Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild.
Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month.
The Patch Tuesday updates are notable for addressing six actively exploited zero-days -
- CVE-2024-38189 (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability
- CVE-2024-38178 (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability
- CVE-2024-38193 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2024-38106 (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability
- CVE-2024-38107 (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
- CVE-2024-38213 (CVSS score: 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38213, which allows attackers to bypass SmartScreen protections, requires an attacker to send the user a malicious file and convince them to open it. Credited with discovering and reporting the flaw is Trend Micro's Peter Girnus, suggesting that it could be a bypass for CVE-2024-21412 or CVE-2023-36025, which were previously exploited by DarkGate malware operators.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaws to its Known Exploited Vulnerabilities (KEV) catalog, which obligates federal agencies to apply the fixes by September 3, 2024.
Four of the below CVEs are listed as publicly known -
- CVE-2024-38200 (CVSS score: 7.5) - Microsoft Office Spoofing Vulnerability
- CVE-2024-38199 (CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
- CVE-2024-21302 (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability
- CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability
"An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email," Scott Caveza, staff research engineer at Tenable, said about CVE-2024-38200.
"Successful exploitation of the vulnerability could result in the victim exposing New Technology Lan Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker's foothold into an organization."
The update also addresses a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), which allows an attacker to gain SYSTEM privileges. "Successful exploitation of this vulnerability requires an attacker to win a race condition," Microsoft said.
That said, Microsoft has yet to release updates for CVE-2024-38202 and CVE-2024-21302, which could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.
The disclosure follows a report from Fortra about a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) that could cause a system crash, resulting in Blue Screen of Death (BSoD).
When reached for comment, a Microsoft spokesperson told The Hacker News that the issue "does not meet the bar for immediate servicing under our severity classification guidelines and we will consider it for a future product update."
"The technique described requires an attacker to have already gained code execution capabilities on the target machine and it does not grant elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by the user," the spokesperson added.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
- Adobe
- AMD
- Apple
- Arm
- Bosch
- Broadcom (including VMware)
- Cisco
- Citrix
- D-Link
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Android
- Google Chrome
- Google Cloud
- Google Wear OS
- HMS Networks
- HP
- HP Enterprise (including Aruba Networks)
- IBM
- Intel
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitel
- MongoDB
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- Progress Software
- Qualcomm
- Rockwell Automation
- Samsung
- SAP
- Schneider Electric
- Siemens
- SonicWall
- Splunk
- Spring Framework
- T-Head
- Trend Micro
- Zoom, and
- Zyxel
Delta vs. CrowdStrike: The duties vendors owe to customers – or do they?
Critical Flaw in Ivanti Virtual Traffic Manager Could Allow Rogue Admin Access
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
HighCWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code
CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-1118 Insufficient Documentation of Error Handling Techniques
Free online web security scanner
