Patch Tuesday—ten zero-days, seven Critical vulns, zero time to waste.

See These CVEs

What’s the craic? Jai Vijayan reports: Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update

“Under active exploit”
Seven of the bugs that Microsoft disclosed this week are rated as Critical. … Attackers are already actively exploiting six of the bugs and four others are public, including one for which Microsoft has no patch yet: … An elevation of privilege (EoP) bug in Windows Update Stack, tracked as CVE-2024-38202.
…
Two of the vulnerabilities under active attack enable remote code execution (RCE) on affected systems: … CVE-2024-38189, affects Microsoft Project [and] CVE-2024-38178, a memory corruption vulnerability in Windows Scripting. … Three of the zero-days in this update that attackers are actively exploiting — CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 — enable an attack to elevate privileges to system admin status. … ’38106 is especially serious because it exists in the Windows Kernel.
…
The other zero-day under active exploit is CVE-2024-38213, a flaw that allows attackers to bypass Windows Mark of the Web. [It] gives attackers a way to sneak malicious files and Web content into enterprise environments without having them marked as untrusted.

Wait. *Counts on fingers* isn’t that seven zero-days? Lawrence Abrams runs the numbers: Microsoft August 2024 Patch Tuesday

There’s a lot going on here. Brian Krebs cycles in: August 2024 Patch Push

“Security vulnerabilities”
This month’s bundle of update joy from Redmond includes patches for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and of course Windows itself. Of the six zero-day weaknesses Microsoft addressed this month, half are local privilege escalation vulnerabilities — meaning they are primarily useful for attackers when combined with other flaws or access.
…
Separately, Adobe today [addressed] at least 71 security vulnerabilities across a range of products including Adobe Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, and Substance 3D Sampler/Substance 3D Designer.

What about the ones not disclosed nor exploited yet? Dustin Childs picks a favorite Security Update Review:

We’re greeted with three different CVSS 9.8 bugs. … The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target. That means it’s wormable.

That sounds horrific. Good job it’s not in the wild. Not so fast, thinks zer0c00ler:

It probably takes nation states (and skilled individuals) a few hours to reverse the patch and build an exploit.

The ’38213 Mark Of The Web flaw got Richard 12’s attention:

Any patching issues in production? u/joshtaco emits zero unnecessary verbiage:

Ready to deploy to 8,000 servers/workstations. Work work.
…
All patches installed. Everything looks fine.

That’s a lot of work. But bradley13 solved the problem, thankfully: [You’re fired—Ed.]

Thankfully, I solved the problem by removing Windows a couple of years ago. It now lives in a rarely used VM.

And Finally:

“Toyota’s answer to increasing competition from the Nissan GT-R and Honda NSX.”

Previously in And Finally

You have been reading SB⁠ ⁠Blogwatch by Richi⁠ ⁠Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to⁠ ⁠@RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Kelly Sikkema (via Unsplash; leveled and cropped)