I have successfully survived Summer Hacker Camp, and I hope you have too. And we return just in time for Patch Tuesday and a new crop of 0-days as Microsoft and Adobe have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for August 2024
For August, Adobe released 11 security bulletins addressing 71 CVEs in Adobe Illustrator. Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy. Substance 3D Sampler, and Substance 3D Designer. A total of 14 of these bugs came through the ZDI program. The largest of these updates is for Adobe Commerce, which includes several fixes for Critical-rated bode execution bugs. The patch for InDesign also corrects many code execution bugs. However, I’m probably most concerned about the update for Acrobat and Reader, as maliciously crafted PDFs are often used in ransomware.
The fixes for Photoshop, Substance 3D Stager, InCopy, and Substance 3D Designer each address a single Critical-rated CVE that could lead to code execution. The patch for Illustrator corrects seven bugs, but most of these are rated Important. The Dimension patch has three Critical and three Important bugs. ZDI’s Mat Powell reported the three bugs fixed in Adobe Bridge. The final Adobe patch for August is for Substance 3D Sampler and fixes four bugs.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for August 2024
This month, Microsoft released 90 new CVEs in Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure; Co-Pilot; Microsoft Dynamics; Teams; and (of course) Secure Boot. With the third-party bugs also listed, it brings the total CVE count to 102. Four of these bugs came through the ZDI program, including one of the bugs listed as under active exploit.
Of the patches being released today, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. While this isn’t the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release.
Four of these CVEs are listed as publicly known, and six others are listed as under active attack Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently being exploited:
CVE-2024-38178 - Scripting Engine Memory Corruption Vulnerability
This vulnerability is somewhat unusual as it requires the target to be using Edge in Internet Explorer mode. It seems the long arm of IE again reaches out from beyond the vale to cause problems. Once Edge is in IE mode, it just takes a user to click a link to get code execution. This patch also comes with a fix for Windows 11 v24H2, which isn’t generally available. However, Copilot+ devices ship with this Windows version, thus the update here.
CVE-2024-38193 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
This privilege escalation bug allows attackers to run code as SYSTEM. These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn’t provide any indication of how broadly this is being exploited, but considering the source, if it’s not in ransomware already, it likely will be soon.
CVE-2024-38106 - Windows Kernel Elevation of Privilege Vulnerability
This is another privilege escalation bug under active attack that leads to SYSTEM privileges. Microsoft lists exploit complexity as high due to the attacker needing to win a race condition. However, some races are easier to run than others. It’s times like this where the CVSS can be misleading. Race conditions do lead to complexity high in the CVSS score, but with attacks in the wild, it’s clear this bug is readily exploitable.
CVE-2024-38107 - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
Here’s yet another privilege escalation bug that leads to SYSTEM being exploited in the wild. If you’re not familiar with the Power Dependency Coordinator (PDC), it’s a component of Modern Standby. Essentially, its purpose was to allow devices to “instantly” wake from sleep. It was introduced in Windows 8. It also shows how adding capabilities can often add attack surface, too.
CVE-2024-38189 - Microsoft Project Remote Code Execution Vulnerability
It’s definitely odd to see a code execution bug in Project, but not only do we have one here, it’s being exploited in the wild. For the most part, this is your typical open-and-own bug, but in this case, the target allows macros to run from the internet. The target also needs to disable the VBA Macro Notification Settings. If you do this, please don’t. Here’s some guidance on how to block macros from running in Office products. And if you’re opening random Project files from dicey resources, please go re-take your phishing training.
Here’s the full list of CVEs released by Microsoft for August 2024:
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
You may have noticed I didn’t talk about the sixth bug under active attack. That’s because the ZDI researcher who found it, Peter Girnus, has a full blog on it coming out this Thursday. Stay tuned for all the details.
Moving on to the other code execution bugs, we’re greeted with three different CVSS 9.8 bugs right off the top. The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target. That means it’s wormable. You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on just about everything. It’s a similar attack scenario for the Reliable Multicast Transport Driver (RMCAST), but in this case, you need a service listening as a receiver on PGM to be vulnerable. That’s a bit less likely. The Line Printer Daemon (LPD) has a bug with a similar consequence, but LPD isn’t installed by default (and shouldn’t be reachable from the Internet). That’s why it’s listed as Important rather than Critical despite its CVSS 9.8 rating. However, if you are running LPD, definitely treat this as a Critical update.
Looking at the other code execution bugs, thankfully most are more mundane. Office features heavily with typical open-and-own bugs. One that does stand out is the patch for Outlook. The Preview Pane is an attack vector; however, the attacker needs access to the target Outlook account for exploitation. Two bugs in the Network Virtualization component could cause some grief. Microsoft states, “By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.” If you’re using virtualization, definitely test and deploy that one quickly. The bug in the Mobile Broadband Driver requires physical access. There are also a lot of RCE bugs in routing protocols, but many of these are older protocols where exploitation would be highly unlikely. I would also pay attention to the SmartScreen bug, as that has proven to be a popular target for exploitation. Finally, the bug in Azure CycleCloud could allow an authenticated attacker to acquire the storage account credentials and runtime data. These could then be used to create a malicious script to get remote code execution on any cluster in the CycleCloud instance.
There are 36 fixes for Elevation of Privilege (EoP) bugs in this release including those already. Mentioned. However, most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. There are also a couple of cloud-based bugs, like the one in Azure Health Bot, that require no action and are just being documented publicly. One of the kernel-mode driver bugs could be used for a sandbox escape. The bug in the Azure Stack Hub would involve some social engineering as the attacker would need to send a malicious JSON file to a target, but NOT have the target open and review it. Seems unlikely.
The big news for privilege escalation bugs comes from Black Hat and DEFCON as a researcher presented how to downgrade certain files in the OS to a vulnerable state and then exploit them. We’ve seen downgrade attacks in other products, but it’s certainly interesting research to find one in the Secure Kernel Mode component. The researcher also demonstrated a downgrade attack in the Update Stack as well. While the research is public, there are currently no known exploits targeting these vulnerabilities.
Speaking of bugs disclosed during Hacker Summer Camp, one of the five Spoofing fixes was actually documented back on August 8. It’s listed as Office Spoofing, but it results in NTLM relaying. There’s still no official fix for this, but Microsoft states people are not affected, “on all in-support versions of Microsoft Office and Microsoft 365,” due to a change in Feature Flighting. I would still test and update quickly once a patch is available. The bug in Azure Stack Hub is a simple cross-site scripting (XSS) bug. The bug in Teams for iOS allows attacks to appear as someone else within Teams. You’ll need to download an updated client to resolve this one. The App Installer bug could trick users into installing software they didn’t intend to install. There are no real details provided for the spoofing bug in DNS, but these usually result in the DNS server providing false results to queries.
There are only nine information disclosure bugs receiving fixes this month and most only result in info leaks consisting of unspecified memory contents. There are a few exceptions. The bug in RRAS could disclose the ever-ethereal “sensitive information”. The bug in Copilot could also disclose sensitive info, but this has already been corrected and is only being documented. The bug in .NET and Visual Studio could disclose targeted emails, but the attack scenario isn’t clear. The bug in Edge (Chromium-based) is more interesting. An attacker could expose Edge WebUI permissions. This would allow them to access target data from microphones and cameras.
The August release includes fixes for a handful of Denial-of-Service (DoS) bugs. However, Microsoft again provides no additional information about these vulnerabilities.
There’s also one bug in the ill-defined “Tampering” category. It requires a user to open a specially crafted file, yet it also lists the attack vector as Network. Maybe the file needs to be on a shared drive? Microsoft also does not provide the result of the tampering. It’s possible that compressed files could be crafted to evade detection from EDR/XDR. We’ve seen similar tactics used by ransomware in the past, however, without further details from Microsoft, this is all just speculation.
Finally, the August release is rounded out by two XSS in Microsoft Dynamics (on-premises).
There are no new advisories in this month’s release, but there was an update to the servicing stack.
Looking Ahead
The next Patch Tuesday of 2024 will be on September 10, and I’ll return with details and pumpkin-spiced patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!