Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
CVE-2024-38189 - 8.8 - Microsoft Project Remote Code Execution Vulnerability
One of the six CVEs Microsoft flags as “Exploitation Detected”, CVE-2024-38189 affects Microsoft Project files. An attacker creates a malicious Project file and delivers it to the victim, either as an email attachment or as a link to a file hosted on a website. If the victim downloads and opens the file, the attacker can execute code on the target host. This is no different from many common phishing attacks, where threat actors name their weaponized documents to play on human behaviour and socially engineer the recipient into opening the file. Examples include fake invoices, internal salary documents, and thematic lures aimed at specific individuals in more targeted attacks.
For mitigation, Microsoft states that enabling the “Block macros from running in Office files from the Internet” policy prevents the exploit from succeeding. Organizations that cannot patch this vulnerability quickly should review this policy and ensure it is enabled. Note that the policy keys off the Mark of the Web, so it does not protect against a file that arrives without the mark.
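The following script is an added example, not code from the original post or from Microsoft. It audits (and with `-Enforce`, sets) the “Block macros from running in Office files from the Internet” policy for Microsoft Project, the application this CVE targets. It assumes the Office 2016+ registry layout (version key `16.0`), that Project's policy subkey is named `ms project`, and that the policy value is `blockcontentexecutionfrominternet`; check those names against your own Group Policy templates before relying on it.

```powershell
# Added example, not from the original post or Microsoft. Audits and optionally sets the
# "Block macros from running in Office files from the Internet" policy for Microsoft Project.
# Assumptions: Office 2016+ registry layout (16.0), Project policy subkey "ms project",
# policy value name "blockcontentexecutionfrominternet" (DWORD 1 = enabled).

param(
    [switch]$Enforce   # write the policy value if it is missing or not set to 1
)

# Group Policy-managed Office settings live under HKCU\Software\Policies (per-user scope).
# The user-editable Trust Center equivalent lives under HKCU\Software\Microsoft\Office instead.
$policyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\ms project\security'
$valueName  = 'blockcontentexecutionfrominternet'

function Get-ProjectMacroBlockState {
    # Returns $true only when the policy value exists and is exactly 1
    $current = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    return ($current -eq 1)
}

if (Get-ProjectMacroBlockState) {
    Write-Output "[OK]   $policyPath\$valueName = 1 (macros in Internet-sourced Project files are blocked)"
} else {
    Write-Output "[WARN] $policyPath\$valueName is not set to 1 (policy not enforced for this user)"
    if ($Enforce) {
        # The Policies key usually does not exist until a policy has been applied
        if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
        New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "[SET]  $policyPath\$valueName = 1"
    }
}
```

Run it as the user whose Office profile you are checking; a domain-wide deployment should go through the Office ADMX templates rather than direct registry writes, which this script only uses to show exactly what the policy controls.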
CVE-2024-38213 - 6.5 - Windows Mark of the Web Security Feature Bypass Vulnerability
One of the six CVEs Microsoft flags as “Exploitation Detected”, CVE-2024-38213 affects the Windows Mark of the Web (MoTW) feature. MoTW is an extra layer of defense in depth that “marks” files downloaded from the internet as untrusted. It is most visible as the SmartScreen “Windows protected your PC” prompt that appears when opening a file carrying the mark, and it is also what triggers Office Protected View and the macro-blocking policies that apply to Internet-sourced files. This vulnerability is not exploitable on its own and is typically used as one link in an exploit chain; for example, an attacker prepares a malicious document or executable so that it evades the mark before sending the file by email or distributing it from a compromised website.
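To make the mark concrete, here is an added example (not from the original post) that inspects the `Zone.Identifier` alternate data stream Windows writes to downloaded files on NTFS volumes. A file that came from the internet but has no stream, or a stream without `ZoneId=3` or `4`, is exactly the state a MoTW bypass leaves behind, so this is a quick way to spot files that slipped through. It assumes an NTFS volume and defaults to the current user's Downloads folder.

```powershell
# Added example, not from the original post. Lists the Mark of the Web state of every file
# in a folder by reading the Zone.Identifier alternate data stream (NTFS only).
# Assumes the standard URLZONE numbering written by Windows and urlmon.

param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

# URLZONE values; 3 (Internet) and 4 (Restricted) are what trigger SmartScreen and Protected View
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwState {
    param([string]$Path)

    # Get-Item -Stream returns stream metadata; a missing stream means no mark at all
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = (Split-Path $Path -Leaf); ZoneId = $null; Zone = 'NO MOTW'; ReferrerUrl = $null; HostUrl = $null }
    }

    # The stream body is INI-style text: [ZoneTransfer], ZoneId=3, ReferrerUrl=..., HostUrl=...
    $body   = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw
    $zoneId = if ($body -match '(?m)^ZoneId=(\d+)') { [int]$Matches[1] } else { $null }

    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        ZoneId      = $zoneId
        Zone        = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'MALFORMED' }
        ReferrerUrl = if ($body -match '(?m)^ReferrerUrl=(.+)$') { $Matches[1].Trim() } else { $null }
        HostUrl     = if ($body -match '(?m)^HostUrl=(.+)$')     { $Matches[1].Trim() } else { $null }
    }
}

Get-ChildItem -Path $Folder -File |
    ForEach-Object { Get-MotwState -Path $_.FullName } |
    Sort-Object Zone |
    Format-Table -AutoSize
```

Files a user deliberately unblocked (via the file Properties dialog or `Unblock-File`) also show as `NO MOTW`, so treat the output as a triage list rather than a verdict; the interesting cases are files with an Internet-origin `HostUrl` that nonetheless carry no mark, or archives whose extracted contents lack the mark the archive itself carried.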
CVE-2024-38178 - 7.5 - Scripting Engine Memory Corruption Vulnerability
One of the six CVEs Microsoft flags as “Exploitation Detected”, CVE-2024-38178 affects Microsoft Edge when it is running in Internet Explorer mode. While this is not the default mode for most users, the fact that the vulnerability is being actively exploited suggests that attackers can either force this mode or have identified organizations (or users) that run this configuration.
Internet Explorer mode exists for older websites and applications that were built specifically for Internet Explorer and do not work in modern HTML5 browsers such as Chromium-based ones. For those sites, organizations or users can enable this legacy mode to maintain compatibility.
If Edge is in a vulnerable configuration, all an attacker needs to do is convince a user to click a specially crafted URL or otherwise redirect them to a malicious site. Doing so gives the remote attacker code execution on the victim machine, allowing them to run commands, deploy malware, or use living-off-the-land techniques to avoid detection while they enumerate the host and network.
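Because the exposure depends entirely on whether IE mode is enabled, the first question for a defender is which hosts actually run it. The script below is an added example (not from the original post) that reports the Edge IE mode policy state on a host. It assumes the documented Edge policy names `InternetExplorerIntegrationLevel` (0 = None, 1 = IE mode, 2 = NeedIE), `InternetExplorerIntegrationSiteList`, and `InternetExplorerIntegrationReloadInIEModeAllowed`, and that machine policy under HKLM takes precedence over HKCU.

```powershell
# Added example, not from the original post. Reports whether Microsoft Edge on this host is
# configured for Internet Explorer mode, the configuration CVE-2024-38178 requires.
# Assumptions: Edge policy value names as documented by Microsoft; HKLM policy wins over HKCU.

$levelNames  = @{ 0 = 'None'; 1 = 'IEMode'; 2 = 'NeedIE' }
$policyRoots = @(
    'HKLM:\Software\Policies\Microsoft\Edge',   # machine policy (checked first)
    'HKCU:\Software\Policies\Microsoft\Edge'    # user policy
)

function Get-EdgeIeModeState {
    $state = [ordered]@{
        Source           = 'Not configured'
        IntegrationLevel = 'None'
        SiteList         = $null
        UserReloadInIe   = $null   # users can push arbitrary pages into IE mode when this is 1
        Exposed          = $false
    }
    foreach ($root in $policyRoots) {
        $p = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.InternetExplorerIntegrationLevel) { continue }

        $level = [int]$p.InternetExplorerIntegrationLevel
        $state.Source           = $root
        $state.IntegrationLevel = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "Unknown($level)" }
        $state.SiteList         = $p.InternetExplorerIntegrationSiteList
        $state.UserReloadInIe   = $p.InternetExplorerIntegrationReloadInIEModeAllowed
        # Level 1 renders listed sites with the MSHTML engine; level 2 hands them to IE11 itself.
        # Either way the legacy scripting engine is reachable, so the host is in scope for this CVE.
        $state.Exposed = ($level -eq 1 -or $level -eq 2)
        break   # first root with a value wins
    }
    return [pscustomobject]$state
}

$ieMode = Get-EdgeIeModeState
$ieMode | Format-List

if ($ieMode.Exposed) {
    Write-Warning "IE mode is enabled via $($ieMode.Source); site list: $($ieMode.SiteList)"
    if ($ieMode.UserReloadInIe -eq 1) {
        Write-Warning 'Users may reload any page in IE mode, so exposure is not limited to the site list'
    }
}
```

Feed the output into your inventory: hosts where `Exposed` is true need the patch first, and a site list that points at an internet-reachable URL or allows user-initiated reloads widens the set of pages an attacker can get rendered by the legacy engine.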
CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 Elevation of Privilege Vulnerabilities
Three of the six CVEs Microsoft flags as “Exploitation Detected” are local privilege escalation vulnerabilities. Tracked as CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193, they affect different components of the core operating system: the Windows kernel, power management, and the Ancillary Function Driver for WinSock (AFD.sys), respectively.
As local privilege escalation vulnerabilities, these require the attacker to have already gained code execution on the victim machine, whether through lateral movement or another exploit such as a malicious document. An attacker who exploits one of them gains SYSTEM privileges on the host. This is the highest level of access on the local machine and enables follow-on actions such as disabling security tools or dumping credentials to move laterally across the network or gain domain-level access.