August Patch Tuesday goes big – Sophos News

Microsoft’s August 2024 Patch Tuesday launch was, in a single sense, a respite from July’s 138-CVE torrent of fixes, with simply 85 CVEs addressed in the principle launch. Nevertheless, with over two dozen advisories, quite a lot of “informational” notices regarding materials launched in June and July, two high-profile points for which the fixes are nonetheless a piece in progress, and over 85 Linux-related CVEs coated within the launch, directors could discover their patch prioritization particularly complicated this month.

At patch time, 5 of the problems addressed are identified to be beneath exploit within the wild. Three extra are publicly disclosed. Microsoft assesses that 11 CVEs, all in Home windows, are by the corporate’s estimation extra prone to be exploited within the subsequent 30 days. 9 of this month’s points are amenable to detection by Sophos protections, and we embrace info on these in a desk under.

Along with these patches, the discharge consists of advisory info on 12 patches from Adobe, 9 for Edge by way of Chrome (along with three Edge patches from Microsoft), and the recurrently launched servicing stack replace (ADV990001). The corporate additionally offered info on 5 CVEs addressed earlier this summer season however not introduced of their respective months (one in June, 4 in July). We are going to listing these in Appendix D under; those that have already utilized the patches for these months are already protected and needn’t apply them once more. (It needs to be famous that one problem patched in June, CVE-2024-38213, is beneath energetic assault within the wild – an excellent argument for making use of patches as quickly as doable after launch.) Microsoft additionally took pains this month to flag three different CVEs for which fixes have already gone out, however which might be included in Patch Tuesday info for transparency’s sake; we listing these in Appendix D as nicely. We’re as at all times together with on the finish of this put up extra appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

Lastly, this month’s launch consists of a big cohort of CVEs associated to CBL-Mariner, or in some instances to each Mariner and Azure Linux. (Mariner was renamed Azure Linux earlier this 12 months, however the info offered by Microsoft on these CVEs differentiates between the 2.) The CVEs come from a timespan from 2007 to 2024; the CVSS base scores vary from 3.2 to a “good” 10.  These CVEs should not included within the knowledge in the principle a part of this put up, however we’ve got listed all 84 CVEs in Appendix E on the finish of this text for reference. Two extra Mariner / Azure Linux CVEs additionally contact Home windows, and people two are included within the statistics in the principle article in addition to in Appendix E’s listing.

The information in the principle a part of this put up displays solely the 85 CVEs within the non-Mariner, non-advisory portion of the discharge.

By the numbers

• Whole CVEs: 85
• Whole Edge / Chrome advisory points coated in replace: 9 (plus 3 non-advisory Edge points)
• Whole non-Edge Microsoft advisory points coated in replace: 9
• Whole Adobe points coated in replace: 12
• Publicly disclosed: 3
• Exploited: 5
• Severity
  • Vital: 6
  • Essential: 77
  • Average: 2
• Impression
  • Elevation of Privilege: 32
  • Distant Code Execution: 31
  • Info Disclosure: 8
  • Denial of Service: 6
  • Spoofing: 6
  • Safety Function Bypass: 2

Determine 1: The six critical-severity vulnerabilities addressed in August’s Patch Tuesday launch embrace the second this 12 months involving safety function bypass. (This chart doesn’t signify the Mariner-related points mentioned elsewhere on this article)

Merchandise

• Home windows: 62
• Azure: 7
• 365 Apps for Enterprise: 7
• Workplace: 7
• Edge: 3 (plus 9 advisories by way of Chrome)
• .NET: 2
• Azure Linux: 2
• CBL-Mariner: 2
• Visible Studio: 2
• App Installer: 1
• Dynamics 365: 1
• OfficePlus: 1
• Outlook: 1
• PowerPoint: 1
• Undertaking: 1
• Groups: 1

As is our customized for this listing, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on.

Determine 2: All kinds of product households are affected by August’s patches; no less than one, App Installer, is so obscure that Microsoft has included a hyperlink to info on it within the launch itself, together with info on updating it by way of winget. Nonetheless, Home windows as ever guidelines the roost

Notable August updates

Along with the problems mentioned above, quite a lot of particular objects advantage consideration.

CVE-2024-21302 – Home windows Safe Kernel Mode Elevation of Privilege Vulnerability

CVE-2024-38202 – Home windows Replace Stack Elevation of Privilege Vulnerability

These two Essential-severity issued had been debuted by researcher Alon Leviev final week at Black Hat final week after a protracted responsible-disclosure course of. Microsoft has been engaged on the answer for six months, but it surely wants a bit of extra time to untangle this complicated problem with Virtualization-Based mostly Safety (VBS). For now, Microsoft is publishing mitigation info for each CVE-2024-21302 and CVE-2024-38202 on their web site.

CVE-2024-38063 – Home windows TCP/IP Distant Code Execution Vulnerability

There are three CVEs on this launch with a 9.8 CVSS base rating, however solely this one has the excellence of additionally being, in Microsoft’s estimation, extra prone to be exploited within the subsequent thirty days. That’s unlucky, as a result of this critical-severity RCE bug requires neither privileges nor person interplay. An attacker might exploit this problem by repeatedly sending IPv6 packets, with specifically crafted IPv6 packets combined in, to a Home windows machine with IPv6 enabled. (Machines which have IPv6 disabled wouldn’t be affected by this assault.) Sophos has launched protections (Exp/2438063-A) for this problem, as famous within the desk under.

CVE-2024-38213 – Home windows Mark of the Internet Safety Function Bypass Vulnerability

This problem is without doubt one of the 5 famous above that was truly patched months in the past (on this case, June 2024). Those that have utilized the patches launched in June are protected; those that haven’t utilized the patches ought to accomplish that, as the difficulty is presently beneath energetic assault.

[42 CVEs] Home windows 11 24H2 patches, already

Despite the fact that Home windows 11 24H2 just isn’t but typically launch, slightly below half of the problems addressed this month apply to that working system. Customers of the brand new Copilot+ PCs who don’t ingest their patches robotically ought to remember to replace their gadgets; those that do ought to have taken all of the related patches with the newest cumulative replace, which elevates these gadgets to Construct 26100.1457.

Determine 3: With a complete of 659 CVEs addressed in Patch Tuesday releases to this point in 2024, Microsoft’s coping with a far heavier quantity than they had been at this level in 2023 (491 patches), however a bit lower than they dealt with in 2022 (690 patches). That stated, this desk doesn’t embrace the 84 Mariner-released CVEs mentioned elsewhere on this put up

Sophos protections

As you possibly can each month, in the event you don’t need to wait in your system to drag down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace package deal in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

This can be a listing of August patches sorted by influence, then sub-sorted by severity. Every listing is additional organized by CVE.

Elevation of Privilege (32 CVEs)

Distant Code Execution (31 CVEs)

Info Disclosure (8 CVEs)

Denial of Service (6 CVEs)

Spoofing (6 CVEs)

Safety Function Bypass (2 CVEs)

Appendix B: Exploitability

This can be a listing of the August CVEs judged by Microsoft to be both beneath exploitation within the wild or extra prone to be exploited within the wild throughout the first 30 days post-release. The listing is organized by CVE. This desk doesn’t embrace CVE-2024-38213, which was launched in June.

Appendix C: Merchandise Affected

This can be a listing of August’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of occasions, as soon as for every product household.

Home windows (62 CVEs)

Azure (7 CVEs)

365 Apps for Enterprise (7 CVEs)

Workplace (7 CVEs)

Edge (3 CVE)

.NET (2 CVE)

Azure Linux (2 CVE)

CBL-Mariner (2 CVE)

Visible Studio (2 CVE)

App Installer (1 CVE)

Dynamics 365 (1 CVE)

OfficePlus (1 CVE)

Outlook (1 CVE)

PowerPoint (1 CVE)

Undertaking (1 CVE)

Groups (1 CVE)

Appendix D: Advisories and Different Merchandise

This can be a listing of advisories and data on different related CVEs within the August Microsoft launch, sorted by product.

Related to Edge / Chromium (9 CVEs)

Servicing Stack Updates (1 merchandise)

Beforehand Launched; Info Lacking from Earlier Patch Tuesday Knowledge (5 CVEs)

Beforehand Launched (Cloud); Info Offered as Advisory Solely (3 objects)

Related to Adobe (non-Microsoft launch) (12 CVEs)

Appendix E: CVEs Related to CBL-Mariner / Azure Linux

The knowledge on these CVEs, which originated with an assortment of CNAs, is usually fairly totally different in nature from that offered for CVEs addressed in Microsoft’s Patch Tuesday course of. Typically such CVEs haven’t any title, or no out there CVSS scoring. For this desk, we’ve got chosen to easily listing the CVEs as famous in Microsoft’s personal abstract info.