Virtual Administrator’s August Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 88 vulnerabilities with 7 rated “Critical” in severity.

All new patches will be approved in our patch policy.

Fewer vulnerabilities than last month, but they include fixes for six zero-days that are already being exploited in the wild.

  • CVE-2024-38178 is a memory corruption vulnerability in the scripting engine. An authenticated user would need to click a crafted link while Microsoft Edge is running in Internet Explorer mode.
  • CVE-2024-38213 is a zero-day flaw that allows a malicious file to bypass the “Mark of the Web” and the SmartScreen warning that normally accompanies it.
  • The TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063) is reachable by an unauthenticated attacker over the network; systems with IPv6 disabled on the target machine are not affected.
  • Privilege escalation vulnerabilities CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 could allow attackers to gain SYSTEM privileges.
  • Two further publicly disclosed zero-days (CVE-2024-38202, CVE-2024-21302) were demonstrated at Black Hat USA 2024 earlier this month. These “Windows Downdate” downgrade attacks force a fully patched device to roll back to older, vulnerable versions of system components, reintroducing vulnerabilities that had already been fixed.
  • There is still no patch for CVE-2024-38202; see ADV24216903 below for mitigation guidance. Microsoft also released new stand-alone SSUs for Windows Server 2012/2012 R2 and Windows 10 1607/Server 2016.

Disclosed: CVE-2024-21302, CVE-2024-38199, CVE-2024-38200, CVE-2024-38202

Exploited: CVE-2024-38106, CVE-2024-38107, CVE-2024-38178, CVE-2024-38189, CVE-2024-38193, CVE-2024-38213

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:8/13/2024)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.

ADV24216903 | Windows Elevation of Privilege Vulnerability Chain Mitigation Guidance (Published:8/7/2024)

https://msrc.microsoft.com/update-guide/advisory/ADV24216903

We are publishing this MSRC advisory to explain the risks posed by chaining these vulnerabilities and raise awareness of the mitigation guidance available to customers due to the potential for the threat landscape to change. Customers concerned with the risks stemming from this vulnerability chain should reference the Customer Guidance section for more information.

FYI – BitLocker issues new and old

Late last month Microsoft acknowledged that the July updates could cause BitLocker to go into recovery mode on some systems. The problem has been resolved with the August update. Also, the notorious January BitLocker (WinRE) updates that caused 0x80070643 errors have been replaced.

Devices might boot into BitLocker recovery with the July 2024 security update

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#357msgdesc

CVE-2024-38058: BitLocker Security Feature Bypass Vulnerability

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38058

When customers applied the fix for this vulnerability to their devices, we received feedback about firmware incompatibility issues that were causing BitLocker to go into recovery mode on some devices. As a result, with the release of the August 2024 security updates we are disabling this fix. Customers who want this protection can apply the mitigations described in KB5025885.

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

BitLocker Security Feature Bypass Vulnerability (KB5034439/KB5034440/KB5034441)

The January WinRE updates that caused 0x80070643 errors have been replaced. The new updates will not attempt to install if the Windows Recovery Environment (WinRE) partition does not have the required 250 MB of free space.

  • KB5042322 replaces KB5034439
  • KB5042321 replaces KB5034440
  • KB5042320 replaces KB5034441

Known Issues

Microsoft acknowledged a problem affecting Remote Desktop Connectivity

Microsoft continues to list older unresolved problems under Known Issues for new patches, so if you have not experienced one of these issues yet it is unlikely to start occurring now.

Windows Servers might affect Remote Desktop Connectivity across an organization.

Affects: Windows Server 2022/2019/2016/2012/2012R2 and Windows 10  1607/1809

https://support.microsoft.com/en-us/topic/august-13-2024-kb5041160-os-build-20348-2655-e186b7ab-3d1b-4f6e-a959-f3e5d0bad3df

Symptom: After installing the Windows update released on or after July 9, 2024, Windows Servers might experience interrupted Remote Desktop connectivity across an organization. The issue can occur when the legacy Remote Procedure Call over HTTP transport is used by Remote Desktop Gateway; remote desktop connections through the gateway are then interrupted.

The issue might occur intermittently, for example repeating every 30 minutes. At each occurrence, logon sessions are lost and users need to reconnect to the server. IT administrators can track this as the TSGateway service terminating unexpectedly with exception code 0xc0000005 (an access violation).

Workaround: To work around this issue, use one of the following options:

Option 1: Block connections over the named pipe and port \pipe\RpcProxy\3388 through the RD Gateway.

This requires connection-filtering software, such as a firewall, in front of the gateway. Consult the documentation for your firewall or connection-filtering software for guidance on blocking the pipe and port.

Option 2: Edit the registry of client devices and set the value of RDGClientTransport to 0x00000000 (0)

In Windows Registry Editor, navigate to the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client

Find RDGClientTransport and set its value to 0 (zero), i.e. 0x00000000. This is a per-user (HKCU) setting, so it has to be applied in each affected user's profile on each client device.

Status: We are working on a resolution and will provide an update in an upcoming release.
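
The following PowerShell is an added example, not code from the Microsoft KB article or the original page. It looks for the TSGateway crash pattern described above (so you can confirm the roughly 30-minute cadence before changing anything) and then applies the Option 2 client-side registry workaround. It assumes the service crash is recorded in the System log as Service Control Manager event 7031/7034 naming "Remote Desktop Gateway", and in the Application log as Application Error event 1000 containing exception code 0xc0000005; the function and parameter names are chosen for this example.

```powershell
# Added example (not from the Microsoft KB or the original page).
# Assumptions: SCM logs the unexpected termination as System event 7031/7034 naming
# "Remote Desktop Gateway"; Application Error event 1000 carries "0xc0000005".
# Function and parameter names are chosen for this example.

function Find-RdGatewayCrash {
    param([int]$Days = 7)          # how far back to search
    $since = (Get-Date).AddDays(-$Days)

    # Service Control Manager records an unexpected service termination as 7031 or 7034.
    $crashes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = @(7031, 7034); StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Desktop Gateway' } |
        Sort-Object TimeCreated

    # Application Error (event 1000) carries the exception code of the faulting process.
    $accessViolations = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0xc0000005' })

    # The KB describes the crash repeating about every 30 minutes; emit the gap between
    # consecutive terminations so the pattern is easy to confirm at a glance.
    $previous = $null
    foreach ($e in $crashes) {
        $gap = if ($previous) { [math]::Round(($e.TimeCreated - $previous).TotalMinutes, 1) } else { $null }
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            MinutesSincePrev = $gap
            # 0xc0000005 Application Errors logged within two minutes of this termination.
            AppErrorsNearby  = @($accessViolations | Where-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -lt 2 }).Count
        }
        $previous = $e.TimeCreated
    }
}

function Set-RdgClientTransportWorkaround {
    # Option 2 from the KB: per-user client setting. Because the key lives under HKCU,
    # run this in the profile of each user who connects through the affected gateway.
    $key = 'HKCU:\Software\Microsoft\Terminal Server Client'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name RDGClientTransport -Value 0 -Type DWord
    # Read it back so the caller can verify the value took effect (expected: 0).
    (Get-ItemProperty -Path $key -Name RDGClientTransport).RDGClientTransport
}

# Run on the RD Gateway server to confirm the crash pattern ...
Find-RdGatewayCrash -Days 7 | Format-Table -AutoSize
# ... and on client devices (as the affected user) to apply the workaround:
# Set-RdgClientTransportWorkaround
```

Run the detection function on the gateway itself; the workaround function is meant for client devices and only changes the current user's hive, so a logon script or per-user deployment is needed to cover everyone. Remember to revert the client setting once Microsoft ships the fix.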

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB5041828 – Windows Server 2012 R2 (ESU)
  • KB5041851 – Windows Server 2012 (ESU)

Cumulative Updates

Windows 10

  • KB5041782 – Original release version 1507 (OS Build 10240)
  • KB5041773 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5041578 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5041580 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5041580 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

Windows 11

  • KB5041592 – 21H2 (OS Build 22000) Original release
  • KB5041585 – 22H2 (OS Build 22621)
  • KB5041585 – 23H2 (OS Build 22631)

Windows Server

  • KB5041773 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5041578 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5041160 – Server 2022 (OS Build 20348)
  • KB5041573 – Server 23H2 (OS Build 25398)

Internet Explorer

  • KB5041770 – Cumulative security update for Internet Explorer

August 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/august-2024-updates-for-microsoft-office-72359d78-f0b3-4ad8-9fcd-c01bf2a32f51

Notable CVEs

CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38063

An unauthenticated attacker could repeatedly send specially crafted IPv6 packets to a Windows machine and achieve remote code execution. Systems with IPv6 disabled on the target machine are not affected.
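
The following PowerShell is an added example, not code from the original page or from Microsoft. It ties the KB list above to CVE-2024-38063: it maps the local OS build to the expected August 2024 cumulative update or monthly rollup, checks whether that KB is installed, checks whether IPv6 is still enabled, and reports the machine as exposed only when it is both unpatched and IPv6-reachable. It assumes Get-HotFix lists the cumulative update or rollup by its KB number (true on most builds but not guaranteed), that IPv6 counts as disabled only if it is unbound from every adapter or globally disabled via DisabledComponents = 0xFF, and the function names are chosen for this example.

```powershell
# Added example (not from the original page or from Microsoft tooling).
# Assumptions: Get-HotFix reports the LCU/rollup by KB number; IPv6 is "disabled" for
# CVE-2024-38063 purposes only when unbound from every adapter or DisabledComponents = 0xFF.
# Function names are chosen for this example.

# OS build -> August 2024 cumulative update / monthly rollup, taken from the KB list above.
$AugustKbByBuild = @{
    9200  = 'KB5041851'   # Windows Server 2012 (ESU) monthly rollup
    9600  = 'KB5041828'   # Windows Server 2012 R2 (ESU) monthly rollup
    10240 = 'KB5041782'   # Windows 10 1507
    14393 = 'KB5041773'   # Windows 10 1607 / Server 2016
    17763 = 'KB5041578'   # Windows 10 1809 / Server 2019
    19044 = 'KB5041580'   # Windows 10 21H2
    19045 = 'KB5041580'   # Windows 10 22H2
    20348 = 'KB5041160'   # Windows Server 2022
    22000 = 'KB5041592'   # Windows 11 21H2
    22621 = 'KB5041585'   # Windows 11 22H2
    22631 = 'KB5041585'   # Windows 11 23H2
    25398 = 'KB5041573'   # Windows Server 23H2
}

function Test-Ipv6Enabled {
    # Global kill switch: DisabledComponents = 0xFF turns IPv6 off on all interfaces.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabled = (Get-ItemProperty -Path $params -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($disabled -eq 0xFF) { return $false }

    # Otherwise IPv6 is live if the ms_tcpip6 binding is enabled on any adapter.
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue | Where-Object Enabled
    return [bool]$bound
}

function Get-AugustPatchStatus {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $expected = $AugustKbByBuild[$build]

    $installed = $false
    if ($expected) {
        # Get-HotFix returns nothing (no error) when the KB is absent.
        $installed = [bool](Get-HotFix -Id $expected -ErrorAction SilentlyContinue)
    }
    $ipv6 = Test-Ipv6Enabled

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Build                  = $build
        ExpectedKB             = if ($expected) { $expected } else { 'unknown build: check the KB list' }
        KBInstalled            = $installed
        IPv6Enabled            = $ipv6
        # Exposed to CVE-2024-38063 only when the fix is missing AND IPv6 is still reachable.
        CVE_2024_38063_Exposed = (-not $installed) -and $ipv6
    }
}

Get-AugustPatchStatus | Format-List
```

Treat IPv6Enabled = $false as a mitigation, not a substitute for the patch: disabling IPv6 via DisabledComponents requires a reboot and can break services that expect it, so the KBInstalled column is the one to drive the patch policy from.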

CVE-2024-38106 | Windows Kernel Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38106

Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-38107 | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38107

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-38109 | Azure Health Bot Elevation of Privilege Vulnerability (Fully mitigated by Microsoft)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38109

An authenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network. This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup/KB5041770)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38178

This attack requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution. Successful exploitation requires the attacker to first prepare the target so that it uses Edge in Internet Explorer Mode; the user would then have to click a specially crafted URL to be compromised.

CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38193

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-38199 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup/KB5041770)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38199

An unauthenticated attacker could send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network. Successful exploitation could result in remote code execution on the server.

CVE-2024-38202 | Windows Update Stack Elevation of Privilege Vulnerability (No patch available; see ADV24216903)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-38206 | Microsoft Copilot Studio Information Disclosure Vulnerability (Fully mitigated by Microsoft)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38206

An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network. This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

CVE-2024-38213 | Windows Mark of the Web Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38213

An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it.

CVE-2024-21302 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21302

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.