Microsoft patched 90 new CVEs for August's Patch Tuesday, nine of which were zero-days, with six actively exploited in the wild.
Of the exploited zero-days, five were high-severity and the other one was medium. Microsoft also patched 11 critical bugs, nine of which had CVSS scores released.
Here’s a rundown from Trend Micro’s Zero Day Initiative of the five high-severity bugs exploited in the wild that Microsoft patched today:
- CVE-2024-38178 – Scripting Engine Memory Corruption Vulnerability: This vulnerability requires the target to be using Edge in Internet Explorer mode. Once Edge is in IE mode, ZDI said it just takes a user one click to get code execution. The patch comes with a fix for Windows 11 v24H2, which isn’t generally available. However, ZDI said Microsoft did the update because Copilot+ devices ship with this Windows version.
- CVE-2024-38193 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: This privilege escalation bug lets attackers run code as SYSTEM. Microsoft doesn’t offer any indication of how broadly this flaw is being exploited, but ZDI said considering the source, if it’s not ransomware already, it likely will be soon.
- CVE-2024-38106 – Windows Kernel Elevation of Privilege Vulnerability: This one is also a privilege escalation bug that leads to SYSTEM privileges. ZDI said Microsoft lists the exploit complexity as "high" because the attacker needs to win a race condition, a software bug that occurs when multiple processes or threads try to access and modify shared data at the same time without proper coordination. With attacks in the wild, ZDI said this bug is exploitable.
- CVE-2024-38107 – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability: Yet another exploited privilege escalation flaw that leads to SYSTEM. “Power Dependency” functions as a component of Modern Standby, which was developed to let devices wake from sleep. ZDI said this shows how added features can also add to the potential attack surface.
- CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability: ZDI said it’s odd to see a code execution bug in Project, but one exists and it’s being exploited in the wild. Microsoft offers guidance on how to block macros from running in Office products.
Adobe releases patches for Commerce, other products
Also on Patch Tuesday, Adobe addressed 71 CVEs in its products. ZDI said the largest of these updates was for Adobe Commerce, which includes several fixes for critical code execution bugs. ZDI said the patch for InDesign also corrects many code execution bugs, but they were most concerned with the update for Acrobat and Reader because maliciously crafted PDFs are often used by ransomware gangs.