Patch Tuesday Reveals 102 Security Flaws

Lilu Anderson

This month's Microsoft Patch Tuesday release covers 102 CVEs in total. Six of them are already being exploited in the wild, and another four were publicly disclosed before a fix was available but have not been seen exploited. The count includes a dozen CVEs from third-party components shipped with Microsoft products, a reminder that a Windows host is only as patched as the weakest library on it.

Six Actively Exploited Vulnerabilities

Let's delve into the six vulnerabilities currently under active exploitation:

  • CVE-2024-38189: A Microsoft Project Remote Code Execution (RCE) vulnerability with a CVSS score of 8.8. Exploitation requires a victim whose Office macro protections are already switched off (the advisory names the policy that blocks macros in files from the Internet and the VBA macro notification settings), so the risk is concentrated on hosts where those defaults have been relaxed. That it is being exploited anyway says something about how often that happens.

  • CVE-2024-38178: A Scripting Engine Memory Corruption vulnerability with a CVSS score of 7.5. Attack complexity is rated high because the victim must be running Edge in Internet Explorer mode, which loads the legacy scripting engine; organisations that still rely on IE mode for internal applications should treat this as a browser RCE.

  • CVE-2024-38193: An Elevation of Privilege vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys), with a CVSS score of 7.8. A local attacker who already has code execution can use it to gain SYSTEM privileges, which is the usual second stage after a phishing or browser compromise.

  • CVE-2024-38106: A Windows Kernel Elevation of Privilege Vulnerability with a CVSS of 7.0. Exploiting this requires the attacker to successfully navigate a race condition.

  • CVE-2024-38107: Concerns the Windows Power Dependency Coordinator, also an Elevation of Privilege Vulnerability rated 7.8. This could also result in attackers gaining system control.

  • CVE-2024-38213: A Security Feature Bypass in Windows Mark of the Web (MotW), with a CVSS score of 6.5. A file from the Internet that should carry the mark arrives without it, so SmartScreen and the other protections keyed on MotW (Office Protected View, for example) never trigger and the file opens without the usual warning.
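Because the MotW bypass above leaves a concrete artefact (a downloaded file with no Zone.Identifier stream), it is worth knowing how to look for it. The following is an added example written for this page, not code from the article or from Microsoft: it reads the Zone.Identifier alternate data stream on recent downloads and reports which files are untagged. The Downloads path, the 30-day window and the list of "risky" extensions are assumptions you should adjust; it expects Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

```powershell
# Added example, not code from the article: report Mark of the Web status for recent downloads.
# MotW lives in an NTFS alternate data stream called Zone.Identifier; SmartScreen and Office
# Protected View act on ZoneId=3 (Internet) and ZoneId=4 (Restricted sites).
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with an NTFS volume.

function Get-MotwStatus {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),   # assumed default location
        [int]$Days = 30                                             # assumed look-back window
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $zoneId = $null; $referrer = $null; $hostUrl = $null
            # A file without the stream makes Get-Content throw; SilentlyContinue turns that into $null
            $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($stream) {
                foreach ($line in $stream) {
                    if     ($line -match '^ZoneId=(\d+)')      { $zoneId   = [int]$Matches[1] }
                    elseif ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
                    elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl  = $Matches[1] }
                }
            }
            [pscustomobject]@{
                File        = $_.FullName
                ZoneId      = $zoneId
                # Only zones 3 and 4 trigger SmartScreen / Protected View
                Tagged      = ($null -ne $zoneId -and $zoneId -ge 3)
                ReferrerUrl = $referrer
                HostUrl     = $hostUrl
            }
        }
}

# Constructed list of file types worth scrutinising when they turn up untagged; extend as needed
$riskyExtensions = '\.(exe|dll|msi|lnk|iso|img|vhdx?|js|jse|vbs|wsf|hta|ps1|docm|xlsm|pptm)$'

# Recent downloads that lack MotW: exactly the artefact a MotW bypass leaves behind
Get-MotwStatus |
    Where-Object { -not $_.Tagged -and $_.File -match $riskyExtensions } |
    Format-Table File, ZoneId, HostUrl -AutoSize

# Re-apply the mark to a file you did not mean to trust; Unblock-File does the reverse
function Set-Motw {
    param([Parameter(Mandatory)][string]$LiteralPath, [int]$ZoneId = 3)
    Set-Content -LiteralPath $LiteralPath -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}
```

An untagged installer or script in Downloads is not proof of exploitation (files copied from removable media or extracted by some archivers legitimately lack the stream), but it is the right starting point for a hunt, and the HostUrl and ReferrerUrl fields on tagged files tell you where the rest came from.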

Publicly Known Vulnerabilities

Microsoft has listed the following vulnerabilities as publicly disclosed:

  • CVE-2024-38200: A Microsoft Office Spoofing Vulnerability with a CVSS rating of 6.5.

  • CVE-2024-38199: An RCE vulnerability in the Windows Line Printer Daemon (LPD) Service with a CVSS score of 9.8, the highest in this release. LPD is an optional component that is not enabled by default, so exposure is limited to hosts where it has been turned on and is reachable on TCP port 515.

  • CVE-2024-21302: A Windows Secure Kernel Mode Elevation of Privilege Vulnerability rated 6.7 CVSS.

  • CVE-2024-38202: Concerns a Windows Update Stack Elevation of Privilege problem, with a 7.3 CVSS rating.
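Since the LPD bug only matters on hosts that actually run the service, the first question is whether you have any. The following is an added example for this page, not code from the article or from Microsoft: it checks the optional component, the service and the listening socket, and offers a removal function for hosts that do not need LPD. The component names it uses (Printing-Foundation-LPDPrintService on client SKUs, Print-LPD-Service on Server, service name LPDSVC) are what I expect to see; the wildcard lookup is there in case a SKU names the feature differently. It expects an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example, not from the article: find out whether a host actually exposes the LPD service.
# LPD is an optional Windows component that listens on TCP 515 when enabled. The component names
# below (Printing-Foundation-LPDPrintService on client SKUs, Print-LPD-Service on Server,
# service LPDSVC) are what I expect to see; the wildcard lookup catches a differently named SKU.
# Assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session.

function Test-LpdExposure {
    $report = [ordered]@{
        Component      = 'not found'
        ComponentState = 'n/a'
        Service        = 'absent'
        Listening515   = @()
        Exposed        = $false
    }

    # Client SKUs: DISM optional features. Wildcard match so a renamed feature still shows up.
    $feature = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -like '*LPD*' } | Select-Object -First 1
    if ($feature) {
        $report.Component      = $feature.FeatureName
        $report.ComponentState = $feature.State.ToString()
    }

    # Server SKUs: the same component is a role service managed through ServerManager
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $role = Get-WindowsFeature -Name Print-LPD-Service -ErrorAction SilentlyContinue
        if ($role) {
            $report.Component      = $role.Name
            $report.ComponentState = if ($role.Installed) { 'Enabled' } else { 'Disabled' }
        }
    }

    $svc = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
    if ($svc) { $report.Service = $svc.Status.ToString() }

    # Ground truth: is anything bound to 515, regardless of how it got there?
    $report.Listening515 = @(Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}:{1} (PID {2})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess })

    $report.Exposed = ($report.Service -eq 'Running' -or $report.Listening515.Count -gt 0)
    [pscustomobject]$report
}

# Where LPD is not needed, removing the component is a better fix than the patch alone
function Disable-LpdService {
    param([string]$FeatureName = 'Printing-Foundation-LPDPrintService')   # assumed client feature name
    Stop-Service -Name LPDSVC -Force -ErrorAction SilentlyContinue
    Set-Service -Name LPDSVC -StartupType Disabled -ErrorAction SilentlyContinue
    Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

Test-LpdExposure
```

Run Test-LpdExposure across the fleet before the patch window: a host reporting Exposed = $true is where the 9.8 actually applies, and anything else can be patched on the normal schedule. Pair the listening-socket check with a firewall rule review, since a service that listens only on a management VLAN is a different risk from one reachable from the user network.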

Updates from Other Vendors

Adobe has also been active in addressing security issues, fixing 71 CVEs across 11 product updates. Notably, InDesign addressed 13 CVEs, and Acrobat and Reader fixed 12, some of which were RCE vulnerabilities.

SAP released 25 security notes, including two rated HotNews. The most significant is CVE-2024-41730, a missing authentication check in the SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.8: with single sign-on enabled for Enterprise authentication, an unauthenticated user can obtain a logon token through a REST endpoint and go on to act as an authenticated user.

Intel has issued 43 security advisories, highlighting nine high-severity flaws. These include vulnerabilities in Intel Ethernet Controllers, Intel NUC BIOS Firmware, Intel Core Ultra Processor, and more.

Staying informed and updating software regularly is crucial in protecting systems from these evolving threats. Prioritise the six actively exploited bugs and the 9.8-rated LPD flaw on any host that runs the service, then work through the rest on the normal schedule.
