Microsoft Fixes Six Actively Exploited Bugs

Microsoft has released patches for six actively exploited flaws as part of its regularly scheduled Patch Tuesday release.

The flaws exist in Microsoft’s Project management software and various Windows products, from Windows Scripting Engine to the Windows Power Dependency Coordinator component responsible for managing system power usage. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to its Known Exploited Vulnerabilities catalog and gave federal government agencies a three-week deadline for applying the patches. According to CISA, it is “unknown” whether the flaws are being used in ransomware campaigns. Microsoft also did not specify the exploitation activities surrounding these flaws.

“Microsoft released security updates to address vulnerabilities in multiple products,” according to CISA on Tuesday. “A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”

One of the more serious flaws is an important-severity Microsoft Project vulnerability (CVE-2024-38189), which ranks 8.8 out of 10 on the CVSS scale and could enable remote code execution. According to Microsoft’s security advisory, in order to exploit the flaw an attacker would need to convince a target to open a malicious file, either via a phishing email or an attacker-controlled website.

“Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the Block macros from running in Office files from the Internet policy is disabled and VBA Macro Notification Settings are not enabled allowing the attacker to perform remote code execution,” according to Microsoft.

Microsoft also patched an important-severity memory corruption Scripting Engine flaw (CVE-2024-38178), which could allow unauthenticated attackers to remotely execute code. In order to exploit the flaw, the attacker would need authenticated clients to click a specially crafted URL, and they would need to use Edge in Internet Explorer mode, according to Microsoft. Notably, Microsoft credited the National Cyber Security Center for the Republic of Korea (in addition to AhnLab) with reporting the bug.

Several actively exploited Windows flaws were also fixed, including an elevation-of-privilege bug (CVE-2024-38193) in the Windows Ancillary Function Driver for WinSock, which, if exploited successfully, could give an attacker SYSTEM privileges. Another elevation-of-privilege bug (CVE-2024-38107), which exists in the Windows Power Dependency Coordinator, could also grant SYSTEM privileges.

Microsoft said it fixed an actively exploited elevation-of-privilege flaw in Windows Kernel (CVE-2024-38106). According to Microsoft, “successful exploitation of this vulnerability requires an attacker to win a race condition.” Finally, a moderate-severity flaw (CVE-2024-38213) in a security feature of Windows Mark of the Web, Microsoft's identifier for potentially unsafe files, was fixed.

For the latter issue, “an attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience,” according to Microsoft. “An attacker must send the user a malicious file and convince them to open it.”

Overall, Microsoft fixed dozens of vulnerabilities in its August Patch Tuesday updates. Outside of the six actively exploited bugs, these included other serious vulnerabilities, like a remote code execution flaw in Windows TCP/IP (CVE-2024-38063). According to Microsoft, an unauthenticated attacker who repeatedly sends IPv6 packets, including specially crafted ones, to a Windows machine could achieve remote code execution.