Microsoft Releases Patch to Address 90 Vulnerabilities in Windows

Microsoft has released an update to fix at least 90 security vulnerabilities in Windows and related software, including six 0-day vulnerabilities that are being actively exploited by attackers.

This month's Windows update from Microsoft includes patches for vulnerabilities in Office, .NET, Visual Studio, Azure, Copilot, Microsoft Dynamics, Teams, Secure Boot, and, of course, Windows itself. Of the six 0-day vulnerabilities addressed by Microsoft this month, half are local privilege escalation vulnerabilities, meaning they are primarily useful to attackers when combined with other vulnerabilities or access methods.

CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 all allow attackers to gain system-level privileges on vulnerable machines, although these vulnerabilities are located in different parts of the Windows operating system. Microsoft provides very little information about the latter two vulnerabilities, aside from noting that they are being actively exploited. CVE-2024-38106, on the other hand, exists in the Windows Kernel and is being actively exploited with a high level of complexity.

Another 0-day vulnerability this month is CVE-2024-38178, which allows remote code execution when the integrated Windows Edge browser is operating in "Internet Explorer Mode." By default, IE Mode is not enabled in Edge, but it can be turned on to work with older websites or applications that are not supported by modern Chromium-based browsers.

CVE-2024-38213 is a 0-day vulnerability that allows malware to bypass "Mark of the Web," a security feature in Windows that flags files downloaded from the internet as untrusted (this feature is responsible for the "Windows protected your PC" popup that appears when opening files downloaded from the web).

The final 0-day vulnerability discovered is CVE-2024-38189, a remote code execution vulnerability in Microsoft Project. However, Microsoft and several security companies note that this vulnerability only affects users who have disabled security risk notifications when running VBA Macros in Microsoft Project.

Windows users who are still supported should update their systems with the August security updates from Microsoft by going to Settings and selecting Windows Update to download and install the patches.