Today’s VERT Alert addresses Microsoft’s August 2024 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1119 as soon as coverage is completed.
In-The-Wild & Disclosed CVEs
CVE-2024-38178 describes a vulnerability in the Microsoft Edge scripting engine when run in Internet Explorer Mode. In addition to requiring that Edge be running in Internet Explorer Mode, an attacker must convince a user to click on a link to load the malicious code. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Windows Ancillary Function Driver for WinSock could allow attackers to gain SYSTEM privileges. Microsoft has reported this vulnerability as Exploitation Detected.
Windows uses the Mark of the Web (MoTW) to identify files downloaded from the Internet. This is done by setting the NTFS Zone.Identifier Alternate Data Stream (ADS). SmartScreen reads this mark to warn users that they are about to run a potentially dangerous file. This vulnerability allows malicious files to bypass SmartScreen. Microsoft has reported this vulnerability as Exploitation Detected.
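The following PowerShell script is an added example, not code from the VERT alert or from Microsoft, showing how a defender can audit the Zone.Identifier stream described above. It assumes an NTFS volume and Windows PowerShell 5.1 or later (the `-Stream` parameter of Get-Content), and that the stream follows the usual INI-style layout (`[ZoneTransfer]`, `ZoneId=`, `ReferrerUrl=`, `HostUrl=`). Files that arrived from the Internet but carry no mark are exactly the ones SmartScreen will not warn about, so the script lists them separately.

```powershell
# Added example: audit Mark of the Web (Zone.Identifier ADS) on files in a folder.
# Assumptions: NTFS volume, Windows PowerShell 5.1+ (Get-Content -Stream is Windows-only).
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $file = $_
        # Read the alternate data stream; a file with no MoTW has no stream and returns nothing.
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($null -eq $ads) {
            [pscustomobject]@{ File = $file.Name; HasMotw = $false; ZoneId = $null; HostUrl = $null }
            return
        }
        # The stream is INI-style text: "[ZoneTransfer]" followed by key=value lines.
        $fields = @{}
        foreach ($line in $ads) {
            if ($line -match '^(?<k>[^=\[]+)=(?<v>.*)$') { $fields[$matches.k] = $matches.v }
        }
        [pscustomobject]@{
            File    = $file.Name
            HasMotw = $true
            ZoneId  = $fields['ZoneId']    # 3 = Internet zone, 4 = Restricted sites
            HostUrl = $fields['HostUrl']   # may be absent for some download paths
        }
    }
}

# Usage: list downloaded files that carry no mark, i.e. the ones SmartScreen will not screen.
$status = Get-MotwStatus -Path "$env:USERPROFILE\Downloads"
$status | Where-Object { -not $_.HasMotw } | Format-Table -AutoSize
```

Run it against any folder that receives downloads (browser, mail client, chat client save locations) after applying the update; an unmarked executable or archive that you know came from the Internet is worth a second look regardless of which application wrote it.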
This vulnerability, a privilege escalation in the Windows Kernel, requires that the attacker win a race condition to successfully exploit it. Successfully winning the race condition would allow the attacker to gain SYSTEM level access. Microsoft has reported this vulnerability as Exploitation Detected.
CVE-2024-38107 is a vulnerability in the Windows Power Dependency Coordinator, which is responsible for managing power usage including waking from sleep mode. This vulnerability, which has seen active exploitation, could grant an attacker SYSTEM privileges. Microsoft has reported this vulnerability as Exploitation Detected.
This vulnerability in Microsoft Project, which is seeing active exploitation, is only exploitable on systems where users have disabled the mitigation protections that should prevent exploitation. Microsoft suggests that, if you have disabled those mitigations, you should at least enable VBA macro notifications. Microsoft has reported this vulnerability as Exploitation Detected.
An unauthenticated attacker could send a print task across the network to the Windows Line Printer Daemon (LPD), triggering code execution on the server. The Windows LPD has been deprecated since Windows Server 2012 and is disabled by default, which mitigates the risk of this vulnerability. Admins should confirm that they have not enabled Windows LPD; if they have, they should either disable it immediately or install today’s update. Microsoft has reported this vulnerability as Exploitation Less Likely.
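As an added example (not part of the VERT alert), the PowerShell below performs the LPD check the paragraph asks for. It assumes a Windows Server host with the ServerManager module, and that the LPD Service is registered under the feature name `LPD-Print-Service` and the service name `LPDSVC`; both names are assumptions to verify against your own hosts. Because names can differ across editions, it also checks for a listener on TCP/515, the well-known LPD port, which catches the daemon regardless of how it was installed.

```powershell
# Added example: confirm the Line Printer Daemon is not installed, running, or listening.
# Assumptions: feature name 'LPD-Print-Service' and service name 'LPDSVC' (verify locally);
# Get-WindowsFeature requires the ServerManager module (Windows Server only).
function Test-LpdExposure {
    $result = [ordered]@{
        FeatureInstalled = $false
        ServiceState     = 'NotPresent'
        Port515Listening = $false
    }
    # Role/feature check; silently skipped on client editions without ServerManager.
    $feature = Get-WindowsFeature -Name 'LPD-Print-Service' -ErrorAction SilentlyContinue
    if ($feature) { $result.FeatureInstalled = [bool]$feature.Installed }
    # Service check works on any Windows edition.
    $svc = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceState = $svc.Status.ToString() }
    # Name-independent check: is anything accepting LPD traffic on TCP/515?
    $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue
    $result.Port515Listening = [bool]$listener
    [pscustomobject]$result
}

$status = Test-LpdExposure
$status | Format-List
if ($status.FeatureInstalled -or $status.ServiceState -eq 'Running' -or $status.Port515Listening) {
    Write-Warning 'LPD is present on this host: disable it or apply the August 2024 update.'
    # Remediation steps, to be run deliberately rather than automatically:
    #   Stop-Service -Name LPDSVC; Set-Service -Name LPDSVC -StartupType Disabled
    #   Uninstall-WindowsFeature -Name LPD-Print-Service
}
```

Run it across the print servers first, since those are the hosts where someone may have enabled the legacy daemon on purpose for an old UNIX or network-printer client.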
While updates for CVE-2024-38200 were released as part of the August Patch Tuesday drop, Microsoft had already enabled a fix for this issue on July 30, meaning that all users of supported versions of Office were protected. Microsoft still recommends installing the August patch to be completely protected. Microsoft has reported this vulnerability as Exploitation Less Likely.
This vulnerability, disclosed at Black Hat, allows attackers to perform a downgrade attack against Windows system files and has received quite a bit of press attention. Successful exploitation against Windows systems supporting Virtualization Based Security (VBS) allows the attacker to reintroduce vulnerabilities, circumvent VBS security, and exfiltrate data protected by VBS. Microsoft has released an opt-in mitigation in the August security update. Before opting in to the mitigation, administrators should review the associated KB to understand the risks associated with applying it. Microsoft has reported this vulnerability as Exploitation Less Likely.
This vulnerability was disclosed alongside CVE-2024-21302. It allows a low-privilege user to reintroduce vulnerabilities or bypass some VBS features. To attack this successfully, the low-privilege user must convince someone with appropriate permissions to perform a system restore, which triggers the vulnerability. Currently, no updates or mitigations are available. Microsoft has reported this vulnerability as Exploitation Less Likely.
CVE Breakdown by Tag
While the historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs per tag. Vulnerabilities are also color coded to aid in identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted
| Tag | CVE Count | CVEs |
|---|---|---|
| Windows Secure Boot | 3 | CVE-2022-2601, CVE-2023-40547, CVE-2022-3775 |
| Azure Stack | 2 | CVE-2024-38108, CVE-2024-38201 |
| Microsoft Bluetooth Driver | 1 | CVE-2024-38123 |
| Windows Network Virtualization | 2 | CVE-2024-38159, CVE-2024-38160 |
| Windows Mobile Broadband | 1 | CVE-2024-38161 |
| .NET and Visual Studio | 2 | CVE-2024-38167, CVE-2024-38168 |
| Microsoft Office Excel | 2 | CVE-2024-38172, CVE-2024-38170 |
| Windows Scripting | 1 | CVE-2024-38178 |
| Windows Kernel-Mode Drivers | 5 | CVE-2024-38184, CVE-2024-38191, CVE-2024-38185, CVE-2024-38186, CVE-2024-38187 |
| Windows Ancillary Function Driver for WinSock | 2 | CVE-2024-38193, CVE-2024-38141 |
| Windows Common Log File System Driver | 1 | CVE-2024-38196 |
| Microsoft Teams | 1 | CVE-2024-38197 |
| Windows Print Spooler Components | 1 | CVE-2024-38198 |
| Line Printer Daemon Service (LPD) | 1 | CVE-2024-38199 |
| Microsoft Edge (Chromium-based) | 12 | CVE-2024-6990, CVE-2024-7256, CVE-2024-7255, CVE-2024-7536, CVE-2024-7535, CVE-2024-7550, CVE-2024-7532, CVE-2024-7534, CVE-2024-7533, CVE-2024-38218, CVE-2024-38219, CVE-2024-38222 |
| Windows Mark of the Web (MOTW) | 1 | CVE-2024-38213 |
| Windows Secure Kernel Mode | 2 | CVE-2024-21302, CVE-2024-38142 |
| Microsoft Office | 2 | CVE-2024-38084, CVE-2024-38200 |
| Windows TCP/IP | 1 | CVE-2024-38063 |
| Azure Connected Machine Agent | 2 | CVE-2024-38098, CVE-2024-38162 |
| Windows Kernel | 5 | CVE-2024-38106, CVE-2024-38127, CVE-2024-38133, CVE-2024-38151, CVE-2024-38153 |
| Windows Power Dependency Coordinator | 1 | CVE-2024-38107 |
| Windows Kerberos | 1 | CVE-2024-29995 |
| Windows IP Routing Management Snapin | 3 | CVE-2024-38114, CVE-2024-38115, CVE-2024-38116 |
| Windows NTFS | 1 | CVE-2024-38117 |
| Microsoft Local Security Authority Server (lsasrv) | 2 | CVE-2024-38118, CVE-2024-38122 |
| Windows Routing and Remote Access Service (RRAS) | 6 | CVE-2024-38121, CVE-2024-38128, CVE-2024-38130, CVE-2024-38154, CVE-2024-38120, CVE-2024-38214 |
| Microsoft Streaming Service | 3 | CVE-2024-38125, CVE-2024-38134, CVE-2024-38144 |
| Windows Network Address Translation (NAT) | 2 | CVE-2024-38126, CVE-2024-38132 |
| Windows Clipboard Virtual Channel Extension | 1 | CVE-2024-38131 |
| Windows NT OS Kernel | 1 | CVE-2024-38135 |
| Windows Resource Manager | 2 | CVE-2024-38136, CVE-2024-38137 |
| Windows Deployment Services | 1 | CVE-2024-38138 |
| Reliable Multicast Transport Driver (RMCAST) | 1 | CVE-2024-38140 |
| Windows WLAN Auto Config Service | 1 | CVE-2024-38143 |
| Windows Layer-2 Bridge Network Driver | 2 | CVE-2024-38145, CVE-2024-38146 |
| Windows DWM Core Library | 2 | CVE-2024-38147, CVE-2024-38150 |
| Windows Transport Security Layer (TLS) | 1 | CVE-2024-38148 |
| Microsoft WDAC OLE DB provider for SQL | 1 | CVE-2024-38152 |
| Windows Security Center | 1 | CVE-2024-38155 |
| Azure IoT SDK | 2 | CVE-2024-38157, CVE-2024-38158 |
| Windows Compressed Folder | 1 | CVE-2024-38165 |
| Microsoft Office Visio | 1 | CVE-2024-38169 |
| Microsoft Office PowerPoint | 1 | CVE-2024-38171 |
| Microsoft Office Outlook | 1 | CVE-2024-38173 |
| Windows App Installer | 1 | CVE-2024-38177 |
| Windows SmartScreen | 1 | CVE-2024-38180 |
| Microsoft Office Project | 1 | CVE-2024-38189 |
| Azure CycleCloud | 1 | CVE-2024-38195 |
| Windows Update Stack | 2 | CVE-2024-38163, CVE-2024-38202 |
| Microsoft Dynamics | 2 | CVE-2024-38211, CVE-2024-38166 |
| Windows Cloud Files Mini Filter Driver | 1 | CVE-2024-38215 |
| Microsoft Copilot Studio | 1 | CVE-2024-38206 |
| Windows Initial Machine Configuration | 1 | CVE-2024-38223 |
| Azure Health Bot | 1 | CVE-2024-38109 |
| Microsoft Windows DNS | 1 | CVE-2024-37968 |
| Mariner | 84 | CVE-2022-36648, CVE-2007-4559, CVE-2019-9674, CVE-2019-3833, CVE-2024-6655, CVE-2024-2466, CVE-2024-39331, CVE-2021-43565, CVE-2024-39277, CVE-2024-38780, CVE-2024-39292, CVE-2024-39482, CVE-2024-39484, CVE-2024-39495, CVE-2024-40902, CVE-2024-41110, CVE-2024-37298, CVE-2024-0397, CVE-2021-3929, CVE-2021-4158, CVE-2021-4206, CVE-2021-4207, CVE-2022-26353, CVE-2022-35414, CVE-2023-3354, CVE-2022-3872, CVE-2022-4144, CVE-2023-45288, CVE-2024-38571, CVE-2024-42077, CVE-2023-29404, CVE-2023-29402, CVE-2024-39473, CVE-2024-26900, CVE-2024-39474, CVE-2024-42073, CVE-2024-42074, CVE-2024-42075, CVE-2024-42078, CVE-2017-18207, CVE-2019-3816, CVE-2019-20907, CVE-2021-23336, CVE-2017-17522, CVE-2024-0853, CVE-2024-2004, CVE-2024-2398, CVE-2024-38662, CVE-2024-36288, CVE-2024-39480, CVE-2024-39476, CVE-2024-39475, CVE-2024-37371, CVE-2024-26461, CVE-2024-37370, CVE-2024-6104, CVE-2024-6257, CVE-2021-3750, CVE-2022-0358, CVE-2022-26354, CVE-2022-3165, CVE-2022-2962, CVE-2024-23722, CVE-2024-40898, CVE-2024-38583, CVE-2024-39493, CVE-2024-42068, CVE-2024-39489, CVE-2024-42070, CVE-2024-42076, CVE-2024-42080, CVE-2024-38428, CVE-2024-42082, CVE-2022-41722, CVE-2022-29526, CVE-2022-48788, CVE-2023-52340, CVE-2022-48841, CVE-2024-39485, CVE-2024-39483, CVE-2024-42071, CVE-2024-42072, CVE-2024-42237, CVE-2024-42083 |
Other Information
At the time of publication, there were no new advisories included with the August Security Guidance.