By Satnam Narang, Senior Staff Research Engineer, Tenable
“This month, Microsoft patched two zero-day vulnerabilities that can bypass security features in Microsoft Office and Windows Mark of the Web. Both vulnerabilities were exploited in the wild, though specifics about these attacks were not publicly disclosed. Given the prevalence of Microsoft Office and Windows Mark of the Web, these vulnerabilities should be at the top of the remediation list.
CVE-2024-38226 is a flaw in Microsoft Publisher, a standalone application that is also included in some versions of Microsoft Office. CVE-2024-38217 is a vulnerability in Mark of the Web, an important security feature in Microsoft Windows that flags or blocks content from files downloaded from the internet.
Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running. In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226.
CVE-2024-38217 is the second zero-day vulnerability in Mark of the Web that was exploited in the wild. In August, Microsoft published an advisory for CVE-2024-38213, which was actually fixed as part of its June 2024 Patch Tuesday release, but it was “inadvertently omitted” from that release. CVE-2024-38213, also known as “Copy2Pwn,” was linked to the DarkGate campaign, which included the use of another zero-day vulnerability – CVE-2024-21412. Water Hydra, the advanced persistent threat (APT) group behind the DarkGate campaign, appears to have a penchant for discovering and exploiting zero-day security feature bypass vulnerabilities, though it is unclear if CVE-2024-38217 is attributable to the group.
Microsoft also fixed CVE-2024-38014, a Windows Installer elevation of privilege flaw that was also exploited in the wild as a zero-day. Flaws like CVE-2024-38014 are part of post-compromise activity, whereby an attacker has obtained access to a target system and will exploit these types of vulnerabilities in order to elevate privileges to enable further compromise. How these attackers gain access to these systems can vary, whether it’s through exploitation of other vulnerabilities, spear phishing or brute force attacks. Because elevation of privilege vulnerabilities are related to post-compromise activity, they may not receive as much attention as remote code execution bugs, but they are highly valuable to attackers as they are able to inflict more damage or compromise more data. It is important for organizations to ensure they patch these flaws to cut off attack paths and prevent future compromise.
In addition to these zero-day vulnerabilities, Microsoft also corrected a vulnerability in its Servicing Stack that led to the rollback of fixes for specific versions of Windows 10 affecting some Optional Components. Identified as CVE-2024-43491, it is labeled as “Exploitation Detected” which implies that it was exploited in the wild. However, it appears to be labeled this way because the rollback of fixes reintroduced vulnerabilities in the Optional Components that were previously known to be exploited. To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates.”