Discover Microsoft’s latest security update addressing 90 vulnerabilities, including 10 zero-days. Stay informed about the latest Threatfeeds!

Continue reading
Microsoft on August 14, 2024, rolled out critical security patches to fix a total of 90 security vulnerabilities, among which were 10 zero-days. Notably, six of these zero-days are currently under active exploitation.
The 90 vulnerabilities are categorized as follows: 9 are deemed CRITICAL, 80 are Important, and one is Moderate. This is on top of the 36 vulnerabilities that Microsoft addressed in its Edge browser last month.
The Patch Tuesday updates stand out for their remediation of six actively exploited zero-days:
CVE-2024-38213, which enables attackers to circumvent SmartScreen protections, necessitates an attacker sending a malicious file to a user and persuading them to open it.
Peter Girnus of Trend Micro, who discovered and reported the flaw, suggests that it could serve as a bypass for CVE-2024-21412 or CVE-2023-36025, both of which were previously exploited by DarkGate malware operators.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has incorporated these flaws into its Known Exploited Vulnerabilities (KEV) catalog. Consequently, federal agencies are mandated to apply the fixes by September 3, 2024.
Four of the following CVEs are recognized as publicly known:
Scott Caveza, a research engineer at Tenable, provided insight on CVE-2024-38200, stating that an attacker could exploit this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email. Successful exploitation could lead to the victim exposing New Technology Lan Manager (NTLM) hashes to a remote attacker. These NTLM hashes could be leveraged in NTLM relay or pass-the-hash attacks to deepen an attacker's foothold within an organization.
The update also addresses a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), which enables an attacker to acquire SYSTEM privileges. Microsoft noted that successful exploitation of this vulnerability necessitates an attacker winning a race condition.
However, Microsoft has yet to roll out updates for CVE-2024-38202 and CVE-2024-21302, which could potentially be exploited to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.
Fortra recently reported a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) that could trigger a system crash, resulting in a Blue Screen of Death (BSoD). When asked for comment, a Microsoft spokesperson informed that the issue _"does not meet the bar for immediate servicing under our severity classification guidelines and we will consider it for a future product update."_
The spokesperson added, _"The technique described requires an attacker to have already gained code execution capabilities on the target machine and it does not grant elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by the user."_
Besides Microsoft, many other vendors have released security updates in recent weeks to patch various vulnerabilities. These vendors include Adobe, AMD, Apple, Arm, Bosch, Broadcom (including VMware), Cisco, Citrix, D-Link, Dell, Drupal, F5, Fortinet, GitLab, Google Android, Google Chrome, Google Cloud, Google Wear OS, HMS Networks, HP, HP Enterprise (including Aruba Networks), IBM, Intel, Ivanti, Jenkins, Juniper Networks, Lenovo, Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu, MediaTek, Mitel, MongoDB, Mozilla Firefox, Firefox ESR, and Thunderbird, NVIDIA, Progress Software, Qualcomm, Rockwell Automation, Samsung, SAP, Schneider Electric, Siemens, SonicWall, Splunk, Spring Framework, T-Head, Trend Micro, Zoom, and Zyxel.

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams