Microsoft's Patch Tuesday has disclosed a significant number of security vulnerabilities in its products, with a total of 102 bugs listed this month. Of these, six have already been exploited by attackers, and another four are publicly known but not yet exploited. The update also includes a dozen bugs from third-party vendors, underlining the importance of keeping software secure and up-to-date.
Six Actively Exploited Vulnerabilities
Let's delve into the six vulnerabilities currently under active exploitation:
CVE-2024-38189: This bug is a Microsoft Project Remote Code Execution (RCE) Vulnerability with a CVSS rating of 8.8. To exploit this flaw, several security features must first be disabled, which makes successful exploitation less likely.
CVE-2024-38178: A Scripting Engine Memory Corruption Vulnerability rated at 7.5 CVSS. The complexity of the attack is high, requiring the victim to use Edge in Internet Explorer Mode.
CVE-2024-38193: This involves a Windows Ancillary Function Driver issue leading to potential Elevation of Privilege, with a CVSS rating of 7.8. If exploited, it could allow an attacker to gain system privileges, effectively taking control of the system.
CVE-2024-38106: A Windows Kernel Elevation of Privilege Vulnerability with a CVSS of 7.0. Exploiting this requires the attacker to win a race condition.
CVE-2024-38107: Concerns the Windows Power Dependency Coordinator, also an Elevation of Privilege Vulnerability rated 7.8. This could also result in attackers gaining system control.
CVE-2024-38213: A Security Feature Bypass Vulnerability in Windows Mark of the Web, with a CVSS rating of 6.5. It allows bypassing the SmartScreen security feature, potentially letting malicious files run without warning.
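SmartScreen decides whether to warn about a file by reading the Mark of the Web, which Windows stores in an NTFS alternate data stream named Zone.Identifier on files that arrive from the internet. The following PowerShell script is an added example (not from the original article) that lets a defender audit which files in a folder still carry that mark; the folder path, the function name Get-MotwStatus and the default of the user's Downloads folder are assumptions made here.

```powershell
# Added example: audit Mark of the Web (Zone.Identifier stream) on files in a folder.
# Assumed default folder: the current user's Downloads directory.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    # The Mark of the Web lives in the Zone.Identifier alternate data stream.
    # Files without the stream are not screened by SmartScreen at all.
    $zone = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $zone) {
        return [pscustomobject]@{ File = $Path; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }

    # The stream is INI-style text: [ZoneTransfer], ZoneId=<n>, optional ReferrerUrl= and HostUrl= lines.
    # ZoneId 3 is the Internet zone, the one SmartScreen treats as untrusted.
    $zoneId = $null
    $hostUrl = $null
    foreach ($line in $zone) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1].Trim() }
    }

    [pscustomobject]@{ File = $Path; HasMotw = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

# Walk the folder and report every file, flagging those that carry an Internet-zone mark.
Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwStatus -Path $_.FullName } |
    Sort-Object HasMotw -Descending |
    Select-Object File, HasMotw, ZoneId, HostUrl |
    Format-Table -AutoSize
```

Run it after downloading a test file from a browser: the file should appear with HasMotw set to True and ZoneId 3. A file that originated from the internet but shows HasMotw False has lost its mark somewhere in its handling, which is exactly the condition a SmartScreen bypass such as CVE-2024-38213 produces, so it should be treated as unscreened content.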
Publicly Known Vulnerabilities
Microsoft has listed the following vulnerabilities as publicly disclosed:
CVE-2024-38200: A Microsoft Office Spoofing Vulnerability with a CVSS rating of 6.5.
CVE-2024-38199: Involves the Windows Line Printer Daemon (LPD) Service, an RCE Vulnerability with a 9.8 CVSS rating, indicating the severity of its potential impact.
CVE-2024-21302: A Windows Secure Kernel Mode Elevation of Privilege Vulnerability rated 6.7 CVSS.
CVE-2024-38202: Concerns a Windows Update Stack Elevation of Privilege problem, with a 7.3 CVSS rating.
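Because the LPD service behind CVE-2024-38199 is an optional Windows component, the first question for a defender is whether a given host exposes it at all. The following PowerShell function is an added example (not from the original article) that reports whether the service is present, whether the optional feature is enabled and whether anything is listening on the LPD port, TCP 515. The service name LPDSVC and the feature name Printing-Foundation-LPDPrintService are assumptions made here and may differ by Windows edition; the function name Get-LpdExposure is also invented for this example.

```powershell
# Added example: assess whether this host exposes the Windows LPD service.
# Assumed identifiers: service LPDSVC, optional feature Printing-Foundation-LPDPrintService.
function Get-LpdExposure {
    # Service object for the Line Printer Daemon, if the service is installed (assumed name).
    $svc = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue

    # Optional feature state on client SKUs (assumed feature name). This call needs an elevated
    # session and the DISM module; on failure the state is reported as Unknown.
    $feature = $null
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Printing-Foundation-LPDPrintService' -ErrorAction Stop
    } catch {
        $feature = $null
    }

    # TCP/515 is the LPD port; a listener there is the clearest sign the service is reachable.
    $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue

    $serviceStatus = 'NotInstalled'
    if ($svc) { $serviceStatus = $svc.Status.ToString() }

    $featureState = 'Unknown'
    if ($feature) { $featureState = $feature.State.ToString() }

    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = $serviceStatus
        FeatureState   = $featureState
        ListeningOn515 = [bool]$listener
        # Exposed when the service runs or the port is open; patching is then the priority.
        Exposed        = ($serviceStatus -eq 'Running') -or [bool]$listener
    }
}

Get-LpdExposure | Format-List
```

Hosts that report Exposed as True should be patched first; hosts where the service is absent and nothing listens on TCP 515 are not reachable through this flaw, although the update still belongs in the normal patch cycle.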
Updates from Other Vendors
Adobe has also been active in addressing security issues, fixing 71 CVEs across 11 product updates. Notably, InDesign addressed 13 CVEs, and Acrobat and Reader fixed 12, some of which were RCE vulnerabilities.
SAP released 25 security patches, including two HotNews notes. One significant note is CVE-2024-41730, a denial of service vulnerability in the SAP BusinessObjects Business Intelligence Platform with a 9.8 CVSS rating.
Intel has issued 43 security advisories, highlighting nine high-severity flaws. These include vulnerabilities in Intel Ethernet Controllers, Intel NUC BIOS Firmware, Intel Core Ultra Processor, and more.
Staying informed and updating software regularly is crucial in protecting systems from these evolving threats. Always ensure security patches are applied promptly to mitigate potential risks.