Microsoft warned Tuesday of six actively exploited Windows security defects, highlighting ongoing struggles with zero-day attacks across its flagship operating system.
Redmond’s security response team pushed out documentation for almost 90 vulnerabilities across Windows and OS components and raised eyebrows when it marked a half-dozen flaws in the actively exploited category.
Here’s the raw data on the six newly patched zero-days:
CVE-2024-38178 — A memory corruption vulnerability in the Windows Scripting Engine allows remote code execution attacks if an authenticated client is tricked into clicking a link in order for an unauthenticated attacker to initiate remote code execution. According to Microsoft, successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode. CVSS 7.5/10.
This zero-day was reported by Ahn Lab and the South Korea’s National Cyber Security Center, suggesting it was used in a nation-state APT compromise. Microsoft did not release IOCs (indicators of compromise) or any other data to help defenders hunt for signs of infections.
CVE-2024-38189 — A remote code execution flaw in Microsoft Project is being exploited via maliciously rigged Microsoft Office Project files on a system where the ‘Block macros from running in Office files from the Internet policy’ is disabled and ‘VBA Macro Notification Settings’ are not enabled allowing the attacker to perform remote code execution. CVSS 8.8/10.
CVE-2024-38107 — A privilege escalation flaw in the Windows Power Dependency Coordinator is rated “important” with a CVSS severity score of 7.8/10. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said, without providing any IOCs or additional exploit telemetry.
CVE-2024-38106 – Exploitation has been detected targeting this Windows kernel elevation of privilege flaw that carries a CVSS severity score of 7.0/10. “Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” This zero-day was reported anonymously to Microsoft.
CVE-2024-38213 — Microsoft describes this as a Windows Mark of the Web security feature bypass being exploited in active attacks. “An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience.”
CVE-2024-38193 – An elevation of privilege security defect in the Windows Ancillary Function Driver for WinSock is being exploited in the wild. Technical details and IOCs are not available. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.
Microsoft also urged Windows sysadmins to pay urgent attention to a batch of critical-severity issues that expose users to remote code execution, privilege escalation, cross-site scripting and security feature bypass attacks.
These include a major flaw in the Windows Reliable Multicast Transport Driver (RMCAST) that brings remote code execution risks (CVSS 9.8/10); a severe Windows TCP/IP remote code execution flaw with a CVSS severity score of 9.8/10; two separate remote code execution issues in Windows Network Virtualization; and an information disclosure issue in the Azure Health Bot (CVSS 9.1).
Related: Windows Update Flaws Allow Undetectable Downgrade Attacks
Related: Adobe Calls Attention to Massive Batch of Code Execution Flaws
Related: Microsoft Warns of OpenVPN Vulnerabilities, Potential for Exploit Chains
Related: Recent Adobe Commerce Vulnerability Exploited in Wild
Related: Adobe Issues Critical Product Patches, Warns of Code Execution Risks