Broadcast United

Microsoft fixes 6 actively exploited zero-day vulnerabilities

Broadcast United News Desk

Microsoft’s monthly “Patch Tuesday” security update addressed 90 CVEs, including some vulnerabilities that are being actively exploited.

Some of the vulnerabilities originate from Chromium, which means both Microsoft Edge and Google Chrome could be affected. Here are the most serious vulnerabilities and patches disclosed by Microsoft on August 13.

Six zero-day vulnerabilities have been exploited

Threat actors have already exploited six zero-day vulnerabilities:

  • CVE-2024-38106: An elevation of privilege vulnerability in the Windows kernel.
  • CVE-2024-38107: An elevation of privilege vulnerability in the Windows Power Dependency Coordinator.
  • CVE-2024-38178: If a user clicks the link using Edge in Internet Explorer mode, a remote code execution scenario is possible.
  • CVE-2024-38189: Opening a malicious Microsoft Office Project file under certain conditions could enable remote code execution.
  • CVE-2024-38193: A privilege escalation vulnerability could allow an attacker to gain SYSTEM privileges.
  • CVE-2024-38213: An attacker could bypass SmartScreen protections that appear when a user downloads content from the Internet.

NIST labels two vulnerabilities as “critical”

Other notable items in this month’s Patch Tuesday were rated critical under the Common Vulnerability Scoring System in NIST’s National Vulnerability Database. These are:

  • CVE-2024-38140: If a program uses the Pragmatic General Multicast port for listening, a remote code execution vulnerability may occur.
  • CVE-2024-38063: A remote code execution vulnerability caused by sending repeated malicious IPv6 packets.

Another vulnerability, CVE-2024-38202, is notable because Microsoft has not yet released a patch for it. To mitigate this privilege escalation vulnerability in Windows Update, Redmond recommends auditing user access to objects, operations, and files.

Complete protection steps for this vulnerability can be found in the Suggested Action section of the vulnerability listing.

A set of vulnerabilities exists in Chromium

Business users around the world should use the latest versions of Edge and Google Chrome, as some of the vulnerabilities stem from the Chromium open-source software used by these two browsers.

The relevant Chrome and Chromium vulnerabilities are as follows:

  • MITRE CVE 7532: Out-of-bounds memory access in ANGLE, the graphics engine layer in Chrome.
  • MITRE CVE 7533: A use-after-free vulnerability in Chrome on iOS.
  • MITRE CVE 7534: Heap buffer overflow in layout.
  • MITRE CVE 7535: Inappropriate implementation in V8.
  • MITRE CVE 7536: Use-after-free vulnerability in WebAudio.
  • MITRE CVE 7550: Type confusion in V8.
  • MITRE CVE 38218: HTML-based memory corruption vulnerability in Microsoft Edge.
  • MITRE CVE 38219: A remote code execution vulnerability in Microsoft Edge.

Until patched, an attacker could potentially exploit these vulnerabilities to execute arbitrary code.

Reminder: Keep your browser and operating system up to date

Most of the vulnerabilities mentioned in the patch advisory have been addressed in the August security update, so the only action administrators need to take is to stay updated.

Again, the mitigation for these Chromium vulnerabilities is to update Microsoft Edge or Google Chrome to the latest version.

In Edge, check which version you’re running and look for updates using the meatball menu (…) on the right. Select Help & Feedback, then select Microsoft Edge.

In Chrome, select “About Google Chrome” in the menu bar, or select the kebab menu (three vertical dots) in the upper-right corner of the window. From there, select “Help,” then select “About Google Chrome.”
