation of Privilege vulnerability, CVEv3 score 7.3, important; disclosed at BlackHat USA 2024 and DEF CON 32 by SafeBreach Labs researcher Alon Leviev ahead of the August 2024 Patch Tuesday release (Vulnerability in Windows Update allows downgrade attacks (August 2024)). The vulnerability in Windows Backup allows a user with basic privileges to "reintroduce previously mitigated vulnerabilities or bypass some Virtualization Based Security (VBS) features". Leviev identified the vulnerability in the Windows Update mechanism, which could allow unauthorized elevation of privileges by forcing a downgrade of system components. This vulnerability makes systems susceptible to exploits that have already been patched and therefore to attacks that could take advantage of these old vulnerabilities. Microsoft points out that "an attacker attempting to exploit this vulnerability would require additional interaction by a privileged user to be successful".
- CVE-2024-21302, CVE-2024-38142: Windows Secure Kernel Mode Elevation of Privilege vulnerability, CVEv3 score 7.3, important; both vulnerabilities allow elevation of privilege in Windows Secure Kernel, which Microsoft rates as "Exploitation Less Likely". CVE-2024-21302 has a CVSSv3 score of 6.7 and CVE-2024-38142 has a score of 7.8. Successful exploitation of one of these vulnerabilities could allow an attacker to gain SYSTEM privileges. CVE-2024-21302 was announced at Black Hat USA 2024 by the aforementioned security researcher Alon Leviev. Leviev demonstrated that CVE-2024-21302 can be chained with CVE-2024-38202 to downgrade or reset software versions without requiring a victim with elevated privileges to intervene. The result of this chained attack is that the target device can be made vulnerable to previously patched vulnerabilities, increasing the device's attack surface. CVE-2024-21302 was also mentioned in the aforementioned Microsoft advisory published in coordination with the disclosure at Black Hat.
- CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability, CVEv3 Score 9.8, important; the RCE vulnerability in the Windows Line Printer Daemon (LPD) Service is rated "Exploitation Less Likely" by Microsoft. A remote attacker could exploit this vulnerability over the network by sending a specially crafted print job to the Windows LPD service, which, if successful, would lead to RCE on the server. Microsoft has also pointed out that the vulnerability was made public before a patch was available.
- CVE-2024-38200: Microsoft Office Spoofing Vulnerability, CVEv3 Score 6.5, important; the spoofing vulnerability in Microsoft Office has been rated "Exploitation Less Likely" by Microsoft. An attacker could host a specially crafted file on a file server or website or send it in a phishing email. If the victim clicks on the file, the victim could disclose NTLM (New Technology LAN Manager) hashes to a remote attacker. CVE-2024-38200 was publicly disclosed on August 8th at DEF CON 32 by Jim Rush and Tomais Williamson of PrivSec Consulting.
- CVE-2024-38063: Windows TCP/IP Remote Code Execution vulnerability, CVEv3 Score 9.8, critical; A critical RCE vulnerability in Windows TCP/IP that is rated Exploitation More Likely. An attacker can remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host. Microsoft recommends disabling IPv6, as only IPv6 packets can be abused to exploit this vulnerability. Microsoft has released patches for all supported versions of Windows and Windows Server, including Server Core installations.
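For CVE-2024-38063, Microsoft's stopgap advice is to disable IPv6 where it is not needed. The following PowerShell script is an added example, not from the original post or from Microsoft: it reports which adapters still have the IPv6 stack (component ID ms_tcpip6) bound and unbinds it only when -Disable is passed. It assumes the built-in NetAdapter module (Windows 8 / Server 2012 and later) and local administrator rights for the disable step.

```powershell
# Added example (not part of the original post): audit and optionally unbind IPv6
# on all network adapters as a temporary mitigation for CVE-2024-38063.
# Assumes the NetAdapter module; -Disable requires an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # report only unless this switch is given
)

# One binding object per adapter for the IPv6 protocol component.
$bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction Stop

$stillBound = @()
foreach ($b in $bindings) {
    $state = if ($b.Enabled) { 'IPv6 BOUND' } else { 'IPv6 unbound' }
    Write-Output ('{0,-35} {1}' -f $b.Name, $state)

    if ($b.Enabled) {
        $stillBound += $b.Name
        # -WhatIf / -Confirm are honoured through ShouldProcess.
        if ($Disable -and $PSCmdlet.ShouldProcess($b.Name, 'Disable ms_tcpip6 binding')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_tcpip6'
        }
    }
}

# Summary line for ticketing / fleet reporting; exit code 1 signals remaining exposure.
if ($stillBound.Count -gt 0 -and -not $Disable) {
    Write-Warning ('IPv6 still bound on: {0}. Patch first; unbind only if IPv6 is unused.' -f ($stillBound -join ', '))
    exit 1
}
exit 0
```

Run it without parameters to audit, with -Disable -WhatIf to preview, and with -Disable to apply; re-enable with Enable-NetAdapterBinding once the August update is installed and IPv6 is needed again.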
A list of all covered CVEs can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:
- .NET and Visual Studio
- Azure Connected Machine Agent
- Azure CycleCloud
- Azure Health Bot
- Azure IoT SDK
- Azure Stack
- Line Printer Daemon Service (LPD)
- Microsoft Bluetooth Driver
- Microsoft Copilot Studio
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office PowerPoint
- Microsoft Office Project
- Microsoft Office Visio
- Microsoft Streaming Service
- Microsoft Teams
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows DNS
- Reliable Multicast Transport Driver (RMCAST)
- Windows Ancillary Function Driver for WinSock
- Windows App Installer
- Windows Clipboard Virtual Channel Extension
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Compressed Folder
- Windows Deployment Services
- Windows DWM Core Library
- Windows Initial Machine Configuration
- Windows IP Routing Management Snapin
- Windows Kerberos
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows Layer-2 Bridge Network Driver
- Windows Mark of the Web (MOTW)
- Windows Mobile Broadband
- Windows Network Address Translation (NAT)
- Windows Network Virtualization
- Windows NT OS Kernel
- Windows NTFS
- Windows Power Dependency Coordinator
- Windows Print Spooler Components
- Windows Resource Manager
- Windows Routing and Remote Access Service (RRAS)
- Windows Scripting
- Windows Secure Kernel Mode
- Windows Security Center
- Windows SmartScreen
- Windows TCP/IP
- Windows Transport Security Layer (TLS)
- Windows Update Stack
- Windows WLAN Auto Config Service
Similar articles:
Office Updates from August 6, 2024
Microsoft Security Update Summary (August 13, 2024)
Patchday: Windows 10/Server Updates (August 13, 2024)
Patchday: Windows 11/Server 2022-Updates (August 13, 2024)
Windows Server 2012 / R2 and Windows 7 (August 13, 2024)
Microsoft Office Updates (August 13, 2024)
Just an FYI if you run Defender and struggled with msmpeng.exe crashes last 24 hours: https://www.reddit.com/r/sysadmin/comments/1eruwp4/defender_crashing_last_hours/
thanks