Patch Tuesday, Microsoft's monthly security update report, brought 90 CVEs, including some vulnerabilities that were being actively exploited.
Some vulnerabilities originated in Chromium, meaning both Microsoft Edge and Google Chrome may have been affected. Below are the most critical flaws and patches disclosed by Microsoft on August 13.
Six zero-day flaws had been exploited
Threat actors had already taken advantage of six zero-day exploits in particular:
- CVE-2024-38106: an elevation of privilege vulnerability in the Windows kernel.
- CVE-2024-38107: an elevation of privilege vulnerability in the Windows Power Dependency Coordinator.
- CVE-2024-38178: where remote code execution could have been possible if a user clicked a link using Edge in Internet Explorer mode.
- CVE-2024-38189: where opening a malicious Microsoft Office Project file under certain conditions could allow remote code execution.
- CVE-2024-38193: an elevation of privilege vulnerability that could grant an attacker SYSTEM privileges.
- CVE-2024-38213: where an attacker could bypass the SmartScreen protection that appears when a user downloads something from the Internet.
SEE: Organizations may want to evaluate how their privacy and data storage policies intersect with Microsoft's Copilot AI.
NIST labels two vulnerabilities as “critical”
Other notable items in this month's Patch Tuesday were those rated critical by the NIST National Vulnerability Database's Common Vulnerabilities Scoring System. These were:
- CVE-2024-38140: a remote code execution vulnerability that could occur if a program used a Pragmatic General Multicast port to listen.
- CVE-2024-38063: a remote code execution vulnerability enabled by repeatedly sending malicious IPv6 packets.
Another vulnerability, CVE-2024-38202, is notable because Microsoft has not yet released a patch for it. To mitigate this elevation of privilege vulnerability in Windows Update, Redmond recommends auditing user access to objects, operations, and files.
Complete steps to protect against this vulnerability can be found in the Recommended Actions section of the vulnerability listing.
A group of vulnerabilities originate in Chromium
Business users worldwide should use the most up-to-date versions of Edge and Google Chrome, as some of the vulnerabilities originate in the open-source Chromium software used in both browsers.
The relevant Chrome and Chromium vulnerabilities are as follows:
- MITRE CVE 7532: Possible out-of-bounds memory access in ANGLE, a graphics engine layer in Chrome.
- MITRE CVE 7533: a use-after-free exploit in Chrome on iOS.
- MITRE CVE 7534: Heap buffer overflow in design.
- MITRE CVE 7535: Bad implementation in V8.
- MITRE CVE 7536: a use-after-free exploit in WebAudio.
- MITRE CVE 7550: Type confusion in V8.
- MITRE CVE 38218: an HTML-based memory corruption vulnerability in Microsoft Edge.
- MITRE CVE 38219: a remote code execution vulnerability in Microsoft Edge.
Attackers could have potentially used these vulnerabilities to execute arbitrary code before they were patched.
Reminder: Keep your browsers and operating systems up to date
Most of the exploits mentioned in the patch report are covered by the August security updates, so the only action administrators need to take in response is to stay up to date.
Similarly, the mitigation for these Chromium flaws is to update Microsoft Edge or Google Chrome to the latest versions.
In Edge, check which version you’re running and check for updates by going to the (…) drop-down menu on the right-hand side. Select “Help” and “Feedback,” then select “Microsoft Edge.”
In Chrome, select “About Google Chrome” from the menu bar or select the three-dot menu (three vertical dots) at the top right of the window. From there, select “Help” and then “About Google Chrome.”
