Six 0 Days Ahead of Microsoft’s August 2024 Patch Push – Krebs on Security

Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including six zero-day flaws that are already being exploited by attackers.

This month’s bundle of update joy from Redmond also includes fixes for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and yes, Windows itself. Of the six zero-day vulnerabilities that Microsoft addressed this month, some are privilege escalation vulnerabilities, meaning they are most useful to attackers when combined with other vulnerabilities or access.

CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 all allow an attacker to gain SYSTEM-level privileges on a vulnerable machine, although the vulnerabilities reside in different parts of the Windows operating system.

Microsoft’s advisories include little information about the last two privilege escalation flaws, beyond noting that they are being exploited. Microsoft says that CVE-2024-38106 exists in the Windows Kernel and is being actively exploited, but that it has a high “attack complexity,” meaning it can be tricky for malware or hackers to exploit reliably.

“Microsoft rates sophisticated exploits as high due to an attacker needing to win the race,” Trend Micro’s ZeroDay Initiative (ZDI) noted. “However, some races are easier to run than others. It’s times like these that CVSS can go astray. Race conditions lead to high difficulty in the CVSS effect, but with wild attacks, it is clear that this bug is easily exploitable.”

Another zero-day this month is CVE-2024-38178, a remote code execution bug that exists when the built-in Windows Edge browser is running in “Internet Explorer Mode.” IE mode is not enabled by default in Edge, but it can be enabled to work with older websites or applications that are not supported by modern Chromium-based browsers.

“While this is not the default mode for most users, this active exploit suggests that there are times when an attacker can set this or identify an organization (or user) that has this setting,” wrote Kev Breen, senior director of threat research at Immersive Labs.

CVE-2024-38213 is a zero-day flaw that allows malware to bypass the “Mark of the Web,” a security feature in Windows that marks files downloaded from the Internet as untrustworthy (Windows SmartScreen is responsible for the “Windows protected your PC” popup that appears when you open files downloaded from the web).

“This vulnerability is not exploitable on its own and is often seen as part of a series of exploits, for example, modifying a malicious document or exe file to include this pass before emailing the file or distributing it to compromised websites,” said Breen.
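To see which files actually carry the mark described above, the sketch below parses the `Zone.Identifier` alternate data stream that Windows attaches to downloaded files and lists risky file types in a download folder that lack a valid mark. It is an added example, not code from the article or from Microsoft; the sample streams, file names and the `RISKY_EXT` list are constructed for illustration.

```python
import configparser

# Assumption: extensions a defender wants reviewed when found without a mark.
RISKY_EXT = (".exe", ".msi", ".lnk", ".docm", ".xlsm", ".js", ".iso")

def parse_zone_identifier(text):
    """Parse the INI-style stream body; return (zone_id, fields) or (None, {})."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl, ReferrerUrl)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        fields = dict(cp["ZoneTransfer"])
        return int(fields["ZoneId"]), fields
    except (configparser.Error, KeyError, ValueError):
        return None, {}

def read_mark(path):
    """Read the stream from an NTFS file on Windows; None when it is absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def classify(stream_text):
    """ZoneId 3 (Internet) and 4 (Restricted Sites) are the untrusted zones."""
    if stream_text is None:
        return "unmarked"
    zone, _ = parse_zone_identifier(stream_text)
    if zone is None:
        return "malformed"
    return "marked-untrusted" if zone >= 3 else "marked-trusted"

def audit(streams):
    """Return (name, status) for risky file types with no valid mark."""
    findings = []
    for name, text in sorted(streams.items()):
        status = classify(text)
        if name.lower().endswith(RISKY_EXT) and status in ("unmarked", "malformed"):
            findings.append((name, status))
    return findings

# Constructed sample: file name -> stream body as read_mark() would return it.
SAMPLES = {
    "invoice.docm": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example/invoice.docm\r\n",
    "setup.exe": None,
    "notes.txt": None,
    "tool.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "report.xlsm": "ZoneId=3\r\n",  # section header missing
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES):
        print(f"{name}: {status}")
```

An unmarked file is normal for locally created content, so findings are leads for review in a download or mail-attachment folder rather than verdicts.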

The last zero-day this month is CVE-2024-38189, a remote code execution bug in Microsoft Project. However, Microsoft and several security companies point out that this vulnerability only applies to customers who have already disabled notifications about the security risks of using VBA Macros in Microsoft Project (not a very good idea, as malware has a long history of hiding inside malicious Office Macros).

Separately, Adobe today issued 11 security advisories addressing at least 71 security vulnerabilities in multiple products, including Adobe Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, and Substance 3D Sampler/Substance 3D Designer. Adobe says it is not aware of any active exploits against any of the bugs it fixed this week.

It’s a good idea for Windows users to keep up to date with security updates from Microsoft, which can pile up quickly otherwise. That doesn’t mean you have to install them on Patch Tuesday every month. Indeed, waiting a day or three before updating is a reasonable approach, as sometimes updates go wrong and usually within a few days Microsoft has fixed any problems with its patches. It is also wise to back up your data and/or make an image of your Windows drive before installing new updates.

For a more detailed description of the bugs that Microsoft addressed today, check out the SANS Internet Storm Center list. For those administrators who are responsible for maintaining large Windows environments, it pays to keep an eye on Askwoody.com, which often points out where certain Microsoft updates cause the most problems for users.