August Patch Tuesday goes big

Microsoft’s August 2024 Patch Tuesday release was, in one sense, a respite from July’s 138-CVE torrent of fixes, with just 85 CVEs addressed in the main release. However, with over two dozen advisories, a number of “informational” notices concerning material released in June and July, two high-profile issues for which the fixes are still a work in progress, and over 85 Linux-related CVEs covered in the release, administrators may find their patch prioritization especially complex this month.

At patch time, five of the issues addressed are known to be under exploit in the wild. Three more are publicly disclosed. Microsoft assesses that 11 CVEs, all in Windows, are by the company’s estimation more likely to be exploited in the next 30 days. Nine of this month’s issues are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, the release includes advisory information on 12 patches from Adobe, nine for Edge via Chrome (in addition to three Edge patches from Microsoft), and the regularly released servicing stack update (ADV990001). The company also provided information on five CVEs addressed earlier this summer but not announced in their respective months (one in June, four in July). We will list those in Appendix D below; those who have already applied the patches for those months are already protected and need not apply them again. (It should be noted that one issue patched in June, CVE-2024-38213, is under active attack in the wild – a good argument for applying patches as soon as possible after release.) Microsoft also took pains this month to flag three other CVEs for which fixes have already gone out, but that are included in Patch Tuesday information for transparency’s sake; we list those in Appendix D as well. We are as always including at the end of this post additional appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

Finally, this month’s release includes a large cohort of CVEs related to CBL-Mariner, or in some cases to both Mariner and Azure Linux. (Mariner was renamed Azure Linux earlier this year, but the information provided by Microsoft on these CVEs differentiates between the two.) The CVEs come from a timespan from 2007 to 2024; the CVSS base scores range from 3.2 to a “perfect” 10.  Those CVEs are not included in the data in the main part of this post, but we have listed all 84 CVEs in Appendix E at the end of this article for reference. Two additional Mariner / Azure Linux CVEs also touch Windows, and those two are included in the statistics in the main article as well as in Appendix E’s list.

The data in the main part of this post reflects only the 85 CVEs in the non-Mariner, non-advisory portion of the release.

By the numbers

• Total CVEs: 85
• Total Edge / Chrome advisory issues covered in update: 9 (plus 3 non-advisory Edge issues)
• Total non-Edge Microsoft advisory issues covered in update: 9
• Total Adobe issues covered in update: 12
• Publicly disclosed: 3
• Exploited: 5
• Severity
  • Critical: 6
  • Important: 77
  • Moderate: 2
• Impact
  • Elevation of Privilege: 32
  • Remote Code Execution: 31
  • Information Disclosure: 8
  • Denial of Service: 6
  • Spoofing: 6
  • Security Feature Bypass: 2

Figure 1: The six critical-severity vulnerabilities addressed in August’s Patch Tuesday release include the second this year involving security feature bypass. (This chart does not represent the Mariner-related issues discussed elsewhere in this article)

Products

• Windows: 62
• Azure: 7
• 365 Apps for Enterprise: 7
• Office: 7
• Edge: 3 (plus 9 advisories via Chrome)
• .NET: 2
• Azure Linux: 2
• CBL-Mariner: 2
• Visual Studio: 2
• App Installer: 1
• Dynamics 365: 1
• OfficePlus: 1
• Outlook: 1
• PowerPoint: 1
• Project: 1
• Teams: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect.

Figure 2: A wide variety of product families are affected by August’s patches; at least one, App Installer, is so obscure that Microsoft has included a link to information on it in the release itself, including information on updating it via winget. Still, Windows as ever rules the roost

Notable August updates

In addition to the issues discussed above, a number of specific items merit attention.

CVE-2024-21302 – Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVE-2024-38202 – Windows Update Stack Elevation of Privilege Vulnerability

These two Important-severity issued were debuted by researcher Alon Leviev last week at Black Hat last week after a prolonged responsible-disclosure process. Microsoft has been working on the solution for six months, but it needs a little more time to untangle this complex issue with Virtualization-Based Security (VBS). For now, Microsoft is publishing mitigation information for both CVE-2024-21302 and CVE-2024-38202 on their site.

CVE-2024-38063 – Windows TCP/IP Remote Code Execution Vulnerability

There are three CVEs in this release with a 9.8 CVSS base score, but only this one has the distinction of also being, in Microsoft’s estimation, more likely to be exploited in the next thirty days. That’s unfortunate, because this critical-severity RCE bug requires neither privileges nor user interaction. An attacker could exploit this issue by repeatedly sending IPv6 packets, with specially crafted IPv6 packets mixed in, to a Windows machine with IPv6 enabled. (Machines that have IPv6 disabled would not be affected by this attack.) Sophos has released protections (Exp/2438063-A) for this issue, as noted in the table below.

CVE-2024-38213 – Windows Mark of the Web Security Feature Bypass Vulnerability

This issue is one of the five noted above that was actually patched months ago (in this case, June 2024). Those who have applied the patches released in June are protected; those who have not applied the patches should do so, as the issue is currently under active attack.

[42 CVEs] Windows 11 24H2 patches, already

Even though Windows 11 24H2 is not yet in general release, just under half of the issues addressed this month apply to that operating system. Users of the new Copilot+ PCs who do not ingest their patches automatically should be sure to update their devices; those who do should have taken all the relevant patches with the latest cumulative update, which elevates those devices to Build 26100.1457.

Figure 3: With a total of 659 CVEs addressed in Patch Tuesday releases so far in 2024, Microsoft’s dealing with a far heavier volume than they were at this point in 2023 (491 patches), but a bit less than they handled in 2022 (690 patches). That said, this table does not include the 84 Mariner-released CVEs discussed elsewhere in this post

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of August patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (32 CVEs)

Remote Code Execution (31 CVEs)

Information Disclosure (8 CVEs)

Denial of Service (6 CVEs)

Spoofing (6 CVEs)

Security Feature Bypass (2 CVEs)

Appendix B: Exploitability

This is a list of the August CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE. This table does not include CVE-2024-38213, which was released in June.

Appendix C: Products Affected

This is a list of August’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (62 CVEs)

Azure (7 CVEs)

365 Apps for Enterprise (7 CVEs)

Office (7 CVEs)

Edge (3 CVE)

.NET (2 CVE)

Azure Linux (2 CVE)

CBL-Mariner (2 CVE)

Visual Studio (2 CVE)

App Installer (1 CVE)

Dynamics 365 (1 CVE)

OfficePlus (1 CVE)

Outlook (1 CVE)

PowerPoint (1 CVE)

Project (1 CVE)

Teams (1 CVE)

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the August Microsoft release, sorted by product.

Relevant to Edge / Chromium (9 CVEs)

Servicing Stack Updates (1 item)

Previously Released; Information Missing from Previous Patch Tuesday Data (5 CVEs)

Previously Released (Cloud); Information Provided as Advisory Only (3 items)

Relevant to Adobe (non-Microsoft release) (12 CVEs)

Appendix E: CVEs Relevant to CBL-Mariner / Azure Linux

The information on these CVEs, which originated with an assortment of CNAs, is often rather different in nature from that provided for CVEs addressed in Microsoft’s Patch Tuesday process. Often such CVEs have no title, or no available CVSS scoring. For this table, we have chosen to simply list the CVEs as noted in Microsoft’s own summary information.