Microsoft Patched 6 Actively Exploited Zero-Day Flaws

Patch Tuesday, Microsoft’s monthly report of security updates, brought 90 CVEs, including some vulnerabilities that were being actively exploited.

Some vulnerabilities originated in Chromium, meaning both Microsoft Edge and Google Chrome may have been affected. Here are the most critical flaws and patches disclosed by Microsoft on Aug. 13.

Six zero-day flaws had been exploited

Threat actors had already taken advantage of six zero-day exploits in particular:

• CVE-2024-38106: an elevation of privilege vulnerability in the Windows kernel.
• CVE-2024-38107: an elevation of privilege vulnerability in the Windows Power Dependency Coordinator.
• CVE-2024-38178: in which remote code execution could have been possible if a user clicked a link using Edge in Internet Explorer Mode.
• CVE-2024-38189: in which opening a malicious Microsoft Office Project file under certain conditions could enable remote code execution.
• CVE-2024-38193: an elevation of privilege vulnerability that could give an attacker SYSTEM privileges.
• CVE-2024-38213: in which an attacker could bypass the SmartScreen protection that pops up when a user downloads something from the internet.

SEE: Organizations may want to assess how their privacy and data storage policies intersect with Microsoft’s Copilot AI.

NIST labels two vulnerabilities as ‘critical’

Other notable items in this month’s Patch Tuesday were those rated as critical according to the National Vulnerability Database’s Common Vulnerability Scoring System from NIST. These were:

• CVE-2024-38140: a remote code execution vulnerability that could occur if a program was using a Pragmatic General Multicast port to listen.
• CVE-2024-38063: a remote code execution vulnerability enabled by sending repeated malicious IPv6 packets.

Another vulnerability, CVE-2024-38202, is remarkable because Microsoft has not yet released a patch for it. To mitigate this elevation of privilege vulnerability in Windows Update, Redmond recommends auditing user access to objects, operations, and files.

The complete steps for protecting against this vulnerability can be found in the recommended actions section of the vulnerability’s listing.

A group of vulnerabilities originate in Chromium

Business users around the world should use the most up-to-date versions of Edge as well as Google Chrome, since some of the vulnerabilities originate in the Chromium Open Source Software used in both browsers.

Relevant Chrome and Chromium vulnerabilities are as follows:

• MITRE CVE 7532: possible out-of-bounds memory access in ANGLE, a graphics engine layer in Chrome.
• MITRE CVE 7533: a use-after-free exploit on Chrome in iOS.
• MITRE CVE 7534: heap buffer overflow in Layout.
• MITRE CVE 7535: inappropriate implementation in V8.
• MITRE CVE 7536: a use-after-free exploit in WebAudio.
• MITRE CVE 7550: Type Confusion in V8.
• MITRE CVE 38218: an HTML-based memory-corruption vulnerability in Microsoft Edge.
• MITRE CVE 38219: a remote code execution vulnerability in Microsoft Edge.

Attackers could have potentially used these vulnerabilities to perform arbitrary code execution before they were patched.

Reminder: keep browsers and operating systems up to date

Most exploits mentioned in the patch report are covered by the August security updates, so the only action administrators need to take in response is to keep up to date.

Similarly, the mitigation for these Chromium flaws is to update Microsoft Edge or Google Chrome to the latest versions.

In Edge, check which version is running and find updates by going to the meatball menu (…) on the right-hand side. Select “Help” and “Feedback,” then select “Microsoft Edge.”

In Chrome, select “About Google Chrome” in the menu bar or select the kebab menu (three vertical dots) on the top-right of the window. From there, select “Help,” then “About Google Chrome.”