* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

You may have noticed I didn’t talk about the sixth bug under active attack. That’s because the ZDI researcher who found it, Peter Girnus, has a full blog on it coming out this Thursday. Stay tuned for all the details.

Moving on to the other code execution bugs, we’re greeted with three different CVSS 9.8 bugs right off the top. The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target. That means it’s wormable. You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on just about everything. It’s a similar attack scenario for the Reliable Multicast Transport Driver (RMCAST), but in this case, you need a service listening as a receiver on PGM to be vulnerable. That’s a bit less likely. The Line Printer Daemon (LPD) has a bug with a similar consequence, but LPD isn’t installed by default (and shouldn’t be reachable from the Internet). That’s why it’s listed as Important rather than Critical despite its CVSS 9.8 rating. However, if you are running LPD, definitely treat this as a Critical update.

Looking at the other code execution bugs, thankfully most are more mundane. Office features heavily with typical open-and-own bugs. One that does stand out is the patch for Outlook. The Preview Pane is an attack vector; however, the attacker needs access to the target Outlook account for exploitation. Two bugs in the Network Virtualization component could cause some grief.
Microsoft states, “By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.” If you’re using virtualization, definitely test and deploy that one quickly. The bug in the Mobile Broadband Driver requires physical access. There are also a lot of RCE bugs in routing protocols, but many of these are older protocols where exploitation would be highly unlikely. I would also pay attention to the SmartScreen bug, as that has proven to be a popular target for exploitation. Finally, the bug in Azure CycleCloud could allow an authenticated attacker to acquire the storage account credentials and runtime data. These could then be used to create a malicious script to get remote code execution on any cluster in the CycleCloud instance.

There are 36 fixes for Elevation of Privilege (EoP) bugs in this release, including those already mentioned. However, most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. There are also a couple of cloud-based bugs, like the one in Azure Health Bot, that require no action and are just being documented publicly. One of the kernel-mode driver bugs could be used for a sandbox escape. The bug in the Azure Stack Hub would involve some social engineering as the attacker would need to send a malicious JSON file to a target, but NOT have the target open and review it. Seems unlikely. The big news for privilege escalation bugs comes from Black Hat and DEFCON as a researcher presented how to downgrade certain files in the OS to a vulnerable state and then exploit them. We’ve seen downgrade attacks in other products, but it’s certainly interesting research to find one in the Secure Kernel Mode component. The researcher also demonstrated a downgrade attack in the Update Stack.
While the research is public, there are currently no known exploits targeting these vulnerabilities.

Speaking of bugs disclosed during Hacker Summer Camp, one of the five Spoofing fixes was actually documented back on August 8. It’s listed as Office Spoofing, but it results in NTLM relaying. There’s still no official fix for this, but Microsoft states people are not affected, “on all in-support versions of Microsoft Office and Microsoft 365,” due to a change in Feature Flighting. I would still test and update quickly once a patch is available. The bug in Azure Stack Hub is a simple cross-site scripting (XSS) bug. The bug in Teams for iOS allows attackers to appear as someone else within Teams. You’ll need to download an updated client to resolve this one. The App Installer bug could trick users into installing software they didn’t intend to install. There are no real details provided for the spoofing bug in DNS, but these usually result in the DNS server providing false results to queries.

There are only nine information disclosure bugs receiving fixes this month, and most only result in info leaks consisting of unspecified memory contents. There are a few exceptions. The bug in RRAS could disclose the ever-ethereal “sensitive information”. The bug in Copilot could also disclose sensitive info, but this has already been corrected and is only being documented. The bug in .NET and Visual Studio could disclose targeted emails, but the attack scenario isn’t clear. The bug in Edge (Chromium-based) is more interesting. An attacker could expose Edge WebUI permissions. This would allow them to access target data from microphones and cameras.

The August release includes fixes for a handful of Denial-of-Service (DoS) bugs. However, Microsoft again provides no additional information about these vulnerabilities. There’s also one bug in the ill-defined “Tampering” category. It requires a user to open a specially crafted file, yet it also lists the attack vector as Network.
Maybe the file needs to be on a shared drive? Microsoft also does not provide the result of the tampering. It’s possible that compressed files could be crafted to evade detection from EDR/XDR. We’ve seen similar tactics used by ransomware in the past; however, without further details from Microsoft, this is all just speculation.

Finally, the August release is rounded out by two XSS bugs in Microsoft Dynamics (on-premises).

There are no new advisories in this month’s release, but there was an update to the servicing stack.

Looking Ahead

The next Patch Tuesday of 2024 will be on September 10, and I’ll return with details and pumpkin-spiced patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!