Patch Tuesday August 2024: 6 Zero-Day Vulnerabilities Under Active Exploitation, and Windows Downgrade Attacks

Downgrade Attacks, a bundle of zero-days, and multiple vulnerabilities under Active Exploitation will add to the sense of urgency for Patch Tuesday this August. There’s lots to read-up on, so expect lots of links to extra reading. On top of Microsoft releasing fixes for an unusually high number of zero-days and vulnerabilities that are under Active Exploitation, there was also a demonstration of a new Downgrade Attack against Windows that was demonstrated at Black Hat 2024 and Def Con 32—where an NTLM hash attack was also demonstrated.

Microsoft Vulnerabilities

There are six zero-day vulnerabilities that are under Active Exploitation and three that have been publicly disclosed but are not under active exploitation in the wild as of publication. There is also a fourth publicly disclosed vulnerability, CVE-2024-38202 that while announced on August 7 has not yet received a published fix. The total number of vulnerabilities addressed this month is 89; this includes 9 rated as critical. If your teams prioritize based only on severity this month is a great a reminder that prioritizing which vulnerabilities to address based only on severity rating can leave an environment more exposed than you realize, the vulnerabilities under Active Exploitation are only rated as Important and Moderate.

CVE-2024-38178 Scripting Engine Memory Corruption is a vulnerability of note for the fact it dredges up Internet Explorer, or rather Internet Explorer mode for Microsoft Edge. Only requiring a user to click a link makes this trivial to exploit if Microsoft Edge is in Internet Explorer mode. While most environments have moved beyond a need for Internet Explorer there are many line of business applications and tools in use by SMBs that still require the use of this compatibility mode. As this was reported by the National Cyber Security Center (NCSC), Republic of Korea and AhnLab, it’s likely this is under Active Exploitation by nation state backed threat actors. Count this as one more piece of evidence as to why clients need to update business processes that rely on outdated and vulnerable legacy technologies.

CVE-2024-38199 Windows Line Printer Daemon (LPD) Service Remote Code Execution allows for an unauthenticated attacker to send a print task to a Windows Line Printer Daemon service and allow for remote code execution against the target system running the service. This publicly reported zero-day has not been detected in the wild as of publication. While LPD has been deprecated since Windows 2012 and is not enabled or installed by default, the chances of this being in your environment is low but you won’t know unless you check.

CVE-2024-38200 Microsoft Office Spoofing vulnerability is another in a long line of NTLM hash attacks that have surfaced this year. This vulnerability allows for exploitation via a link to an attacker-controlled website, upon clicking the attacker can record the NTLM hashes used during the authentication process. A Feature Flighting from July 30 this provided an alternative fix for this vulnerability in addition to KB5002625 and KB5002570 for Office 2016, as well as click-to-run updates for modern versions of Microsoft Office. If you would like to force an update of Microsoft Office products that support click-to-run update you can leverage items available in the Automation Cookbook:

• Download the Microsoft 365 Update With Version Check for N‑sight
• Download the Microsoft 365 Update With Version Check for N‑central

Related Product

N‑sight RMM

Comece a operar rapidamente, contando com o RMM, projetado para MSPs e departamentos de TI de pequeno porte.

Find out more

Windows OS-based Downgrade Attack

First demonstrated at Black Hat 2024 and Def Con 32, CVE-2024-21302 Windows Secure Kernel Mode Elevation of Privilege and CVE-2024-38202 are two of the zero-day vulnerabilities that exist in Windows systems that were leveraged by security researcher Alon Leviev with SafeBreach in their proof of concept for a Downgrade Attack with a tool named Windows Downdate. This Downgrade Attack allows for “Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components”. This can then place systems into an un-patched state against past vulnerabilities, making them susceptible to attacks leveraging old vulnerabilities.

Please read the research by Alon Leviev here for more details on the Windows Downdate tool and a demo of the attack.

Per Microsoft, “Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.”

While we await additional fixes from Microsoft they have provided recommended actions for an opt-in mitigation available at KB5042562: Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates for CVE-2024-21302. For CVE-2024-38202 there are recommended actions for reducing the risk of exploitation but no mitigation instructions pending a future security update.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Find out more

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd